IPv6 firewall rules seem to block all connections


After deciding that my small server needed a firewall, I used ferm to configure iptables and ip6tables for me (this question should be tagged ferm, but I cannot create the tag).

I use the same rules for IPv4 and IPv6, but as soon as I set up the firewall, IPv6 connections (on all ports) stop working and I have to switch to IPv4. Why is this?

My /etc/ferm.conf:

domain (ip ip6) table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;

        # allow all my lovely server stuff
        proto tcp dport (http https smtp imap imaps) ACCEPT;

        # Teamspeak 3 Server
        proto tcp dport (10011 30033) ACCEPT;
        proto udp dport 9987 ACCEPT;

        # Prosody XMPP
        proto tcp dport (5222 5269) ACCEPT;

        # ident connections are also allowed
        proto tcp dport auth ACCEPT;

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}

Output of ip6tables -vnL:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0                 state INVALID
   24  8224 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:143
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:993
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:10011
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:30033
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:9987
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:5222
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:5269
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:113

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 24 packets, 8224 bytes)
 pkts bytes target     prot opt in     out     source               destination

Answer 1

The problem is that you are dropping most ICMPv6 packets. Many basic IPv6 functions depend on ICMPv6, for example Neighbor Discovery (the equivalent of ARP in IPv4). ICMP is an essential part of the IP protocol (both IPv4 and IPv6), but bad ICMP filtering hurts IPv6 far more than IPv4. It is probably better to allow all ICMP and then (maybe) filter out what you do not want.

For more background, see RFC 4890.
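One way to apply the answer's advice in ferm, as an added example that is not the poster's config or ferm's own documentation: the rules shared by both families stay in the (ip ip6) domain, and ICMPv6 gets an ip6-only block that admits the types RFC 4890 says must never be dropped. The `ipv6-icmp` protocol name, the `icmpv6-type` match and `mod hl` are assumed to be accepted by your ferm/ip6tables version; check the generated rules with `ferm -nl /etc/ferm.conf` before loading them.

```ferm
# Shared rules: one set for IPv4 and IPv6 (added example, not the original config)
domain (ip ip6) table filter {
    chain INPUT {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface lo ACCEPT;
        proto tcp dport (ssh http https smtp imap imaps auth) ACCEPT;
        proto tcp dport (10011 30033 5222 5269) ACCEPT;   # Teamspeak 3, Prosody
        proto udp dport 9987 ACCEPT;
    }
    chain OUTPUT policy ACCEPT;
    chain FORWARD policy DROP;
}

# IPv4 only: the original ping rule belongs here, not in the mixed domain
domain ip table filter chain INPUT {
    proto icmp icmp-type echo-request ACCEPT;
}

# IPv6 only: ICMPv6 the stack cannot live without (RFC 4890 section 4.3.1)
domain ip6 table filter chain INPUT {
    # error reports; packet-too-big is what makes Path MTU discovery work
    proto ipv6-icmp icmpv6-type (destination-unreachable packet-too-big
                                 time-exceeded parameter-problem) ACCEPT;
    # ping
    proto ipv6-icmp icmpv6-type (echo-request echo-reply) ACCEPT;
    # Neighbor Discovery, the IPv6 replacement for ARP: dropping these is what
    # breaks every IPv6 connection. RFC 4861 requires them to arrive with
    # hop limit 255, so anything routed in from elsewhere is rejected.
    proto ipv6-icmp icmpv6-type (router-solicitation router-advertisement
                                 neighbour-solicitation neighbour-advertisement
                                 redirect) mod hl hl-eq 255 ACCEPT;
    # Multicast Listener Discovery (types 130-132, 143), link-local sources only
    proto ipv6-icmp icmpv6-type (130 131 132 143) saddr fe80::/10 ACCEPT;
}
```

After loading, `ip6tables -vnL INPUT` should show the neighbour-solicitation and neighbour-advertisement counters climbing while IPv6 connections succeed; if they stay at zero, the ICMPv6 rules did not land in the ip6 domain.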
