我注意到我的新服务器上没有配置 ip6tables,但我的 VPS 很好地支持它,而且我对如何实施 ipv4 规则有一些想法,但对 ipv6 一无所知,我尝试查看各种 Google 和 serverfault 示例,但得到的关于最佳实践的论点有些矛盾。所以我的问题是,考虑到下面 iptables.firewall.rules 文件中的实践,我启动服务器时 ipv6tables.firewall.rules 文件会是什么样子?
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ports for testing
-A INPUT -p tcp --dport 8080:8090 -j ACCEPT
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
# Allow ports for MOSH (mobile shell)
-A INPUT -p udp --dport 60000:61000 -j ACCEPT
# Allow SSH connections
# The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 1022 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
答案1
ip6tables 与 iptables 基本相同。IPv6 严重依赖 ICMP,因此我建议不要过滤它,除非你有很好的理由。
我将首先删除此行(IPv4 地址在 ip6tables 中没有意义):
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
并将 ICMP 行更改为:
-A INPUT -p icmpv6 -j ACCEPT
其余一切看起来都与 IP 版本无关,并且应该适用于 iptables 和 ip6tables。