My server has an IPv6 reachability problem.
- The server supports IPv6 and can reach, and be reached by, third parties over IPv6 (ping6 and traceroute6 tested on my Debian stable Wheezy, up to date)
- The site's DNS IPv6 AAAA record exists and works
- The web server (nginx) is listening on IPv6 and ready to handle requests the same way as over IPv4
- The ip6tables INPUT table is configured like iptables to allow HTTP requests (default policy DROP + TCP 80 ACCEPT rule):
Chain INPUT (policy DROP 648 packets, 46788 bytes) pkts bytes target prot opt in out source destination 6 480 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
I have narrowed the problem down to this: if I set the default policy to ACCEPT, HTTP connections work; otherwise they don't.
So it seems some other port redirection might be needed? oO
Could this be related to some kernel configuration of routing / the IPv6 stack?
Here is the output of sudo ip6tables --line-numbers -nvL:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 8169 784K ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
3 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
4 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Answer 1
Folks, you must not ignore ICMPv6 the way you ignore it for legacy IP. ICMPv6, and the Neighbor Discovery Protocol (NDP) with it, is essential for IPv6 to work properly. (NDP is the replacement for ARP.)
This means you must at least allow ICMPv6 types 133-136 from the local link (i.e. fe80::/10). Furthermore, you must let certain error messages through, since routers no longer fragment. You also don't want to drop link-local multicast messages.
RFC 4890 tells the full story.
Below is an excerpt from one of my machines (a VM host that acts as a router):
#! /bin/sh
# Small wrappers: append a DROP / ACCEPT rule to the named chain, or create a chain
drop () {
    /sbin/ip6tables --jump DROP --append "$@";
}
accept () {
    /sbin/ip6tables --jump ACCEPT --append "$@";
}
chain () {
    /sbin/ip6tables --new-chain "$@"
}
ICMP_RATELIMIT="--match limit --limit 2/s"
# ... (the rest of the script, including the definition of $COUNTERMODE, the poster's own
#      network prefix, and the INPUT rule that jumps ICMPv6 traffic to ICMPv6_IN, is not shown;
#      cafe0 and wlp3s0 are the poster's interface names)
# Validate ingoing ICMPv6 messages
#
chain ICMPv6_IN
# error messages
# allow error messages that are related to previously seen traffic
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type destination-unreachable --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type packet-too-big --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type ttl-exceeded --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type parameter-problem --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
# accept neighbor discovery (types 135 and 136)
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-solicitation $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-advertisement $ICMP_RATELIMIT
# accept router discovery (types 133 and 134): solicitations on the inside interface
# from unicast sources, advertisements only from link-local sources on the uplink
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type router-solicitation '!' --src ff00::/8 --in-interface cafe0 $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type router-advertisement --src fe80::/10 --in-interface wlp3s0 $ICMP_RATELIMIT
# ping
# accept replies to my ping requests
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type echo-reply --match conntrack --ctstate ESTABLISHED,RELATED
# allow ping from my network(s)
accept ICMPv6_IN --src $COUNTERMODE --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT
# allow link-local unicast ping
accept ICMPv6_IN --dst fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT
## allow multicast ping from local link
#accept ICMPv6_IN --dst ff00::/8 --src fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT
# multicast listener discovery v1 (query, report, done)
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 130 --in-interface cafe0
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 131 --in-interface cafe0
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 132 --in-interface cafe0
# multicast listener discovery v2 (report)
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 143 --in-interface cafe0
# drop everything else
drop ICMPv6_IN
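The answer's excerpt is taken from a router; the asker's box is a plain host with policy DROP and only TCP 22/80/443 open. The script below is an added example, not the poster's code or the asker's configuration, showing a complete host ruleset of that shape with the ICMPv6 chain the answer describes added to it. It assumes nothing beyond the ports in the question and standard ip6tables matches (`hl`, `conntrack`, `limit`); because ip6tables needs root, it defaults to `DRY_RUN=1` and prints the commands it would run, so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the original post): minimal ip6tables INPUT policy for
# a host with policy DROP, TCP 22/80/443 open, plus the ICMPv6 the answer requires.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

IP6T=${IP6T:-/sbin/ip6tables}
DRY_RUN=${DRY_RUN:-1}

ip6t() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IP6T $*"
    else
        "$IP6T" "$@"
    fi
}

# ICMPv6 a host must accept even with INPUT policy DROP (RFC 4890 section 4.3).
icmpv6_host_rules() {
    ip6t -N ICMPv6_IN
    # Error messages: packet-too-big is what makes path MTU discovery work,
    # since IPv6 routers do not fragment on the sender's behalf.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        ip6t -A ICMPv6_IN -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Neighbor Discovery (133-136) replaces ARP. RFC 4861 requires hop limit 255
    # on these, so matching on it rejects anything that was routed from off-link.
    for t in 133 134 135 136; do
        ip6t -A ICMPv6_IN -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Multicast Listener Discovery (130-132 v1, 143 v2) is sent from link-local.
    for t in 130 131 132 143; do
        ip6t -A ICMPv6_IN -p icmpv6 --icmpv6-type "$t" -s fe80::/10 -j ACCEPT
    done
    # Rate-limited echo requests, and replies to our own pings.
    ip6t -A ICMPv6_IN -p icmpv6 --icmpv6-type echo-request -m limit --limit 2/s -j ACCEPT
    ip6t -A ICMPv6_IN -p icmpv6 --icmpv6-type echo-reply -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6t -A ICMPv6_IN -j DROP
}

# The asker's INPUT chain, with ICMPv6 handed to the chain above before the
# port rules, so NDP is never reached by the policy DROP.
input_rules() {
    ip6t -P INPUT DROP
    ip6t -A INPUT -i lo -j ACCEPT
    ip6t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6t -A INPUT -p icmpv6 -j ICMPv6_IN
    for port in 22 80 443; do
        ip6t -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
}

# Number of ICMPv6 types the generated chain accepts (a quick sanity check).
count_accepted_types() {
    icmpv6_host_rules | grep -c -- '--icmpv6-type .* -j ACCEPT'
}

main() {
    icmpv6_host_rules
    input_rules
}
main "$@"
```

Run it once with the default `DRY_RUN=1` and compare the printed rules with the `ip6tables -nvL` listing in the question: the listing there has no ICMPv6 rule at all, which is why neighbor solicitations from the upstream router are dropped as soon as the INPUT policy is DROP. The order in `input_rules` matters: the jump to `ICMPv6_IN` sits before the TCP port rules, and `ICMPv6_IN` ends in its own DROP so unlisted ICMPv6 types never fall through to the port rules.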