ip6tables 中接受输入 HTTP 的规则不足以允许 IPv6 请求

ip6tables 中接受输入 HTTP 的规则不足以允许 IPv6 请求

我的服务器面临 IPv6 可访问性问题。

  • 该服务器支持 IPv6,能够通过 IPv6 联系第三方或被第三方联系(ping6traceroute6在我的 Debian 稳定版 Wheezy 上测试,最新)
  • 该网站的DNS IPv6AAAA条目存在且运行正常
  • Web 服务器 (nginx) 正在监听 IPv6 链接,并准备以与 IPv4 相同的方式处理请求
  • ip6tablesINPUT表配置为像 iptables 一样允许 HTTP 请求(默认策略DROP+ TCP 80ACCEPT规则):

    Chain INPUT (policy DROP 648 packets, 46788 bytes)
    pkts bytes target     prot opt in     out     source               destination
    6   480 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
    

我把问题缩小到如果我将默认策略设置为ACCEPT,则 HTTP 连接有效否则不

因此,似乎可能需要其他一些端口重定向?oO

这可能与路由/IPv6 堆栈的某些内核配置有关吗?

以下是输出sudo ip6tables --line-numbers -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8169  784K ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
3        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
4        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

答案1

各位,你们必须不要像忽略传统 IP 那样忽略 ICMPv6 - ICMPv6 以及邻居发现协议 (NDP)必不可少的以确保 IPv6 正常运行。(NDP 是 ARP 的替代品。)

这意味着,你必须至少允许来自本地链路的 ICMPv6 类型 133-136(即fe80::/10)。此外,您必须允许某些错误消息到达,例如路由器不再进行碎片化。您也不想丢弃链接本地多播消息。

RFC 4890 中讲述了完整的故事。

下面是从我的一台机器(充当路由器的虚拟机主机)摘录的:

#! /bin/sh

drop () {
    /sbin/ip6tables --jump DROP --append "$@";
}

accept () {
    /sbin/ip6tables --jump ACCEPT --append "$@";
}

chain () {
    /sbin/ip6tables --new-chain "$@"
}

ICMP_RATELIMIT="--match limit --limit 2/s"

# ...

#       Validate ingoing ICMPv6 messages
#
chain   ICMPv6_IN

# error messages

# allow error messages that are related to previously seen traffic
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type destination-unreachable --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type packet-too-big --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type ttl-exceeded --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type parameter-problem --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT

# accept neighbor discovery
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-solicitation $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-advertisement $ICMP_RATELIMIT

# accept router discovery
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type router-solicitation '!' --src ff00::/8 --in-interface cafe0 $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type router-advertisement --src fe80::/10 --in-interface wlp3s0 $ICMP_RATELIMIT


# ping
# accept replies to my ping requests
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type echo-reply --match conntrack --ctstate ESTABLISHED,RELATED

# allow ping from my network(s)
accept  ICMPv6_IN --src $COUNTERMODE --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT

# allow link-local unicast ping
accept  ICMPv6_IN --dst fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT

## allow multicast ping from local link
#accept  ICMPv6_IN --dst ff00::/8 --src fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT

# multicast listener discovery v1
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 130 --in-interface cafe0
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 131 --in-interface cafe0
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 132 --in-interface cafe0

# multicast listener discovery v2
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 143 --in-interface cafe0


# drop everything else
drop ICMPv6_IN

相关内容