ip6tables: connection drops after a request on port 80

I have a bit of a problem with ip6tables. When I apply the rules below, everything is fine. After I try HTTP through a web page, everything still works. After I go back to SSH and try it, SSH disconnects and the browser no longer gets replies over IPv6. When I stop ip6tables, everything goes back to normal. Can you help me?

ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     any     anywhere             anywhere
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp echo-request limit: avg 15/sec burst 5
    0     0 DROP       tcp      any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    7   612 ACCEPT     all      any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:ftp state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:ssh state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:smtp state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:http state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpt:https state NEW
    0     0 ACCEPT     tcp      any    any     anywhere             anywhere            tcp dpts:30000:31000 state NEW
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp type 8
    0     0 REJECT     all      any    any     anywhere             anywhere            reject-with icmp6-adm-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 608 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      any    lo      anywhere             anywhere
    0     0 ACCEPT     ipv6-icmp    any    any     anywhere             anywhere            ipv6-icmp echo-reply limit: avg 15/sec burst 5

Answer 1

I'm not sure what is causing the problem, I would need to see some traffic dumps, but your ruleset looks strange. What is the ICMP type 8 that you accept? In any case, you must accept certain ICMPv6 messages. See RFC 4890 for how to filter ICMPv6 properly.
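
The ICMPv6 rules this answer points to, as an added example rather than code from the question or either answer: a POSIX shell script that prints, or with `apply` installs, the ICMPv6 ACCEPT rules that RFC 4890 says a host must not drop. The insert position (2, right after the loopback rule), the assumption that the machine is a host and not a router, and the script's own names are mine; the hop-limit checks come from RFC 4861 (Neighbor Discovery is only valid with hop limit 255) and RFC 2710/RFC 3810 (MLD is sent with hop limit 1), and `-m hl --hl-eq` is the ip6tables hop-limit match.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Prints (or, with "apply", installs) the ICMPv6 ACCEPT rules RFC 4890 says a
# host must not drop. Assumptions: the INPUT chain from the question (rule 1
# accepts loopback, the last rule is a REJECT, so new rules are inserted at a
# position rather than appended after the REJECT), and that the box is a host,
# not a router.

# Error messages (ICMPv6 types 1-4): destination unreachable, packet too big
# (path MTU discovery fails without it), time exceeded, parameter problem.
ICMPV6_ERROR_TYPES="1 2 3 4"
# Neighbor Discovery (RFC 4861): 133 router solicitation, 134 router
# advertisement, 135 neighbor solicitation, 136 neighbor advertisement. If 135
# and 136 are rejected, neighbor cache entries on both sides cannot be
# refreshed and traffic stops once they expire.
ICMPV6_ND_TYPES="133 134 135 136"
# Multicast Listener Discovery: 130 query, 131 report, 132 done, 143 MLDv2 report.
ICMPV6_MLD_TYPES="130 131 132 143"

# icmpv6_rules [POSITION]: emit one ip6tables command per line, each inserted
# at POSITION in INPUT (default 2, right after the loopback rule). All of them
# are ACCEPTs, so their relative order does not matter.
icmpv6_rules() {
    pos=${1:-2}
    for t in $ICMPV6_ERROR_TYPES; do
        printf 'ip6tables -I INPUT %s -p ipv6-icmp --icmpv6-type %s -j ACCEPT\n' "$pos" "$t"
    done
    # ND messages are sent with hop limit 255 and must be discarded otherwise
    # (RFC 4861): a packet that crossed a router cannot pass this check.
    for t in $ICMPV6_ND_TYPES; do
        printf 'ip6tables -I INPUT %s -p ipv6-icmp --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' "$pos" "$t"
    done
    # MLD messages are sent with hop limit 1 (RFC 2710, RFC 3810).
    for t in $ICMPV6_MLD_TYPES; do
        printf 'ip6tables -I INPUT %s -p ipv6-icmp --icmpv6-type %s -m hl --hl-eq 1 -j ACCEPT\n' "$pos" "$t"
    done
    # Echo request, rate limited as in the original ruleset. Echo replies to
    # our own pings are tracked by conntrack and match RELATED,ESTABLISHED.
    printf 'ip6tables -I INPUT %s -p ipv6-icmp --icmpv6-type 128 -m limit --limit 15/sec --limit-burst 5 -j ACCEPT\n' "$pos"
}

# Usage: sh this.sh print [position]   # review the commands
#        sh this.sh apply [position]   # run them (as root)
if [ $# -gt 0 ]; then
    case "$1" in
        print) icmpv6_rules "${2:-2}" ;;
        apply) icmpv6_rules "${2:-2}" | sh -e ;;
        *) echo "usage: $0 print|apply [position]" >&2; exit 2 ;;
    esac
fi
```

Review the output of `print` against the listing above before running `apply` as root. Once these are in place, the rule accepting "ipv6-icmp type 8" can be deleted: 8 is not an assigned ICMPv6 type (echo request is 128 and echo reply is 129), so that rule never matches anything.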

Answer 2

However, just by looking at the rules one can tell what is happening and why. My impression is that rule 3 is not doing what you expect (dropping every packet that creates a new conntrack entry but has the RST, ACK or FIN flag set or the SYN flag unset).

To debug this further, I suggest adding -j LOG targets in the INPUT chain before rule 3 and before the final reject.

# Before rule 3, the non-SYN NEW drop (ip6tables, not iptables, since the rules
# in question are in the IPv6 table; current iptables wants the "!" before the
# option name; the trailing space in the prefix keeps it apart from "IN=" in the log)
ip6tables -I INPUT 3 -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "not-syn: "

# Before the final REJECT, which moves from position 12 to 13 after the insert above
ip6tables -I INPUT 13 -j LOG --log-prefix "final reject: "

LOG is a "non-terminating target", i.e. rule traversal continues with the next rule.
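
To read what those LOG rules produce, here is an added example that is not part of the answer: a shell function that summarizes kernel log lines written by the LOG target, grouped by log prefix, protocol and ICMPv6 type or TCP destination port (with the TCP flags the LOG target prints). The sample lines are constructed in the LOG target's IPv6 format, showing neighbor discovery messages reaching the final reject and one ACK,FIN packet to port 22 logged before rule 3; the "not-syn: " prefix, addresses and MAC addresses are assumptions. LOG writes the prefix immediately before "IN=", so a prefix without a trailing space, as in "final reject" above, runs into it; the function copes with both forms.

```shell
#!/bin/sh
# Added example, not code from the answer: summarize what the two LOG rules
# record so that the rejected traffic stands out. Reads kernel log lines on
# stdin, e.g.:  journalctl -k | summarize_log

# Constructed sample lines in the format the LOG target writes for IPv6: three
# neighbor discovery messages hitting the "final reject" rule (prefix written
# without a trailing space, as in the answer's command, so it runs into IN=)
# and one ACK,FIN packet to port 22 logged before rule 3 with an assumed
# "not-syn: " prefix. Addresses and MACs are made up.
SAMPLE_LOG='Mar  3 10:15:01 web kernel: [  812.104331] final rejectIN=eth0 OUT= MAC=33:33:ff:12:34:56:52:54:00:aa:bb:cc:86:dd SRC=fe80:0000:0000:0000:5054:00ff:feaa:bbcc DST=ff02:0000:0000:0000:0000:0001:ff12:3456 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Mar  3 10:15:01 web kernel: [  812.104402] final rejectIN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:aa:bb:cc:86:dd SRC=fe80:0000:0000:0000:5054:00ff:feaa:bbcc DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Mar  3 10:15:31 web kernel: [  842.219870] final rejectIN=eth0 OUT= MAC=33:33:ff:12:34:56:52:54:00:aa:bb:cc:86:dd SRC=fe80:0000:0000:0000:5054:00ff:feaa:bbcc DST=ff02:0000:0000:0000:0000:0001:ff12:3456 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Mar  3 10:15:40 web kernel: [  851.002117] not-syn: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:aa:bb:cc:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0099 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=60 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=50512 DPT=22 WINDOW=0 RES=0x00 ACK FIN URGP=0'

# summarize_log: one output line per (prefix, protocol, type-or-port, flags)
# combination, prefixed with its count, most frequent first.
summarize_log() {
    awk '
    index($0, "IN=") > 0 {
        line = $0
        sub(/.*kernel: /, "", line)      # drop syslog date and host name
        sub(/^\[[ 0-9.]*\] /, "", line)  # drop the printk timestamp, if any
        i = index(line, "IN=")
        prefix = substr(line, 1, i - 1)  # LOG prints the prefix right before IN=
        sub(/[ :]+$/, "", prefix)
        if (prefix == "") prefix = "(no prefix)"
        proto = "PROTO=?"; detail = ""; flags = ""
        n = split(substr(line, i), f, /[ \t]+/)
        for (k = 1; k <= n; k++) {
            if (f[k] ~ /^PROTO=/) proto = f[k]
            else if (f[k] ~ /^(TYPE|DPT)=/) detail = f[k]
            else if (f[k] ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = (flags == "" ? "" : flags ",") f[k]
        }
        key = prefix " " proto " " detail
        if (flags != "") key = key " flags=" flags
        count[key]++
    }
    END { for (key in count) printf "%d %s\n", count[key], key }
    ' | sort -rn
}

# Run on the constructed sample when invoked as: sh this.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
fi
```

On the sample this prints "2 final reject PROTO=ICMPv6 TYPE=135" first: repeated neighbor solicitations (TYPE=135, sent to the solicited-node multicast address) being rejected are exactly the kind of ICMPv6 traffic that a host cannot live without, which is what Answer 1 is getting at.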
