在 CentOS 6 上,ip6tables 简直给这台机器带来了噩梦。
拥有
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
和
ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A INPUT ! -p ipv6-icmp -j DROP
ip6tables -A OUTPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A OUTPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A OUTPUT ! -p ipv6-icmp -j DROP
或者将顶部和底部颠倒过来,仍然无济于事。
IP6tables 要么阻止所有端口,要么允许所有进出。在放置这些规则之前,我已经刷新了 ip6tables 以确保没有任何规则。
所需的只是允许所有流量并拒绝 tcp/udp 的多个进出端口
上述端口仅供示例之用。
谢谢。
编辑:达到了更好的阶段,但还没有与逆运算一起工作
ip6tables -F
ip6tables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -I FORWARD -j DROP --protocol tcp -m multiport --dports 22,80,443
答案1
你已经完成了这个:
# Drops all incoming TCP that's not directed to these ports,
# Preventing also answers for locally initiated connections!
ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
# Drops all incoming UDP that's not directed to these ports,
# Preventing also answers for locally initiated connections!
ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
# Drop everything that's not icmp6, including UDP and TCP traffic
# that was allowed to pass earlier, making them obsolete.
ip6tables -A INPUT ! -p ipv6-icmp -j DROP
(重复OUTPUT
)
通常,您会ACCEPT
允许所有想要允许的内容,然后放弃。
ip6tables -P INPUT DROP
ip6tables -A INPUT -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
我不会过滤传出的流量,除非你有充分的理由。