ip6tables port drops and default policies


On CentOS 6, ip6tables has been a nightmare on this machine.

With

ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT

ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A INPUT ! -p ipv6-icmp -j DROP
ip6tables -A OUTPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A OUTPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
ip6tables -A OUTPUT ! -p ipv6-icmp -j DROP

or with the top and bottom swapped around, it still does not help.

ip6tables either blocks all ports or allows everything in and out. Before putting these rules in place I flushed ip6tables to make sure there were no rules at all.

All that is needed is to allow all traffic and deny several tcp/udp ports in and out.

The ports above are only for example purposes.

Thanks.

Edit: got to a better stage, but still not working with the inverse (negated) match

ip6tables -F
ip6tables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -I FORWARD -j DROP --protocol tcp -m multiport --dports 22,80,443

Answer 1

You have done this:

# Drops all incoming TCP that's not directed to these ports,
# Preventing also answers for locally initiated connections!
ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
# Drops all incoming UDP that's not directed to these ports,
# Preventing also answers for locally initiated connections!
ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
# Drop everything that's not icmp6, including UDP and TCP traffic
# that was allowed to pass earlier, making them obsolete.
ip6tables -A INPUT ! -p ipv6-icmp -j DROP

(the same repeated for OUTPUT)

Usually you ACCEPT everything you want to allow, then DROP the rest.

ip6tables -P INPUT DROP
ip6tables -A INPUT -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --dports 21,22,80,443 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

I wouldn't filter outgoing traffic unless you have a good reason to.
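The first-match-wins evaluation that makes the questioner's ruleset drop everything, and the answer's allow-then-drop form work, is easier to see by walking packets through both chains. The following is an added example, not code from the question or the answer: a small simulator of a single ip6tables INPUT chain that models only the matchers used on this page (`-p`, `-m multiport --dports`, their `!` negations, and the chain policy). The packets, their ports and their conntrack states are constructed test data. The optional `-m conntrack --ctstate ESTABLISHED,RELATED` rule is my own addition, included because neither ruleset on the page lets replies to locally initiated connections back in, and the simulation shows that gap.

```python
# Added example: first-match-wins simulator for one ip6tables chain.
# It is not the page's code; it models only -p, --dports, "!" negation,
# an assumed conntrack --ctstate matcher, and the chain policy.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    target: str                       # "ACCEPT" or "DROP"
    proto: Optional[str] = None       # -p tcp | udp | ipv6-icmp, None = any
    proto_negate: bool = False        # "! -p ..."
    dports: frozenset = frozenset()   # -m multiport --dports ...
    dports_negate: bool = False       # "-m multiport ! --dports ..."
    ctstate: frozenset = frozenset()  # -m conntrack --ctstate ... (added)

@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every matcher on the rule agrees with the packet."""
    if rule.proto is not None:
        # negated: match only when the protocol differs
        if (pkt["proto"] == rule.proto) == rule.proto_negate:
            return False
    if rule.dports:
        in_set = pkt.get("dport") in rule.dports
        if in_set == rule.dports_negate:
            return False
    if rule.ctstate and pkt.get("ctstate") not in rule.ctstate:
        return False
    return True

def verdict(chain: Chain, pkt: dict) -> str:
    """Walk the chain top to bottom; the first matching rule decides,
    otherwise the chain policy applies (exactly how netfilter does it)."""
    for rule in chain.rules:
        if matches(rule, pkt):
            return rule.target
    return chain.policy

PORTS = frozenset({21, 22, 80, 443})

def questioner_input_chain() -> Chain:
    """The three INPUT rules from the question, policy ACCEPT."""
    return Chain("ACCEPT", [
        Rule("DROP", proto="tcp", dports=PORTS, dports_negate=True),
        Rule("DROP", proto="udp", dports=PORTS, dports_negate=True),
        Rule("DROP", proto="ipv6-icmp", proto_negate=True),
    ])

def answer_input_chain(with_conntrack: bool = False) -> Chain:
    """The allow-list from the answer, policy DROP; optionally with the
    ESTABLISHED,RELATED rule that the page does not include (my addition)."""
    rules = []
    if with_conntrack:
        rules.append(Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"})))
    rules += [
        Rule("ACCEPT", proto="tcp", dports=PORTS),
        Rule("ACCEPT", proto="udp", dports=PORTS),
        Rule("ACCEPT", proto="ipv6-icmp"),
    ]
    return Chain("DROP", rules)

# Constructed sample packets arriving on INPUT.
PACKETS = {
    "ssh_in":   {"proto": "tcp", "dport": 22, "ctstate": "NEW"},
    "smtp_in":  {"proto": "tcp", "dport": 25, "ctstate": "NEW"},
    # reply to an HTTPS connection this host opened: remote :443 -> local :51234
    "https_reply": {"proto": "tcp", "dport": 51234, "ctstate": "ESTABLISHED"},
    "ndp":      {"proto": "ipv6-icmp", "ctstate": "NEW"},  # neighbour discovery
}

def evaluate_all() -> dict:
    """Verdict of every sample packet under each of the three chains."""
    chains = {
        "questioner": questioner_input_chain(),
        "answer": answer_input_chain(),
        "answer+conntrack": answer_input_chain(with_conntrack=True),
    }
    return {name: {p: verdict(c, pkt) for p, pkt in PACKETS.items()}
            for name, c in chains.items()}

if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(f"{name:18}", "  ".join(f"{p}={v}" for p, v in results.items()))
```

Running it shows the three points at once: under the questioner's chain even `ssh_in` is dropped, because the two `! --dports` rules let it fall through to `! -p ipv6-icmp -j DROP`, which drops every non-ICMPv6 packet regardless of port; under the answer's chain `ssh_in` is accepted and `smtp_in` dropped, but the reply to a locally initiated HTTPS connection is also dropped by the DROP policy; only the added ESTABLISHED,RELATED rule lets that reply through. In real ip6tables `--dports` is only valid after `-p tcp` or `-p udp`, and the negation for multiport is written `-m multiport ! --dports`, as on the page.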
