CentOS firewall seems to block DHCPv6 reply messages


Strangely, my CentOS cannot receive DHCPv6 reply messages from the DHCPv6 server. I have already enabled the dhcpv6-client rule.

Every time I try to bring the interface up, a DHCPv6 request message is sent, but no DHCPv6 reply message is received. I tried sniffing the interface with Wireshark, but still no DHCPv6 reply message is received; only DHCPv6 request messages show up.

I guess the firewall is blocking my packets. When I disable the firewalld service, I can receive DHCPv6 reply messages. But I don't know whether the firewall is blocking the DHCPv6 request message or the DHCPv6 reply message.

Also, my CentOS does not process IPv6 router advertisement packets every time, so I have to configure the default IPv6 gateway myself to reach the Internet. This happens whether the firewall is on or off. I tried setting net.ipv6.conf.enp7s0.accept_ra=2 and net.ipv6.conf.enp7s0.forwarding=0, but none of that worked.

So, guys, I need your help, thanks!

------------------- Edit 1 (attached iptables configuration) -------------------

As far as I know, firewalld uses iptables as its backend. My output of ip6tables --list is as follows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             ctstate     RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere            
INPUT_direct  all      anywhere             anywhere            
INPUT_ZONES_SOURCE  all      anywhere             anywhere            
INPUT_ZONES  all      anywhere             anywhere            
ACCEPT     ipv6-icmp    anywhere             anywhere            
REJECT     all      anywhere             anywhere             reject-with     icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             ctstate     RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere            
FORWARD_direct  all      anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all      anywhere             anywhere            
FORWARD_IN_ZONES  all      anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all      anywhere             anywhere            
FORWARD_OUT_ZONES  all      anywhere             anywhere            
ACCEPT     ipv6-icmp    anywhere             anywhere            
REJECT     all      anywhere             anywhere             reject-with         icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all      anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all      anywhere             anywhere            [goto] 
FWDI_public  all      anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all      anywhere             anywhere            [goto] 
FWDO_public  all      anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (2 references)
target     prot opt source               destination         
FWDI_public_log  all      anywhere             anywhere            
FWDI_public_deny  all      anywhere             anywhere            
FWDI_public_allow  all      anywhere             anywhere            

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (2 references)
target     prot opt source               destination         
FWDO_public_log  all      anywhere             anywhere            
FWDO_public_deny  all      anywhere             anywhere            
FWDO_public_allow  all      anywhere             anywhere            

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all      anywhere             anywhere            [goto] 
IN_public  all      anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (2 references)
target     prot opt source               destination         
IN_public_log  all      anywhere             anywhere            
IN_public_deny  all      anywhere             anywhere            
IN_public_allow  all      anywhere             anywhere            

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     udp      anywhere             fe80::/64            udp dpt:dhcpv6-client ctstate NEW
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination 

Answer 1

Problem 1 solved: firewalld enables RPF by default, and the DHCPv6 reply message is blocked by the RPF rule installed in the PREROUTING chain of the raw table.
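An added check for the cause the answer names (an example script written for this page, not code from the post or from firewalld): it parses a constructed `ip6tables -t raw -L PREROUTING -v -n` listing for the rpfilter DROP rule and its packet counter, reads the `IPv6_rpfilter` key from a constructed firewalld.conf excerpt, and with `--live` runs the same checks against the host. The sample listings, counters and config excerpt are constructed; the ip6tables flags, the `IPv6_rpfilter` key and `firewall-cmd --reload` are real.

```shell
#!/bin/sh
# Added example: confirm whether firewalld's IPv6 reverse-path filter (the
# rpfilter DROP rule in the raw table's PREROUTING chain) is what drops the
# DHCPv6 replies, before changing any rule.

# Constructed sample of `ip6tables -t raw -L PREROUTING -v -n` output; the
# counters are made up, not captured from the poster's machine.
SAMPLE_RAW_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1896 DROP       all      *      *       ::/0                 ::/0                 rpfilter invert
    0     0 PREROUTING_direct  all      *      *       ::/0                 ::/0'

# Same chain with the rpfilter rule absent (constructed).
SAMPLE_NO_RPF='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PREROUTING_direct  all      *      *       ::/0                 ::/0'

# Constructed excerpt of /etc/firewalld/firewalld.conf.
SAMPLE_CONF='# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6.
IPv6_rpfilter=yes'

# Exit 0 when the listing (argument 1) contains an rpfilter match at all.
rpfilter_rule_present() {
    printf '%s\n' "$1" | grep -q 'rpfilter'
}

# Print the packet counter of the rpfilter DROP rule in a raw PREROUTING
# listing (argument 1), or 0 when no such rule exists.
rpfilter_drop_count() {
    printf '%s\n' "$1" | awk '
        $3 == "DROP" && /rpfilter/ { n = $1 }
        END { print (n == "" ? 0 : n) }'
}

# Print the effective IPv6_rpfilter value from firewalld.conf text
# (argument 1). firewalld treats a missing key as "yes".
firewalld_ipv6_rpfilter() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*IPv6_rpfilter[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
        END { print (v == "" ? "yes" : v) }'
}

# Classify a raw PREROUTING listing: "rpfilter-dropping" when the rule is
# there and has a non-zero counter, "rpfilter-idle" when it is there but has
# dropped nothing, "rpfilter-off" when the rule is absent.
diagnose_rpfilter() {
    listing=$1
    if ! rpfilter_rule_present "$listing"; then
        echo rpfilter-off
    elif [ "$(rpfilter_drop_count "$listing")" -gt 0 ]; then
        echo rpfilter-dropping
    else
        echo rpfilter-idle
    fi
}

# With --live, run the same checks against this host (needs root).
if [ "${1:-}" = "--live" ]; then
    listing=$(ip6tables -t raw -L PREROUTING -v -n)
    conf=$(cat /etc/firewalld/firewalld.conf)
    echo "rule state: $(diagnose_rpfilter "$listing")"
    echo "IPv6_rpfilter setting: $(firewalld_ipv6_rpfilter "$conf")"
fi
```

Run it with `--live` once, bring the interface up, and run it again: if the rpfilter rule's packet counter grows while the DHCPv6 reply never reaches Wireshark, the raw-table rule is the culprit rather than the filter-table chains the question lists (the raw table is consulted before them, so the dhcpv6-client accept in IN_public_allow never sees the packet). Setting `IPv6_rpfilter=no` in /etc/firewalld/firewalld.conf and running `firewall-cmd --reload` is the blunt fix; it also removes the anti-spoofing reverse-path check for all IPv6 traffic, so it is better treated as a diagnosis step, restored once the reverse-route problem that makes the check fail for the DHCPv6 server's address is understood.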
