我正在尝试过滤掉特定的 ICMPv6 数据包,并尝试使用以下命令查看所有可能的类型选项:
ip6tables -p icmpv6 -h
这会产生以下类型(注意嵌套的类型):
Valid ICMPv6 Types:
destination-unreachable
no-route
communication-prohibited
address-unreachable
port-unreachable
packet-too-big
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
bad-header
unknown-header-type
unknown-option
echo-request (ping)
echo-reply (pong)
router-solicitation
router-advertisement
neighbour-solicitation (neighbor-solicitation)
neighbour-advertisement (neighbor-advertisement)
redirect
嵌套类型是否可以有针对性?
DROP对于传出的目的地不可达的数据包来说,这是正确的语法吗no-route?
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable no-route -j DROP
答案1
直接匹配no-route类型就可以:
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type no-route -j DROP
如果您想要删除所有无法到达目的地的类型,您可以使用:
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j DROP