Cannot reach global addresses behind an IPv6 router

I have an Arch Linux based IPv6 router. My ISP gave me the 2a00:f480:4:266::/64 network:

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 78:24:af:04:66:72 brd ff:ff:ff:ff:ff:ff
    inet 10.20.10.134/16 brd 10.20.255.255 scope global dynamic noprefixroute eth0
       valid_lft 42952sec preferred_lft 37552sec
    inet6 2a00:f480:4:266:7a24:afff:fe04:6672/64 scope global dynamic mngtmpaddr 
       valid_lft 2591945sec preferred_lft 604745sec
    inet6 fe80::7a24:afff:fe04:6672/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b8:27:eb:c5:31:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.1/24 brd 192.168.88.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 2a00:f480:4:266::0388/64 scope global nodad 
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fec5:3179/64 scope link 
       valid_lft forever preferred_lft forever

My external interface is configured via netctl; for IPv4 I use DHCP, for IPv6 I use SLAAC:

# cat /etc/netctl/external 
Description='Wired WAN connection'
Interface=eth0
Connection=ethernet
IP=dhcp
IP6=stateless
DNS=('127.0.0.1' '::1')
SkipNoCarrier=yes

A DNS server, dnsmasq, is installed locally. My internal interface is configured manually:

# cat /etc/netctl/internal 
Description='Wireless LAN connection'
Interface=wlan0
Connection=ethernet
IP=static
IP6=static
Address='192.168.88.1/24'
Address6='2a00:f480:4:266::0388/64'
SkipNoCarrier=yes

I share the Internet connection with the whole room via hostapd. Forwarding is enabled:

# cat /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

iptables is configured for both IP protocol versions:

# cat /etc/iptables/iptables.rules 
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]

# loopback functionality
-A INPUT -i lo -j ACCEPT
# drop all invalid packets regardless its origin
-A INPUT -m conntrack --ctstate INVALID -j DROP
# allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow ping from LAN
-A INPUT -i wlan0 -s 192.168.88.0/24 -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# allow TCP and UDP services
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# deny all other incoming connections
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# TCP services
-A TCP -i wlan0 -s 192.168.88.0/24 -p tcp --dport 22 -j ACCEPT
-A TCP -i wlan0 -s 192.168.88.0/24 -p tcp --dport 53 -j ACCEPT
# UDP services
-A UDP -i wlan0 -s 192.168.88.0/24 -p udp --dport 53 -j ACCEPT
-A UDP -i wlan0 -p udp --dport 67 -j ACCEPT

# allow forwarding between eth0 and wlan0
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
# deny all remaining
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# allow masquerading for LAN
-A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
COMMIT

# cat /etc/iptables/ip6tables.rules 
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# loopback functionality
-A INPUT -i lo -j ACCEPT
# drop all invalid packets regardless its origin
-A INPUT -m conntrack --ctstate INVALID -j DROP
# allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow ICMPv6
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# allow forwarding between eth0 and wlan0
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
# deny all other incoming connections
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

radvd is also installed and configured:

# cat /etc/radvd.conf 
interface wlan0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;

    prefix 2a00:f480:4:266::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };

    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {
    };
};

On a laptop in the LAN, I have an IPv6 address from the ISP's subnet (I assume via Router Advertisements):

[viktor@desolve-nettop ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 78:24:af:04:66:72 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 48:45:20:c0:77:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.10/24 brd 192.168.88.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 85645sec preferred_lft 85645sec
    inet6 2a00:f480:4:266:50d5:7ac7:d3b1:618f/64 scope global dynamic noprefixroute 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::40e2:4067:e8c6:3c1/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

However, test-ipv6, ping and traceroute to ipv6.google.com do not work on the laptop in the LAN:

[viktor@desolve-nettop ~]$ ping ipv6.google.com
PING ipv6.google.com(li-in-x71.1e100.net (2a00:1450:4010:c05::71)) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7103ms

[viktor@desolve-nettop ~]$ traceroute -6 ipv6.google.com
traceroute to ipv6.google.com (2a00:1450:4010:c05::71), 30 hops max, 80 byte packets
 1  2a00:f480:4:266::0388 (2a00:f480:4:266::0388)  121.853 ms  122.249 ms  122.224 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Meanwhile, everything is fine on the router:

# ping ipv6.google.com
PING ipv6.google.com(li-in-x71.1e100.net (2a00:1450:4010:c05::71)) 56 data bytes
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=1 ttl=45 time=16.4 ms
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=2 ttl=45 time=16.4 ms
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=3 ttl=45 time=16.3 ms
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=4 ttl=45 time=16.3 ms
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 16.313/16.359/16.434/0.047 ms

# traceroute -6 ipv6.google.com
traceroute to ipv6.google.com (2a00:1450:4010:c05::71), 30 hops max, 80 byte packets
 1  2a00:f480:4:266::1 (2a00:f480:4:266::1)  0.723 ms  0.621 ms  0.608 ms
 2  2a00:f480:0:3::4:ff (2a00:f480:0:3::4:ff)  0.667 ms  0.641 ms  0.626 ms
 3  2a00:f480:0:3::517:10 (2a00:f480:0:3::517:10)  1.133 ms  1.007 ms  0.882 ms
 4  2a00:f480:0:3::514:12 (2a00:f480:0:3::514:12)  0.773 ms  1.014 ms  0.889 ms
 5  2a00:f480:0:1:: (2a00:f480:0:1::)  1.203 ms  1.261 ms  1.205 ms
 6  m9-3-gw.msk.runnet.ru (2001:b08:b08:b08::f1)  0.690 ms  0.850 ms  0.768 ms
 7  2001:4860:1:1:0:cc3:0:1 (2001:4860:1:1:0:cc3:0:1)  0.922 ms  0.797 ms  0.832 ms
 8  2001:4860:0:116f::11 (2001:4860:0:116f::11)  1.315 ms 2001:4860:0:1170::2 (2001:4860:0:1170::2)  1.958 ms 2001:4860:0:1170::12 (2001:4860:0:1170::12)  1.155 ms
 9  2001:4860::c:4001:8e2d (2001:4860::c:4001:8e2d)  19.363 ms  17.405 ms 2001:4860::8:4000:e519 (2001:4860::8:4000:e519)  18.808 ms
10  2001:4860::2:0:752c (2001:4860::2:0:752c)  16.285 ms  14.465 ms  14.462 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  li-in-x71.1e100.net (2a00:1450:4010:c05::71)  18.411 ms  17.802 ms  16.240 ms

The ip6tables rules do not block the requests and forwarding is enabled, but I don't know why it doesn't work. The same goes for my Android phone. Could anyone help me find the cause of the problem? I found the same problem here, but without a solution.

Here is the routing table on my LAN laptop:

[viktor@desolve-nettop ~]$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a00:f480:4:266::/64 dev wlp2s0 proto ra metric 600 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
default via fe80::ba27:ebff:fec5:3179 dev wlp2s0 proto ra metric 20600 pref medium