Network security: hardening IPv6 on an Ubuntu server?

I know how to harden IPv4 on an Ubuntu server, but when I use the same rules for IPv6 with ip6tables, IPv6 connectivity is lost and ping fails with "Destination unreachable: Address unreachable". Can you suggest how to fix this? My logic is as follows:

#IPv6
#Reset all rules (F) and chains (X)
ip6tables -F
ip6tables -X

#Force SYN packets check
ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Drop XMAS packets
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#Drop null packets
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#Drop incoming packets with fragments
#ip6tables -A INPUT -f -j DROP #this does not really work like in iptables

#Drop traffic 
ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P FORWARD DROP
ip6tables -t filter -P OUTPUT DROP
#Keep established
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept loopback
ip6tables -t filter -A INPUT -i lo -j ACCEPT
ip6tables -t filter -A OUTPUT -o lo -j ACCEPT

#ICMP
ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT

#ServiceX
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceY
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
#ServiceZ
ip6tables -t filter -A DESTINATION -p PROTOCOL --dport PORT -j ACCEPT
...

Example for the SSH server (although I never use the default port 22...):

#SSH
ip6tables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

The script is executable, so it runs from /etc/init.d/scriptname after a reboot. The aim is to block everything and allow only what the server's services actually use. Is there a better way to do this? Why does this work for IPv4 but not for IPv6? When I issue ip6tables -t filter -P INPUT ACCEPT it works, but that is not the point. How do I really secure IPv6 on an Ubuntu server? Thanks!

Answer 1

Given how IPv6 works, you need to add some ACCEPT rules for ICMPv6; try the following:

# ICMPv6 error messages: 1 destination unreachable, 2 packet too big,
# 3 time exceeded, 4 parameter problem
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
# $WAN_IF holds the name of the Internet-facing interface (e.g. WAN_IF=eth0)
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A FORWARD -i $WAN_IF -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Router and neighbor discovery incoming and outgoing
ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
# Ping request to firewall from LAN and DMZ
ip6tables -A INPUT ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT
# Ping request from firewall, LAN and DMZ
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
ip6tables -A FORWARD ! -i $WAN_IF -p icmpv6 --icmpv6-type 128 -j ACCEPT

I found this article very useful myself: IPv6 tables

Answer 2

ip6tables -t filter -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p ipv6-icmp -j ACCEPT

instead of

ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT

solved it.
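Putting the two answers together, as an added example that is not code from the question or from either answer: a complete ip6tables-restore ruleset for a host that keeps the question's default-DROP policies, uses the ICMPv6 protocol name from answer 2, and accepts the ICMPv6 types answer 1 lists (the set RFC 4890 treats as essential for a host), plus a small checker that reads a ruleset and reports which of those types it never accepts on INPUT. The reason the question's script loses connectivity is that "-p icmp" on ip6tables selects IP protocol 1 (ICMPv4), while ICMPv6 is protocol 58, so the two ICMP rules never match; neighbor solicitations are then dropped, address resolution fails, and ping reports "Address unreachable". Assumptions that are mine and not from the page: the host does no forwarding, SSH listens on port 22, outbound DNS is wanted, the hop-limit check on discovery messages and the rate limit on echo requests.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Combines the two
# fixes on this page: the ICMPv6 protocol name (answer 2) and explicit ACCEPTs
# for the ICMPv6 types a host cannot work without (answer 1, RFC 4890).
# Assumptions not taken from the page: no forwarding, SSH on port 22, outbound
# DNS wanted, hop-limit check on discovery messages, rate-limited echo.
set -eu

# ICMPv6 types a host must accept on INPUT. Without 135/136 neighbor discovery
# fails and ping reports "Address unreachable"; without 2 path MTU discovery
# breaks.  1 dst-unreachable, 2 packet-too-big, 3 time-exceeded,
# 4 parameter-problem, 133/134 router sol/adv, 135/136 neighbor sol/adv.
REQUIRED_ICMPV6_TYPES="1 2 3 4 133 134 135 136"

# Ruleset in ip6tables-restore format: loaded atomically, so there is no window
# with the DROP policy set but the ACCEPT rules not yet appended.
ipv6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and already-tracked connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# TCP sanity checks carried over from the question's script
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# ICMPv6 error messages
-A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Router/neighbor discovery. RFC 4861 mandates hop limit 255, so a message
# that crossed a router (hop limit decremented) is not accepted.
-A INPUT -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# echo request: rate limited rather than dropped
-A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
# the host may send any ICMPv6 (echo replies, NS/NA, errors)
-A OUTPUT -p icmpv6 -j ACCEPT
# services: new inbound SSH; its replies match ESTABLISHED on OUTPUT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# outbound DNS, since OUTPUT defaults to DROP
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset from stdin (restore format, "ip6tables -S INPUT" output, or
# "ip6tables -t filter -A ..." lines) and print the required ICMPv6 types it
# never ACCEPTs on INPUT; prints an empty line when none are missing. A blanket
# "-p icmpv6 -j ACCEPT" covers all types. "-p icmp" counts for nothing: on
# ip6tables it selects protocol 1 (ICMPv4), while ICMPv6 is protocol 58.
missing_icmpv6_types() {
    rules=$(sed -E 's/^ip6tables( -t filter)? //' | grep -E '^-A INPUT .*-j ACCEPT' || true)
    if printf '%s\n' "$rules" | grep -Eq -- '^-A INPUT -p (icmpv6|ipv6-icmp) -j ACCEPT'; then
        printf '\n'
        return 0
    fi
    missing=""
    for t in $REQUIRED_ICMPV6_TYPES; do
        if ! printf '%s\n' "$rules" | grep -Eq -- "-p (icmpv6|ipv6-icmp) (-m icmp6 )?--icmpv6-type $t "; then
            missing="${missing:+$missing }$t"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample: the two ICMP lines from the question's script.
question_icmp_lines='ip6tables -t filter -A INPUT -p icmp -j ACCEPT
ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT'

check_question() { printf '%s\n' "$question_icmp_lines" | missing_icmpv6_types; }
check_fixed()    { ipv6_ruleset | missing_icmpv6_types; }

# Usage: run as root with "apply" to load the ruleset; with no argument it
# prints the ruleset and the result of both checks.
case "${1:-}" in
    apply) ipv6_ruleset | ip6tables-restore ;;
    *)     ipv6_ruleset
           echo "question's '-p icmp' lines, missing types: $(check_question)"
           echo "this ruleset, missing types: '$(check_fixed)'" ;;
esac
```

To persist the rules on Ubuntu, write the output of ipv6_ruleset to /etc/iptables/rules.v6 and let the iptables-persistent (netfilter-persistent) package load it at boot, which replaces the /etc/init.d script from the question. After applying, "ip6tables -S INPUT | missing_icmpv6_types" (sourcing the script first) checks the rules as the kernel actually holds them, and "ip -6 neigh" should list the gateway as REACHABLE rather than FAILED. Note that "ip6tables -S" prints the protocol as ipv6-icmp with an explicit "-m icmp6", which is why the checker accepts both spellings.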
