ip6tables rule accepting inbound HTTP is not enough to allow IPv6 requests

Ber*_*set 3 iptables ipv6

My server has an IPv6 reachability problem.

  • The server supports IPv6 and can reach / be reached by third parties over IPv6 (ping6 and traceroute6 tested on my Debian stable Wheezy, which is up to date)
  • The site's DNS IPv6 AAAA record exists and works correctly
  • The web server (nginx) is listening on IPv6 and ready to handle requests the same way as over IPv4
  • The ip6tables INPUT table is configured to allow HTTP requests, just like iptables (default policy DROP + a TCP 80 ACCEPT rule):

    Chain INPUT (policy DROP 648 packets, 46788 bytes)
    pkts bytes target     prot opt in     out     source               destination
    6   480 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
    

I have narrowed the problem down to the fact that if I set the default policy to ACCEPT, HTTP connections work; otherwise they don't.

So it seems some other port redirection may be needed? oO

Could this be related to some kernel configuration of the routing / IPv6 stack?

Here is the output of sudo ip6tables --line-numbers -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8169  784K ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
3        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
4        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

cou*_*ode 5

Folks, you must not ignore ICMPv6 the way you do with legacy IP. ICMPv6, and in particular the Neighbor Discovery Protocol (NDP), is essential for IPv6 to work at all. (Among other things, NDP is the replacement for ARP.)

This means you must at the very least allow ICMPv6 types 133-136 from the local link (i.e. fe80::/10). In addition you must let certain error messages through, e.g. because routers no longer fragment. Nor do you want to drop link-local multicast messages.

RFC 4890 tells the whole story.

Here is an excerpt from one of my machines (a VM host that acts as a router):

#! /bin/sh

# Helpers: append a rule to the chain named by $1 (the remaining arguments are
# the match) and jump to DROP or ACCEPT; chain creates a user-defined chain.
drop () {
    /sbin/ip6tables --jump DROP --append "$@";
}

accept () {
    /sbin/ip6tables --jump ACCEPT --append "$@";
}

chain () {
    /sbin/ip6tables --new-chain "$@"
}

# Rate-limit accepted ICMPv6 so a flood cannot saturate the host
ICMP_RATELIMIT="--match limit --limit 2/s"

# ...

#       Validate incoming ICMPv6 messages
#       (INPUT must hand ICMPv6 traffic to this chain with a --jump ICMPv6_IN rule; not shown in this excerpt)
chain   ICMPv6_IN

# error messages

# allow error messages that are related to previously seen traffic
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type destination-unreachable --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type packet-too-big --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type ttl-exceeded --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type parameter-problem --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT

# accept neighbor discovery
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-solicitation $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-advertisement $ICMP_RATELIMIT

# accept router discovery
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type router-solicitation '!' --src ff00::/8 --in-interface cafe0 $ICMP_RATELIMIT
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type router-advertisement --src fe80::/10 --in-interface wlp3s0 $ICMP_RATELIMIT


# ping
# accept replies to my ping requests
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type echo-reply --match conntrack --ctstate ESTABLISHED,RELATED

# allow ping from my network(s)
# ($COUNTERMODE holds the prefixes of my own networks; it is defined outside this excerpt)
accept  ICMPv6_IN --src $COUNTERMODE --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT

# allow link-local unicast ping
accept  ICMPv6_IN --dst fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT

## allow multicast ping from local link
#accept  ICMPv6_IN --dst ff00::/8 --src fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT

# multicast listener discovery v1
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 130 --in-interface cafe0
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 131 --in-interface cafe0
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 132 --in-interface cafe0

# multicast listener discovery v2
accept  ICMPv6_IN --protocol icmpv6 --icmpv6-type 143 --in-interface cafe0


# drop everything else
drop ICMPv6_IN
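The check the answer describes, as an added example that is not part of the original answer or the asker's setup: a small Python audit that parses the output of `ip6tables -S` and reports which of the ICMPv6 types RFC 4890 requires never reach an ACCEPT rule before the DROP policy bites. Both rulesets in it are constructed. The first mirrors the asker's INPUT chain from the question, where the RELATED,ESTABLISHED rule already admits ICMPv6 error messages (conntrack marks them RELATED to the flow they report on) but never matches Neighbor Discovery, which belongs to no tracked flow. The second is a fix for a plain host: NDP types 133-136 matched with hop limit 255 as RFC 4861 requires (`-m hl --hl-eq 255`), MLD queries only from the local link, rate-limited echo requests, then the TCP ports. Type numbers and names are as ip6tables prints them; the `FIXED` ruleset is an assumption about what a host like the asker's needs, not something from the question.

```python
"""Audit an ip6tables INPUT chain (as printed by `ip6tables -S`) for the ICMPv6
traffic IPv6 cannot work without (RFC 4890). Added example, not code from the
original answer; the two rulesets at the bottom are constructed."""
import shlex

# Neighbor Discovery (RFC 4861) must be accepted unconditionally: these packets
# belong to no TCP/UDP flow, so a RELATED,ESTABLISHED rule never matches them.
NDP_TYPES = {133: "router-solicitation", 134: "router-advertisement",
             135: "neighbour-solicitation", 136: "neighbour-advertisement"}
# Error messages (RFC 4443); conntrack marks them RELATED to the flow they report on.
ERROR_TYPES = {1: "destination-unreachable", 2: "packet-too-big",
               3: "time-exceeded", 4: "parameter-problem"}
NAME_TO_TYPE = {name: t for t, name in {**NDP_TYPES, **ERROR_TYPES}.items()}
NAME_TO_TYPE.update({"neighbor-solicitation": 135, "neighbor-advertisement": 136, "ttl-exceeded": 3})
ICMPV6_PROTOS = {"ipv6-icmp", "icmpv6"}
VALUED_OPTS = {"-j", "-p", "-m", "-s", "-d", "-i", "-o", "--icmpv6-type",
               "--ctstate", "--state", "--dport", "--limit", "--hl-eq"}
SCOPING_OPTS = {"-s", "-d", "-i", "-o", "!"}  # narrow a rule below "every packet"

def parse_input_chain(saved):
    """Return (policy, rules) for INPUT; a rule is a dict of the options inspected."""
    policy, rules = "ACCEPT", []
    for line in saved.splitlines():
        argv = shlex.split(line)
        if argv[:2] == ["-P", "INPUT"]:
            policy = argv[2]
        elif argv[:2] == ["-A", "INPUT"]:
            rule = {"target": None, "proto": None, "type": None, "ctstate": None,
                    "scoped": False}
            i = 2
            while i < len(argv):
                opt, val = argv[i], argv[i + 1] if i + 1 < len(argv) else None
                if opt == "-j":
                    rule["target"] = val
                elif opt == "-p":
                    rule["proto"] = val
                elif opt == "--icmpv6-type":  # unknown names stay strings, never "any type"
                    rule["type"] = int(val) if val.isdigit() else NAME_TO_TYPE.get(val, val)
                elif opt in ("--ctstate", "--state"):
                    rule["ctstate"] = set(val.split(","))
                rule["scoped"] = rule["scoped"] or opt in SCOPING_OPTS
                i += 2 if opt in VALUED_OPTS else 1
            rules.append(rule)
    return policy, rules

def audit_input(saved):
    """Walk INPUT top to bottom; report the required ICMPv6 types that never reach ACCEPT."""
    policy, rules = parse_input_chain(saved)
    ndp_ok, err_ok, blanket_drop = set(), set(), False
    for r in rules:
        is_icmp = r["proto"] in ICMPV6_PROTOS
        wide = ((r["proto"] is None or is_icmp) and r["type"] is None
                and not r["ctstate"] and not r["scoped"])
        if r["target"] == "ACCEPT":
            if wide:                          # accept-all, or accept-all-ICMPv6
                ndp_ok.update(NDP_TYPES)
                err_ok.update(ERROR_TYPES)
            elif r["proto"] is None and r["ctstate"] and "RELATED" in r["ctstate"]:
                err_ok.update(ERROR_TYPES)    # errors ride on tracked flows; NDP does not
            elif is_icmp and isinstance(r["type"], int):
                if not r["ctstate"]:
                    ndp_ok.add(r["type"])
                err_ok.add(r["type"])
        elif r["target"] in ("DROP", "REJECT") and wide:
            blanket_drop = True
            break                             # later rules are unreachable for ICMPv6
    if policy == "ACCEPT" and not blanket_drop:
        ndp_ok.update(NDP_TYPES)
        err_ok.update(ERROR_TYPES)
    return {"policy": policy,
            "missing_ndp": sorted(set(NDP_TYPES) - ndp_ok),
            "missing_errors": sorted(set(ERROR_TYPES) - err_ok)}

# Constructed: the asker's INPUT chain as listed in the question.
BROKEN = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Constructed fix for a host: NDP must arrive with hop limit 255 (RFC 4861), so
# `-m hl --hl-eq 255` rejects anything forwarded from off-link; MLD queries only
# from the local link; ping rate-limited; errors already pass via the RELATED rule.
FIXED = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
```

Run it against a live box with `audit_input(subprocess.check_output(["ip6tables", "-S", "INPUT"], text=True))`; on the asker's chain it reports `missing_ndp == [133, 134, 135, 136]` and no missing error types, which is exactly the failure mode in the question: the router's neighbor solicitations are dropped, so it never learns the server's link-layer address and the TCP SYNs never arrive, while flipping the policy to ACCEPT makes everything work. The audit deliberately treats a type-specific accept that is gated on conntrack state as good enough for error messages but not for NDP, and stops at the first unscoped DROP because nothing below it can be reached.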