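After deciding that my small server needed a firewall, I used ferm to configure iptables and ip6tables for me (this question should be tagged ferm, but I can't create the tag).
I use the same rules for IPv4 and IPv6, but as soon as I set up the firewall, IPv6 connections (on all ports) stop working and I have to fall back to IPv4. Why is that?
My /etc/ferm.conf: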
domain (ip ip6) table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;

        # allow all my lovely server stuff
        proto tcp dport (http https smtp imap imaps) ACCEPT;

        # Teamspeak 3 Server
        proto tcp dport (10011 30033) ACCEPT;
        proto udp dport 9987 ACCEPT;

        # Prosody XMPP
        proto tcp dport (5222 5269) ACCEPT;

        # ident connections are also allowed
        proto tcp dport auth ACCEPT;

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}
ip6tables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 state INVALID
24 8224 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:25
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:143
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:993
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:10011
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:30033
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:9987
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:5222
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:5269
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:113
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 24 packets, 8224 bytes)
pkts bytes target prot opt in out source destination
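
Added example, not part of the original post: IPv6 uses ICMPv6 Neighbor Discovery (types 133 to 136, RFC 4861) where IPv4 uses ARP, and the listing above accepts only ICMPv6 type 128 (echo request). This Python script parses an `ip6tables -vnL` listing and reports which Neighbor Discovery types the INPUT chain has no ACCEPT rule for; the function names and the shortened sample listing are constructed for illustration.

```python
import re

# ICMPv6 Neighbor Discovery message types (RFC 4861).
# IPv6 resolves link-layer addresses with these instead of ARP.
ND_TYPES = {
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbour-solicitation", 136: "neighbour-advertisement"}

# Constructed sample: shortened copy of the INPUT chain from the listing in the post.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 state INVALID
24 8224 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
"""

def accepted_icmpv6_types(listing, chain="INPUT"):
    """Return (policy, ICMPv6 types with an explicit ACCEPT rule) for one chain.
    Simplification: only rules whose protocol column is ICMPv6 are considered."""
    policy, types, in_chain = None, set(), False
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if head:
            in_chain = head.group(1) == chain
            if in_chain:
                policy = head.group(2)
            continue
        f = line.split()
        if not in_chain or len(f) < 8 or f[2] != "ACCEPT":
            continue
        if f[3] not in ("icmpv6", "ipv6-icmp", "58"):
            continue
        m = re.search(r"ipv6-icmptype (\d+)", line)
        types.add(int(m.group(1)) if m else "any")  # "any": no type restriction
    return policy, types

def missing_nd_types(listing, chain="INPUT"):
    """Names of the Neighbor Discovery types the chain has no ACCEPT rule for."""
    policy, types = accepted_icmpv6_types(listing, chain)
    if policy == "ACCEPT" or "any" in types:
        return []
    return [name for t, name in sorted(ND_TYPES.items()) if t not in types]

if __name__ == "__main__":
    print(missing_nd_types(SAMPLE))
```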