Ipv6
ipv6 and iptables - setting up basic rules
I'm starting to realise that my IPv6 ports aren't going through iptables and are therefore open to attack. I haven't seen anything yet, but I believe it's only a matter of time. So I'm trying to firewall ipv6. I came across this `ip6tables` rules script:

```bash
#!/bin/bash
# ip6tables single-host firewall script

# Define your command variables
ipt6="/sbin/ip6tables"

# Flush all rules and delete all chains
# for a clean startup
$ipt6 -F
$ipt6 -X

# Zero out all counters
$ipt6 -Z

# Default policies: deny all incoming
# Unrestricted outgoing
$ipt6 -P INPUT DROP
$ipt6 -P FORWARD DROP
$ipt6 -P OUTPUT ACCEPT

# Must allow loopback interface
$ipt6 -A INPUT -i lo -j ACCEPT

# Reject connection attempts not initiated from the host
$ipt6 -A INPUT -p tcp --syn -j DROP

# Allow return connections initiated from the host
$ipt6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all ICMP v6 packets
$ipt6 -A INPUT -p ipv6-icmp -j ACCEPT

# Optional rules to allow other LAN hosts access to services. Delete
$ipt6 -A INPUT -p tcp --syn -j DROP

# Allow DHCPv6 from LAN only
$ipt6 -A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT

# Allow connections from SSH clients
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS traffic
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Allow access to SMTP, POP3, and IMAP
$ipt6 -A INPUT -m state --state NEW -p tcp -m multiport --dport 25,110,143 -j ACCEPT
```
While this does block what I want, it also seems to disallow ports 80 and 443?

```bash
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
```
When I try to access it from another server, it just hangs:

```
curl -v -6 http://backups.foo.org:80
* Rebuilt URL to: http://backups.foo.org:80/
*   Trying 2a00:1098:80:a1::1...
* TCP_NODELAY set
```
ipv4 works fine:

```
curl -v -4 http://backups.foo.org:80
* Rebuilt URL to: http://backups.foo.org:80/
*   Trying 93.93.135.111...
* TCP_NODELAY set
* Connected to backups.foo.org (93.93.135.169) port 80 (#0)
> GET / HTTP/1.1
> Host: backups.foo.org
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Tue, 23 Feb 2021 07:52:32 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https://backups.foo.org/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host backups.foo.org left intact
```
What am I missing? Basically I just want to block the ipv6 ports of sensitive services (MySQL, Exim, SMTP, etc.).
**Update:** As suggested, I've removed:

```bash
$ipt6 -A INPUT -p tcp --syn -j DROP
```

and run the script again, and `ip6tables` now looks like this:

```
root@backups:~# ip6tables --list -n
Chain INPUT (policy DROP)
target     prot    opt source      destination
ACCEPT     all         ::/0        ::/0
ACCEPT     all         ::/0        ::/0        ctstate RELATED,ESTABLISHED
ACCEPT     icmpv6      ::/0        ::/0
ACCEPT     udp         fe80::/10   ::/0        state NEW udp dpt:546
ACCEPT     tcp         ::/0        ::/0        state NEW tcp dpt:22
ACCEPT     tcp         ::/0        ::/0        state NEW tcp dpt:80
ACCEPT     tcp         ::/0        ::/0        state NEW tcp dpt:443
ACCEPT     tcp         ::/0        ::/0        state NEW multiport dports 25,110,143

Chain FORWARD (policy DROP)
target     prot    opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot    opt source      destination
```
I've tested it:

```
curl -6 backups.foo.org
curl: (7) Failed to connect to backups.foo.org port 80: Connection refused
```
Again, it works with `-4`. Strangely, it does work from here: https://tools.keycdn.com/ipv6-ping

I can ping from the same server and it works fine:

```
ping backups.foo.org
PING backups.chambresdhotes.org(2a00:1098:80:a1::1 (2a00:1098:80:a1::1)) 56 data bytes
64 bytes from 2a00:1098:80:a1::1 (2a00:1098:80:a1::1): icmp_seq=1 ttl=59 time=1.08 ms
64 bytes from 2a00:1098:80:a1::1 (2a00:1098:80:a1::1): icmp_seq=2 ttl=59 time=1.03 ms
^X^C
```
As requested, `ip6tables-save` gives the following output:

```
ip6tables-save
# Generated by ip6tables-save v1.6.1 on Tue Feb 23 08:57:59 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [78:6090]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,110,143 -j ACCEPT
COMMIT
```
**Update 2:**

As requested, the output of `ss -lnpt`. Interestingly, I don't see port 80 there.

```
LISTEN 0 100 [::]:993   [::]:*
LISTEN 0 100 [::]:995   [::]:*
LISTEN 0 128 [::]:22122 [::]:*
LISTEN 0 100 [::]:110   [::]:*
LISTEN 0 128 [::1]:783  [::]:*
LISTEN 0 100 [::]:143   [::]:*
LISTEN 0 128 [::]:55413 [::]:*
LISTEN 0 128 *:8181     *:*
LISTEN 0 128 [::1]:53   [::]:*
LISTEN 0 128 [::]:55414 [::]:*
LISTEN 0 128 [::]:22    [::]:*
LISTEN 0 128 [::1]:8953 [::]:*
```
Interestingly, it does show up in `netstat`:

```
sudo netstat -tulpan | grep nginx
tcp   0 0 0.0.0.0:9183      0.0.0.0:*      LISTEN      1133/nginx: master
tcp   0 0 93.93.135.169:80  0.0.0.0:*      LISTEN      1161/nginx: master
tcp   0 0 127.0.0.1:8084    0.0.0.0:*      LISTEN      1161/nginx: master
tcp   0 0 93.93.135.169:443 0.0.0.0:*      LISTEN      1161/nginx: master
tcp6  0 0 :::80             :::*           LISTEN      1161/nginx: master
tcp6  0 0 :::443            :::*           LISTEN      1161/nginx: master
udp   0 0 127.0.0.1:51104   127.0.0.53:53  ESTABLISHED 1135/nginx: worker
```
This is a lesson in not using a security script without understanding every line of it.

I suspect this part is the culprit:

```bash
# Reject connection attempts not initiated from the host
$ipt6 -A INPUT -p tcp --syn -j DROP
```

It does disable all incoming TCPv6 traffic. It must also disable any "related" TCPv6 traffic (e.g. "active" FTP), since it comes before the ctstate line.

Just delete it. It's useless. All non-matching packets get dropped by the policy anyway, so why drop anything early in the chain and not leave the possibility of selectively enabling services? I don't understand why this line would be in the script at all.
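The rule-order point the answer makes, as an added example that is not from the thread: a small Python first-match simulator of the question's INPUT chain (DHCPv6 and mail rules omitted; the packet fields are simplified stand-ins for netfilter's matches), run once with the `--syn -j DROP` rule in its posted position and once without it.

```python
from dataclasses import dataclass
@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmpv6"
    dport: int = 0
    syn: bool = False     # SYN set, ACK clear: a new inbound connection attempt
    ctstate: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED
    iface: str = "eth0"

def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain in order; the first matching rule decides, as netfilter does."""
    for name, match, verdict in chain:
        if match(pkt):
            return verdict, name
    return policy, "chain policy"

def tcp_new(port):
    return lambda p: p.proto == "tcp" and p.ctstate == "NEW" and p.dport == port

# Rules in the order the script installs them (DHCPv6 and mail ports left out).
# SYN_DROP is the rule the answer says to delete.
LO_ACCEPT = ("-i lo ACCEPT", lambda p: p.iface == "lo", "ACCEPT")
SYN_DROP = ("-p tcp --syn DROP", lambda p: p.proto == "tcp" and p.syn, "DROP")
REST = [
    ("ctstate ESTABLISHED,RELATED ACCEPT",
     lambda p: p.ctstate in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("-p ipv6-icmp ACCEPT", lambda p: p.proto == "icmpv6", "ACCEPT"),
    ("tcp dpt:22 ACCEPT", tcp_new(22), "ACCEPT"),
    ("tcp dpt:80 ACCEPT", tcp_new(80), "ACCEPT"),
    ("tcp dpt:443 ACCEPT", tcp_new(443), "ACCEPT"),
]
ORIGINAL_CHAIN = [LO_ACCEPT, SYN_DROP] + REST   # as posted in the question
FIXED_CHAIN = [LO_ACCEPT] + REST                # after removing SYN_DROP

# Constructed sample traffic: an inbound HTTP SYN, an inbound SYN to MySQL
# (not in the allow list), an established HTTP reply, and an ICMPv6 echo.
SAMPLES = {
    "syn_http": Packet("tcp", 80, syn=True),
    "syn_mysql": Packet("tcp", 3306, syn=True),
    "established_http": Packet("tcp", 80, ctstate="ESTABLISHED"),
    "icmpv6_echo": Packet("icmpv6"),
}

def verdicts(chain):
    """Map each sample packet name to (verdict, rule that decided it)."""
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL_CHAIN), ("fixed", FIXED_CHAIN)):
        for name, (verdict, rule) in verdicts(chain).items():
            print(f"{label:8} {name:17} {verdict:6} via {rule}")
```

With the posted order the HTTP SYN dies at the `--syn` rule before the port-80 ACCEPT is ever consulted, while the MySQL SYN is dropped either way: by that rule in the original chain and by the chain policy once it is gone.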