Ipv6

ipv6 和 iptables - 設置基本規則

  • February 23, 2021

我開始意識到我的 IPv6 埠沒有通過 iptables,因此可以被攻擊訪問。我還沒有看到,但我相信這只是時間問題。因此,我正在嘗試支持 ipv6 的防火牆。我遇到了這個配置ip6tables規則的腳本:

#!/bin/bash

# ip6tables single-host firewall script

# Define your command variables
ipt6="/sbin/ip6tables"

# Flush all rules and delete all chains
# for a clean startup
$ipt6 -F
$ipt6 -X

# Zero out all counters
$ipt6 -Z

# Default policies: deny all incoming
# Unrestricted outgoing

$ipt6 -P INPUT DROP
$ipt6 -P FORWARD DROP
$ipt6 -P OUTPUT ACCEPT

# Must allow loopback interface
$ipt6 -A INPUT -i lo -j ACCEPT

# Reject connection attempts not initiated from the host
$ipt6 -A INPUT -p tcp --syn -j DROP

# Allow return connections initiated from the host
$ipt6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all ICMP v6 packets
$ipt6 -A INPUT -p ipv6-icmp -j ACCEPT

# Optional rules to allow other LAN hosts access to services. Delete $ipt6 -A INPUT -p tcp --syn -j DROP

# Allow DHCPv6 from LAN only
$ipt6 -A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT

# Allow connections from SSH clients
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS traffic 
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Allow access to SMTP, POP3, and IMAP
$ipt6 -A INPUT -m state --state NEW -p tcp -m multiport --dport 25,110,143 -j ACCEPT

雖然這確實阻止了我想要的,但它似乎也不允許 80 和 443 埠?

$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

當我嘗試從另一台伺服器訪問時,它只是掛起:

curl -v -6 http://backups.foo.org:80
* Rebuilt URL to: http://backups.foo.org:80/
*   Trying 2a00:1098:80:a1::1...
* TCP_NODELAY set

ipv4 工作正常:

curl -v -4 http://backups.foo.org:80
* Rebuilt URL to: http://backups.foo.org:80/
*   Trying 93.93.135.111...
* TCP_NODELAY set
* Connected to backups.foo.org (93.93.135.169) port 80 (#0)
> GET / HTTP/1.1
> Host: backups.foo.org
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Tue, 23 Feb 2021 07:52:32 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https://backups.foo.org/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host backups.foo.org left intact

我錯過了什麼?基本上,我只想阻止敏感服務(MySQL、Exim、SMTP 等)上的 ipv6 埠。

**更新:**按照建議,我已刪除:

$ipt6 -A INPUT -p tcp --syn -j DROP

然後再次執行腳本,ip6tables現在看起來像這樣:

root@backups:~# ip6tables --list -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     icmpv6    ::/0                 ::/0
ACCEPT     udp      fe80::/10            ::/0                 state NEW udp dpt:546
ACCEPT     tcp      ::/0                 ::/0                 state NEW tcp dpt:22
ACCEPT     tcp      ::/0                 ::/0                 state NEW tcp dpt:80
ACCEPT     tcp      ::/0                 ::/0                 state NEW tcp dpt:443
ACCEPT     tcp      ::/0                 ::/0                 state NEW multiport dports 25,110,143

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

我已經測試過了:

curl -6 backups.foo.org
curl: (7) Failed to connect to backups.foo.org port 80: Connection refused

同樣,它適用於-4. 奇怪的是它確實從這裡開始工作:

https://tools.keycdn.com/ipv6-ping

我可以從同一台伺服器 ping,它工作正常:

ping backups.foo.org
PING backups.chambresdhotes.org(2a00:1098:80:a1::1 (2a00:1098:80:a1::1)) 56 data bytes
64 bytes from 2a00:1098:80:a1::1 (2a00:1098:80:a1::1): icmp_seq=1 ttl=59 time=1.08 ms
64 bytes from 2a00:1098:80:a1::1 (2a00:1098:80:a1::1): icmp_seq=2 ttl=59 time=1.03 ms
^X^C

根據要求,ip6tables-save還有以下輸出:

ip6tables-save
# Generated by ip6tables-save v1.6.1 on Tue Feb 23 08:57:59 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [78:6090]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,110,143 -j ACCEPT
COMMIT

更新 2:

根據要求,來自 ss -lnpt. 有趣的是,我在那裡看不到埠 80。

LISTEN    0    100  [::]:993       [::]:*  
LISTEN    0    100  [::]:995       [::]:*  
LISTEN    0    128  [::]:22122       [::]:*  
LISTEN    0    100  [::]:110       [::]:*  
LISTEN    0    128 ::1]:783       [::]:*   
LISTEN    0    100  [::]:143       [::]:*  
LISTEN    0    128  [::]:55413       [::]:*  
LISTEN    0    128 *:8181         *:*      
LISTEN    0    128 ::1]:53       [::]:*
LISTEN    0    128  [::]:55414   [::]:*
LISTEN    0    128  [::]:22      [::]:*
LISTEN    0    128 [::1]:8953    [::]:*  

有趣的是,它顯示為netstat

sudo netstat -tulpan | grep nginx
tcp        0      0 0.0.0.0:9183            0.0.0.0:*               LISTEN      1133/nginx: master
tcp        0      0 93.93.135.169:80        0.0.0.0:*               LISTEN      1161/nginx: master
tcp        0      0 127.0.0.1:8084          0.0.0.0:*               LISTEN      1161/nginx: master
tcp        0      0 93.93.135.169:443       0.0.0.0:*               LISTEN      1161/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      1161/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      1161/nginx: master
udp        0      0 127.0.0.1:51104         127.0.0.53:53           ESTABLISHED 1135/nginx: worker

這是在不了解任何一行的情況下不要使用安全腳本的教訓。

我懷疑這部分是罪魁禍首:

# Reject connection attempts not initiated from the host
$ipt6 -A INPUT -p tcp --syn -j DROP

它確實禁用了任何傳入的 TCPv6 通信。它還必須禁用任何“相關”TCPv6 通信(例如,“活動”FTP),因為它出現在 ctstate 行之前。

只需將其刪除。這是沒用的。無論如何,所有不匹配的數據包都會被策略丟棄,那麼為什麼在鏈的早期丟棄任何東西,而不留下選擇性啟用服務的可能性呢?我不明白為什麼這行會出現在腳本中。

引用自:https://serverfault.com/questions/1054689