Configure ufw or iptables to only allow outbound traffic from an internal IPv6 network to the Internet
How do I configure ufw or iptables to only allow outbound traffic from an IPv6 network to the Internet?
I have an office network with a traditional NAT setup using IPv4. I want to add a PC running Ubuntu as an IPv6 router, using a tunnel from Hurricane Electric.
I have everything set up and running fine. My internal machines are getting global addresses from the Ubuntu box and can ping ipv6.google.com and browse ipv6test.google.com without any problems.
What I'm not sure about is how to configure the firewall so that unsolicited inbound traffic from the Internet to my internal network is blocked, while outbound traffic to the Internet (and the related return traffic) is allowed.
Actual examples of ufw commands or iptables rules would be greatly appreciated.
    root@ipv6router:/home/corey# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:08:a1:10:62:c0
              inet addr:146.x.y.12  Bcast:146.x.y.15  Mask:255.255.255.240
              inet6 addr: fe80::208:a1ff:fe10:62c0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:190487 errors:1 dropped:0 overruns:1 frame:1
              TX packets:40982 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:80088076 (80.0 MB)  TX bytes:6825762 (6.8 MB)

    eth1      Link encap:Ethernet  HWaddr 00:1b:21:5b:f0:5b
              inet addr:192.168.76.3  Bcast:192.168.76.255  Mask:255.255.255.0
              inet6 addr: fe80::21b:21ff:fe5b:f05b/64 Scope:Link
              inet6 addr: 2001:x:1f07:z::1/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:90200 errors:0 dropped:0 overruns:0 frame:0
              TX packets:59894 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:12839775 (12.8 MB)  TX bytes:70668474 (70.6 MB)

    he-ipv6   Link encap:IPv6-in-IPv4
              inet6 addr: fe80::9273:130c/128 Scope:Link
              inet6 addr: 2001:x:1f06:z::2/64 Scope:Global
              UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
              RX packets:56991 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34362 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:69388394 (69.3 MB)  TX bytes:4537403 (4.5 MB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:13137 errors:0 dropped:0 overruns:0 frame:0
              TX packets:13137 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:998616 (998.6 KB)  TX bytes:998616 (998.6 KB)

    root@ipv6router:/home/corey# route -A inet6
    Kernel IPv6 routing table
    Destination                    Next Hop                   Flag Met  Ref Use   If
    2001:x:1f06:z::1/128           ::                         U    1024 0   1     he-ipv6
    2001:x:1f06:z::/64             ::                         Un   256  0   0     he-ipv6
    2001:x:1f07:z::/64             ::                         U    256  0   0     eth1
    fe80::/64                      ::                         U    256  0   0     eth1
    fe80::/64                      ::                         Un   256  0   0     he-ipv6
    fe80::/64                      ::                         U    256  0   0     eth0
    ::/0                           2001:x:1f06:z::1           UG   1024 0   0     he-ipv6
    ::/0                           ::                         !n   -1   1   92337 lo
    ::1/128                        ::                         Un   0    1   412   lo
    2001:x:1f06:z::/128            ::                         Un   0    1   0     lo
    2001:x:1f06:z::2/128           ::                         Un   0    1   736   lo
    2001:x:1f07:z::/128            ::                         Un   0    1   0     lo
    2001:x:1f07:z::1/128           ::                         Un   0    1   0     lo
    fe80::/128                     ::                         Un   0    1   0     lo
    fe80::/128                     ::                         Un   0    1   0     lo
    fe80::9273:130c/128            ::                         Un   0    1   0     lo
    fe80::208:a1ff:fe10:62c0/128   ::                         Un   0    1   0     lo
    fe80::21b:21ff:fe5b:f05b/128   ::                         Un   0    1   4611  lo
    ff00::/8                       ::                         U    256  0   0     eth1
    ff00::/8                       ::                         U    256  0   0     he-ipv6
    ff00::/8                       ::                         U    256  0   0     eth0
    ::/0                           ::                         !n   -1   1   92337 lo
Add forwarding firewall rules using the FORWARD chain.

    ip6tables -A FORWARD -i he-ipv6 -m state --state ESTABLISHED,RELATED -j ACCEPT   # Accept already established connections (return traffic, for instance)
    ip6tables -A FORWARD -i he-ipv6 -j DROP                                          # Drop the rest
    ip6tables -A FORWARD -o he-ipv6 -j ACCEPT                                        # Accept outbound connections to the ipv6 tunnel
    ip6tables -P FORWARD DROP                                                        # Set default policy on forward chain
With this setup you will need to add more rules to get the other interfaces routing the way you want, but it will end up looking very similar to the above.
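As an added example that is not part of the answer above, here is a small Python model of how that FORWARD chain classifies forwarded packets under ip6tables' first-match evaluation. Interface names come from the question's ifconfig output; the traffic cases are constructed, and a second chain with the DROP appended before the ESTABLISHED,RELATED rule is included to show why rule order matters.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on (-i)
    out_iface: str   # interface it will leave on (-o)
    state: str       # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT or DROP
    in_iface: Optional[str] = None      # -i match, None means any
    out_iface: Optional[str] = None     # -o match, None means any
    states: Optional[frozenset] = None  # --state match, None means any

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.out_iface is None or self.out_iface == pkt.out_iface)
                and (self.states is None or pkt.state in self.states))

TUNNEL, LAN, WAN4 = "he-ipv6", "eth1", "eth0"   # from the ifconfig output
RETURN = frozenset({"ESTABLISHED", "RELATED"})
# The answer's ruleset in the order the -A commands append it.
FORWARD_CHAIN = [
    Rule("ACCEPT", in_iface=TUNNEL, states=RETURN),
    Rule("DROP", in_iface=TUNNEL),
    Rule("ACCEPT", out_iface=TUNNEL),
]
MISORDERED_CHAIN = [FORWARD_CHAIN[1], FORWARD_CHAIN[0], FORWARD_CHAIN[2]]  # DROP first
FORWARD_POLICY = "DROP"   # ip6tables -P FORWARD DROP

def verdict(pkt: Packet, chain=FORWARD_CHAIN, policy=FORWARD_POLICY) -> str:
    """First matching rule decides; the chain policy applies otherwise."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# Constructed traffic cases for a LAN host behind the router.
CASES = {
    "lan_to_internet_new":   Packet(LAN, TUNNEL, "NEW"),
    "internet_reply":        Packet(TUNNEL, LAN, "ESTABLISHED"),
    "icmpv6_error_for_flow": Packet(TUNNEL, LAN, "RELATED"),
    "internet_unsolicited":  Packet(TUNNEL, LAN, "NEW"),
    "lan_to_v4_wan_iface":   Packet(LAN, WAN4, "NEW"),   # falls to policy
}

def classify_all(chain=FORWARD_CHAIN) -> dict:
    return {name: verdict(pkt, chain) for name, pkt in CASES.items()}
```

On the router itself, `ip6tables -L FORWARD -v -n --line-numbers` shows the real chain order and per-rule packet counters for the same kind of check.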