Linux

配置 ufw 或 iptables 以僅允許從內部 IPv6 網路到 Internet 的出站流量

  • April 10, 2013

如何配置 ufw 或 iptables 以僅允許從 IPv6 網路到 Internet 的出站流量?

我有一個使用 IPv4 的傳統 NAT 設置的辦公網路。我想添加一台執行 Ubuntu 的 PC 作為 IPv6 路由器,使用來自 Hurricane Electric 的隧道。

我已經完成了所有設置並正常執行。我的內部電腦正在接收來自 Ubuntu 機器的全域地址,並且能夠 ping ipv6.google.com 並毫無問題地瀏覽 ipv6test.google.com。

我不確定的是,如何配置防火牆以阻止來自 Internet 的未經請求的傳入流量到我的內部網路,但允許到 Internet 的出站流量(以及相關的返回流量)。

ufw 命令或 iptables 規則的實際範例將不勝感激。

root@ipv6router:/home/corey# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:08:a1:10:62:c0  
         inet addr:146.x.y.12  Bcast:146.x.y.15  Mask:255.255.255.240
         inet6 addr: fe80::208:a1ff:fe10:62c0/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:190487 errors:1 dropped:0 overruns:1 frame:1
         TX packets:40982 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:80088076 (80.0 MB)  TX bytes:6825762 (6.8 MB)

eth1      Link encap:Ethernet  HWaddr 00:1b:21:5b:f0:5b  
         inet addr:192.168.76.3  Bcast:192.168.76.255  Mask:255.255.255.0
         inet6 addr: fe80::21b:21ff:fe5b:f05b/64 Scope:Link
         inet6 addr: 2001:x:1f07:z::1/64 Scope:Global
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:90200 errors:0 dropped:0 overruns:0 frame:0
         TX packets:59894 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:12839775 (12.8 MB)  TX bytes:70668474 (70.6 MB)

he-ipv6   Link encap:IPv6-in-IPv4  
         inet6 addr: fe80::9273:130c/128 Scope:Link
         inet6 addr: 2001:x:1f06:z::2/64 Scope:Global
         UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
         RX packets:56991 errors:0 dropped:0 overruns:0 frame:0
         TX packets:34362 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:69388394 (69.3 MB)  TX bytes:4537403 (4.5 MB)

lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:13137 errors:0 dropped:0 overruns:0 frame:0
         TX packets:13137 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:998616 (998.6 KB)  TX bytes:998616 (998.6 KB)

root@ipv6router:/home/corey# route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met  Ref Use If
2001:x:1f06:z::1/128           ::                         U    1024 0     1 he-ipv6
2001:x:1f06:z::/64             ::                         Un   256  0     0 he-ipv6
2001:x:1f07:z::/64             ::                         U    256  0     0 eth1
fe80::/64                      ::                         U    256  0     0 eth1
fe80::/64                      ::                         Un   256  0     0 he-ipv6
fe80::/64                      ::                         U    256  0     0 eth0
::/0                           2001:x:1f06:z::1           UG   1024 0     0 he-ipv6
::/0                           ::                         !n   -1   1 92337 lo
::1/128                        ::                         Un   0    1   412 lo
2001:x:1f06:z::/128            ::                         Un   0    1     0 lo
2001:x:1f06:z::2/128           ::                         Un   0    1   736 lo
2001:x:1f07:z::/128            ::                         Un   0    1     0 lo
2001:x:1f07:z::1/128           ::                         Un   0    1     0 lo
fe80::/128                     ::                         Un   0    1     0 lo
fe80::/128                     ::                         Un   0    1     0 lo
fe80::9273:130c/128            ::                         Un   0    1     0 lo
fe80::208:a1ff:fe10:62c0/128   ::                         Un   0    1     0 lo
fe80::21b:21ff:fe5b:f05b/128   ::                         Un   0    1  4611 lo
ff00::/8                       ::                         U    256  0     0 eth1
ff00::/8                       ::                         U    256  0     0 he-ipv6
ff00::/8                       ::                         U    256  0     0 eth0
::/0                           ::                         !n   -1   1 92337 lo

使用forward鏈添加轉發防火牆規則。

ip6tables -A FORWARD -i he-ipv6 -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept already established connections (return traffic, for instance)
ip6tables -A FORWARD -i he-ipv6 -j DROP # Drop the rest
ip6tables -A FORWARD -o he-ipv6 -j ACCEPT # Accept outbound connections to the ipv6 tunnel
ip6tables -P FORWARD DROP # Set default policy on forward chain

使用此設置,您需要添加更多規則以讓其他介面按您想要的方式路由,但最終會與上述非常相似。

引用自:https://serverfault.com/questions/497725