Ssh
AWS EC2 instance does not accept inbound IPv6 requests
I currently have an Ubuntu 16 EC2 instance set up with IPv6 connectivity. I just want to SSH and run OpenVPN over IPv6. The following works:
- IPv4 SSH and OpenVPN connections
- IPv6 outbound connections, e.g. `ping6` and `curl`
- IPv6 inbound connections, if I connect to the VPN hosted by the server, which is an IPv4 connection

I have checked the security groups, double-checked and completed every step of the AWS IPv6 migration guide, and flushed all ip6tables rules. I have made no progress on solving this.
Here is what happens when I try to SSH from outside the VPN:

```
$ ssh ubuntu@example.com -i "example.key" -6 -v
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to example.com [2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] port 22.
debug1: connect to address 2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx port 22: Resource temporarily unavailable
ssh: connect to host example.com port 22: Resource temporarily unavailable
```
When I connect over IPv4 via OpenVPN and then SSH over IPv6:

```
$ ssh ubuntu@2001:db8:ee00:abcd::1 -i "example.key" -6 -v
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 2001:db8:ee00:abcd::1 [2001:db8:ee00:abcd::1] port 22.
debug1: Connection established.
debug1: identity file example.key type -1
debug1: identity file example.key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA bd:a7:ac:dd:37:98:c0:8f:7a:f6:e7:e8:20:05:36:48
The authenticity of host '2001:db8:ee00:abcd::1 (2001:db8:ee00:abcd::1)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '2001:db8:ee00:abcd::1' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: example.key
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 2001:db8:ee00:abcd::1 ([2001:db8:ee00:abcd::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
setsockopt IPV6_TCLASS 16: Operation not permitted:
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1035-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

6 packages can be updated.
0 updates are security updates.

Last login: Sat Sep 30 04:32:44 2017 from xxx.xxx.xxx.xxx
```
Here is the security group for this instance:
**Edit 1:** Here is a tcpdump. It looks like the server is seeing the packets.

```
17:26:33.761004 IP6 (flowlabel 0x93c4a, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.64941 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0x20be (correct), seq 2537279844, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:26:36.761425 IP6 (flowlabel 0x93c4a, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.64941 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0x20be (correct), seq 2537279844, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:26:42.260168 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
	hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
	  source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
	    0x0000:  02b7 e1e7 e95e
	  prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
	    0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
	    0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:26:42.761137 IP6 (flowlabel 0x93c4a, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.64941 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0x20be (correct), seq 2537279844, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:26:52.260303 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
	hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
	  source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
	    0x0000:  02b7 e1e7 e95e
	  prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
	    0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
	    0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
```
**Edit 2:** Here is the tcpdump after disabling miredo. However, `ping6` now returns the error `connect: Network is unreachable`.

```
17:52:44.291012 IP6 (flowlabel 0xc8b54, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.65166 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0xf081 (correct), seq 4210466052, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:52:47.291056 IP6 (flowlabel 0xc8b54, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.65166 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0xf081 (correct), seq 4210466052, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:52:52.272999 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
	hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
	  source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
	    0x0000:  02b7 e1e7 e95e
	  prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
	    0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
	    0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:52:53.298882 IP6 (flowlabel 0xc8b54, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.65166 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0xf081 (correct), seq 4210466052, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:53:02.273102 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
	hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
	  source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
	    0x0000:  02b7 e1e7 e95e
	  prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
	    0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
	    0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:53:12.273190 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
	hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
	  source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
	    0x0000:  02b7 e1e7 e95e
	  prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
	    0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
	    0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:53:22.273260 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
	hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
	  source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
	    0x0000:  02b7 e1e7 e95e
	  prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
	    0x0000:  4000 ffff ffff ffff ffff ffff 0000 0000 2600
	    0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
```
The problem was due to `/etc/network/interfaces.d/60-default-with-ipv6.cfg`. It was set so that only the owning user could read the file. I fixed it by running:

```
$ sudo chmod go+r /etc/network/interfaces.d/60-default-with-ipv6.cfg
$ sudo ifdown eth0 ; sudo ifup eth0
```

IPv6 now works fully, inbound and outbound. OpenVPN still does not work over IPv6, but that is a separate question.