Ssh

AWS EC2 實例不接受入站 IPV6 請求

  • October 2, 2017

現在我有一個設置了 ipv6 連接的 Ubuntu 16 EC2 實例。我只是想通過 IPV6 進行 SSH 和 OpenVPN。以下工作:

  • ipv4 SSH 和 OpenVPN 連接
  • ipv6 出站連接,例如ping6curl
  • ipv6 入站連接,如果我連接到伺服器託管的 VPN,這是一個 ipv4 連接

我檢查了安全組,仔細檢查並完成了AWS IPV6 遷移指南的每一步,並清除了所有 ip6tables。我在解決這個問題方面沒有取得任何進展。

以下是當我嘗試在 VPN 之外進行 SSH 時發生的情況:

$ ssh ubuntu@example.com -i "example.key" -6 -v
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to example.com [2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] port 22.
debug1: connect to address 2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx port 22: Resource temporarily unavailable
ssh: connect to host example.com port 22: Resource temporarily unavailable

當我在 OpenVPN 上通過 IPV4 連接時,然後通過 IPV6 SSH:

$ ssh ubuntu@2001:db8:ee00:abcd::1 -i "example.key" -6 -v
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 2001:db8:ee00:abcd::1 [2001:db8:ee00:abcd::1] port 22.
debug1: Connection established.
debug1: identity file example.key type -1
debug1: identity file example.key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA bd:a7:ac:dd:37:98:c0:8f:7a:f6:e7:e8:20:05:36:48
The authenticity of host '2001:db8:ee00:abcd::1 (2001:db8:ee00:abcd::1)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '2001:db8:ee00:abcd::1' (ECDSA) to the list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: example.key
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 2001:db8:ee00:abcd::1 ([2001:db8:ee00:abcd::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
setsockopt IPV6_TCLASS 16: Operation not permitted:
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1035-aws x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

 Get cloud support with Ubuntu Advantage Cloud Guest:
   http://www.ubuntu.com/business/services/cloud

6 packages can be updated.
0 updates are security updates.


Last login: Sat Sep 30 04:32:44 2017 from xxx.xxx.xxx.xxx

這是此實例的安全組:

EC2 的安全組

**編輯 1:**這是一個 tcpdump。看來伺服器正在查看數據包。

17:26:33.761004 IP6 (flowlabel 0x93c4a, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.64941 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0x20be (correct), seq 2537279844, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:26:36.761425 IP6 (flowlabel 0x93c4a, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.64941 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0x20be (correct), seq 2537279844, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:26:42.260168 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
   hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
     source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
       0x0000:  02b7 e1e7 e95e
     prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
       0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
       0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:26:42.761137 IP6 (flowlabel 0x93c4a, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.64941 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0x20be (correct), seq 2537279844, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:26:52.260303 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
   hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
     source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
       0x0000:  02b7 e1e7 e95e
     prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
       0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
       0x0010:  1f1c 0c41 b120 0000 0000 0000 0000

**編輯 2:**這是禁用 miredo 後的 tcpdump。但是,ping6現在返回錯誤connect: Network is unreachable

17:52:44.291012 IP6 (flowlabel 0xc8b54, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.65166 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0xf081 (correct), seq 4210466052, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:52:47.291056 IP6 (flowlabel 0xc8b54, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.65166 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0xf081 (correct), seq 4210466052, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:52:52.272999 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
   hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
     source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
       0x0000:  02b7 e1e7 e95e
     prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
       0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
       0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:52:53.298882 IP6 (flowlabel 0xc8b54, hlim 50, next-header TCP (6) payload length: 32) 2601:my:home:ipv6:addr:xxxx:xxxx:xxxx.65166 > 2600:my:server:ipv6:addr:yyyy:yyyy:yyyy.ssh: Flags [S], cksum 0xf081 (correct), seq 4210466052, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
17:53:02.273102 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
   hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
     source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
       0x0000:  02b7 e1e7 e95e
     prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
       0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
       0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:53:12.273190 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
   hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
     source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
       0x0000:  02b7 e1e7 e95e
     prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
       0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
       0x0010:  1f1c 0c41 b120 0000 0000 0000 0000
17:53:22.273260 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::b7:e1ff:fee7:e95e > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 56
   hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
     source link-address option (1), length 8 (1): 02:b7:e1:e7:e9:5e
       0x0000:  02b7 e1e7 e95e
     prefix info option (3), length 32 (4): 2600:my:server:ipv6::/64, Flags [none], valid time infinity, pref. time infinity
       0x0000:  4000 ffff ffff ffff ffff 0000 0000 2600
       0x0010:  1f1c 0c41 b120 0000 0000 0000 0000

問題是由於/etc/network/interfaces.d/60-default-with-ipv6.cfg. 它被設置為只有使用者可以讀取文件。我通過執行以下命令解決了這個問題:

$ sudo chmod go+r /etc/network/interfaces.d/60-default-with-ipv6.cfg
$ sudo ifdown eth0 ; sudo ifup eth0

IPV6 現在完全可以在入站和出站工作。OpenVPN 仍然不適用於 ipv6,但這是另一個問題。

引用自:https://serverfault.com/questions/876243