Configure ufw or iptables to allow only outbound traffic from the internal IPv6 network to the Internet

How do I configure ufw or iptables to allow only outbound traffic from the IPv6 network to the Internet?

I have an office network with a traditional IPv4 NAT setup. I want to add a PC running Ubuntu as an IPv6 router that uses a Hurricane Electric tunnel.

I have everything set up and working. My internal machines are receiving global addresses from the Ubuntu box and can ping ipv6.google.com and browse ipv6test.google.com without any problems.

What I don't know is how to configure a firewall that blocks unsolicited traffic from the Internet to my internal network but allows outbound traffic to the Internet (and the related return traffic).

Actual examples of ufw commands or iptables rules would be greatly appreciated.

    root@ipv6router:/home/corey# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:08:a1:10:62:c0
              inet addr:146.xy12  Bcast:146.xy15  Mask:255.255.255.240
              inet6 addr: fe80::208:a1ff:fe10:62c0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:190487 errors:1 dropped:0 overruns:1 frame:1
              TX packets:40982 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:80088076 (80.0 MB)  TX bytes:6825762 (6.8 MB)

    eth1      Link encap:Ethernet  HWaddr 00:1b:21:5b:f0:5b
              inet addr:192.168.76.3  Bcast:192.168.76.255  Mask:255.255.255.0
              inet6 addr: fe80::21b:21ff:fe5b:f05b/64 Scope:Link
              inet6 addr: 2001:x:1f07:z::1/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:90200 errors:0 dropped:0 overruns:0 frame:0
              TX packets:59894 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:12839775 (12.8 MB)  TX bytes:70668474 (70.6 MB)

    he-ipv6   Link encap:IPv6-in-IPv4
              inet6 addr: fe80::9273:130c/128 Scope:Link
              inet6 addr: 2001:x:1f06:z::2/64 Scope:Global
              UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
              RX packets:56991 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34362 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:69388394 (69.3 MB)  TX bytes:4537403 (4.5 MB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:13137 errors:0 dropped:0 overruns:0 frame:0
              TX packets:13137 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:998616 (998.6 KB)  TX bytes:998616 (998.6 KB)

    root@ipv6router:/home/corey# route -A inet6
    Kernel IPv6 routing table
    Destination                    Next Hop                   Flag Met  Ref Use   If
    2001:x:1f06:z::1/128           ::                         U    1024 0   1     he-ipv6
    2001:x:1f06:z::/64             ::                         Un   256  0   0     he-ipv6
    2001:x:1f07:z::/64             ::                         U    256  0   0     eth1
    fe80::/64                      ::                         U    256  0   0     eth1
    fe80::/64                      ::                         Un   256  0   0     he-ipv6
    fe80::/64                      ::                         U    256  0   0     eth0
    ::/0                           2001:x:1f06:z::1           UG   1024 0   0     he-ipv6
    ::/0                           ::                         !n   -1   1   92337 lo
    ::1/128                        ::                         Un   0    1   412   lo
    2001:x:1f06:z::/128            ::                         Un   0    1   0     lo
    2001:x:1f06:z::2/128           ::                         Un   0    1   736   lo
    2001:x:1f07:z::/128            ::                         Un   0    1   0     lo
    2001:x:1f07:z::1/128           ::                         Un   0    1   0     lo
    fe80::/128                     ::                         Un   0    1   0     lo
    fe80::/128                     ::                         Un   0    1   0     lo
    fe80::9273:130c/128            ::                         Un   0    1   0     lo
    fe80::208:a1ff:fe10:62c0/128   ::                         Un   0    1   0     lo
    fe80::21b:21ff:fe5b:f05b/128   ::                         Un   0    1   4611  lo
    ff00::/8                       ::                         U    256  0   0     eth1
    ff00::/8                       ::                         U    256  0   0     he-ipv6
    ff00::/8                       ::                         U    256  0   0     eth0
    ::/0                           ::                         !n   -1   1   92337 lo

Add forwarding firewall rules using the FORWARD chain.

    # Accept already established connections (return traffic, for instance)
    ip6tables -A FORWARD -i he-ipv6 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Drop the rest
    ip6tables -A FORWARD -i he-ipv6 -j DROP
    # Accept outbound connections to the ipv6 tunnel
    ip6tables -A FORWARD -o he-ipv6 -j ACCEPT
    # Set default policy on forward chain
    ip6tables -P FORWARD DROP

With this setup you will need to add more rules to get your other interfaces routing the way you want, but they will look very similar to the above.
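The following is an added example, not the answerer's ruleset or anything from the question: a complete deny-by-default FORWARD policy for the tunnel router described above, written as a reviewable script. It assumes the interface names from the question's ifconfig output (he-ipv6 is the Hurricane Electric tunnel on the Internet side, eth1 is the LAN side) and uses a placeholder LAN_PREFIX of 2001:db8:1f07::/64 standing in for the real /64 the page shows only as 2001:x:1f07:z::/64. It goes beyond the answer in three ways a practitioner usually needs: it uses the current conntrack match spelling, it lets the ICMPv6 error messages that IPv6 depends on (path-MTU discovery in particular, since the tunnel MTU is 1480) through to the LAN, and it only forwards LAN-originated traffic whose source address actually belongs to the LAN prefix. DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the answerer's code. Builds a stateful, deny-by-default
# IPv6 forwarding policy for a router with a tunnel (WAN) and a LAN interface.
# Assumptions: WAN=he-ipv6 and LAN=eth1 as in the question; LAN_PREFIX is a
# placeholder and must be replaced with the /64 routed onto eth1.
# DRY_RUN=1 prints the ip6tables commands; apply for real with:
#   sudo DRY_RUN=0 sh fw6.sh

WAN="${WAN:-he-ipv6}"
LAN="${LAN:-eth1}"
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1f07::/64}"   # placeholder prefix
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one ip6tables command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ip6tables %s\n' "$*"
    else
        ip6tables "$@"
    fi
}

apply_forward_policy() {
    # Deny by default, then rebuild the chain from scratch so the result does
    # not depend on rules left over from an earlier run.
    run -P FORWARD DROP
    run -F FORWARD

    # 1. Return traffic for connections the LAN opened (the stateful part).
    #    "-m conntrack --ctstate" is the current spelling of "-m state --state".
    run -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. ICMPv6 error messages must reach the LAN or IPv6 breaks in subtle
    #    ways: packet-too-big is what path-MTU discovery relies on, and the
    #    tunnel MTU (1480) is smaller than the LAN MTU (1500).
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        run -A FORWARD -i "$WAN" -o "$LAN" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # 3. Everything else arriving from the Internet is unsolicited: drop it.
    run -A FORWARD -i "$WAN" -j DROP

    # 4. New connections from the LAN toward the tunnel, but only from the
    #    prefix that belongs on the LAN interface (no spoofed sources leave).
    run -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_PREFIX" -j ACCEPT
}

apply_forward_policy
```

The dry-run output is meant to be read top to bottom in rule order: the DROP for traffic entering from he-ipv6 sits before the LAN ACCEPT, so nothing from the tunnel can match the outbound rule. The router's own INPUT chain needs the same treatment (loopback, ESTABLISHED,RELATED, ICMPv6, then drop), since FORWARD only covers traffic passing through. If ufw is preferred, the same rules belong in /etc/ufw/before6.rules with DEFAULT_FORWARD_POLICY set to "DROP" in /etc/default/ufw; ufw does not manage the FORWARD chain from its command line.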