ip6tables port drops and default policies

On CentOS 6, ip6tables has become a real nightmare on this machine.

    ip6tables -P INPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -P FORWARD ACCEPT

    ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
    ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
    ip6tables -A INPUT ! -p ipv6-icmp -j DROP
    ip6tables -A OUTPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
    ip6tables -A OUTPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
    ip6tables -A OUTPUT ! -p ipv6-icmp -j DROP

Or with the top and bottom swapped around; that still doesn't help.

ip6tables either blocks all ports or allows all input/output. I have flushed ip6tables to make sure there are no rules in place before adding these rules.

All this needs to do is allow all traffic and deny a number of ports in/out for tcp/udp.

The ports above are for example purposes only.

Thanks.

Edit: got to a better stage, but it doesn't work with the reverse

    ip6tables -F
    ip6tables -X
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -I FORWARD -j DROP --protocol tcp -m multiport --dports 22,80,443

You did this:

    # Drops all incoming TCP that's not directed to these ports,
    # preventing also answers for locally initiated connections!
    ip6tables -A INPUT -p tcp -m multiport ! --dports 21,22,80,443 -j DROP
    # Drops all incoming UDP that's not directed to these ports,
    # preventing also answers for locally initiated connections!
    ip6tables -A INPUT -p udp -m multiport ! --dports 21,22,80,443 -j DROP
    # Drop everything that's not icmp6, including UDP and TCP traffic
    # that was allowed to pass earlier, making those rules obsolete.
    ip6tables -A INPUT ! -p ipv6-icmp -j DROP

(and the same repeated for OUTPUT)

Normally you ACCEPT everything you want to allow, and then you DROP.

    ip6tables -P INPUT DROP
    ip6tables -A INPUT -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT
    ip6tables -A INPUT -p udp -m multiport --dports 21,22,80,443 -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

I would not filter outbound traffic unless you have a good reason to.
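The whitelist layout from the answer, written as an added example (not code from the question or the answer) in the ip6tables-restore format that CentOS 6 persists in /etc/sysconfig/ip6tables. It assumes two rules the answer does not spell out: accepting loopback and accepting replies to connections this host started, which is what the "!" blacklist rules above were breaking.

```shell
#!/bin/sh
# Emit an ip6tables-restore ruleset in the "ACCEPT what you want, default DROP"
# style. $1 is the comma-separated port list, e.g. "21,22,80,443" (the
# question's example ports). Load with: build_ip6_ruleset "21,22,80,443" | ip6tables-restore
build_ip6_ruleset() {
    ports="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# assumed, not from the answer: loopback and replies to locally started connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery; dropping it breaks IPv6 entirely
-A INPUT -p ipv6-icmp -j ACCEPT
# explicit service whitelist; everything else falls through to the DROP policy
-A INPUT -p tcp -m multiport --dports ${ports} -j ACCEPT
-A INPUT -p udp -m multiport --dports ${ports} -j ACCEPT
COMMIT
EOF
}

# Count the ACCEPT rules in a ruleset, so a generated file can be sanity-checked
# before it is handed to ip6tables-restore.
count_accept_rules() {
    grep -c -- '-j ACCEPT$'
}
```

Lines beginning with `#` are ignored by ip6tables-restore, so the file can be saved as-is.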