I am facing an IPv6 reachability problem with my server.
ping6 and traceroute6 (..., latest) work, the AAAA record exists and resolves correctly, and the ip6tables INPUT chain is configured to allow HTTP requests just like iptables (default policy DROP + a TCP 80 ACCEPT rule):
```
Chain INPUT (policy DROP 648 packets, 46788 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   480 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
```
I have narrowed the problem down: if I set the default policy to ACCEPT, HTTP connections work; otherwise they do not.
So it seems some other port needs to be redirected? OO
Could this be related to some kernel configuration of routing / the IPv6 stack?
Here is the output of sudo ip6tables --line-numbers -nvL:
```
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8169  784K ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
3        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
4        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```
You cannot ignore ICMPv6 the way you can with legacy IP: ICMPv6, and in particular the Neighbor Discovery Protocol (NDP), is essential for IPv6 to work at all. (NDP is, among other things, the replacement for ARP.)
This means you must at least allow ICMPv6 types 133-136 from link-local addresses (i.e. fe80::/10). Furthermore, you must let certain error messages through, e.g. because routers no longer fragment. You also do not want to drop link-local multicast messages.
The full story is told in RFC 4890.
Here is an excerpt from one of my machines, a VM host acting as a router:
```sh
#! /bin/sh
drop ()   { /sbin/ip6tables --jump DROP   --append "$@"; }
accept () { /sbin/ip6tables --jump ACCEPT --append "$@"; }
chain ()  { /sbin/ip6tables --new-chain "$@"; }

ICMP_RATELIMIT="--match limit --limit 2/s"
# ... ($COUNTERMODE, the address range of my own network(s), is set in the part of the script not shown here)

# Validate ingoing ICMPv6 messages
#
chain ICMPv6_IN

# error messages
# allow error messages that are related to previously seen traffic
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type destination-unreachable --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type packet-too-big          --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type ttl-exceeded            --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type parameter-problem       --match conntrack --ctstate ESTABLISHED,RELATED $ICMP_RATELIMIT

# accept neighbor discovery
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-solicitation  $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type neighbor-advertisement $ICMP_RATELIMIT

# accept router discovery
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type router-solicitation  '!' --src ff00::/8  --in-interface cafe0   $ICMP_RATELIMIT
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type router-advertisement     --src fe80::/10 --in-interface wlp3s0 $ICMP_RATELIMIT

# ping
# accept replies to my ping requests
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type echo-reply --match conntrack --ctstate ESTABLISHED,RELATED
# allow ping from my network(s)
accept ICMPv6_IN --src $COUNTERMODE --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT
# allow link-local unicast ping
accept ICMPv6_IN --dst fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT
## allow multicast ping from local link
#accept ICMPv6_IN --dst ff00::/8 --src fe80::/10 --protocol icmpv6 --icmpv6-type echo-request $ICMP_RATELIMIT

# multicast listener discovery v1
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 130 --in-interface cafe0
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 131 --in-interface cafe0
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 132 --in-interface cafe0
# multicast listener discovery v2
accept ICMPv6_IN --protocol icmpv6 --icmpv6-type 143 --in-interface cafe0

# drop everything else
drop ICMPv6_IN
```
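As an added example (not code from the question or the answer), here is a small Python audit that parses `ip6tables -nvL` output like the listing in the question and reports which of the ICMPv6 types named above (error messages 1-4, Router/Neighbor Discovery 133-136) have no accepting rule directly in the INPUT chain. It only looks at rules placed in INPUT itself (a jump to a user chain such as ICMPv6_IN is not followed), it treats a rule limited to RELATED/ESTABLISHED as admitting only the error messages, since unsolicited NDP is not RELATED to any flow, and the two listings embedded in it are constructed: the first mirrors the questioner's chain, the second adds NDP accept rules from fe80::/10.

```python
"""Audit an ip6tables INPUT listing for the ICMPv6 types RFC 4890 says a host
must admit.  Added example; not code from the question or the answer."""
import re

# ICMPv6 types the answer names: error messages 1-4, Router/Neighbor Discovery 133-136.
REQUIRED_TYPES = {
    1: "destination-unreachable", 2: "packet-too-big",
    3: "time-exceeded", 4: "parameter-problem",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
ERROR_TYPES = {1, 2, 3, 4}          # arrive as RELATED to an existing flow; NDP does not
ICMP6_PROTOS = ("ipv6-icmp", "icmpv6", "58")

_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
_TYPE_RE = re.compile(r"ipv6-icmp\s*type\s+(\d+)")      # "ipv6-icmptype 135" or "ipv6-icmp type 135"
_STATE_RE = re.compile(r"\b(?:state|ctstate) ([A-Z,]+)")


def parse_input_chain(listing):
    """Return (policy, rules) for the INPUT chain of `ip6tables -nvL` output."""
    policy, rules, in_input, offset = None, [], False, 0
    for line in listing.splitlines():
        cols = line.split()
        if not cols:
            continue
        m = _CHAIN_RE.match(line)
        if m:                                   # chain header: remember policy of INPUT only
            in_input = m.group(1) == "INPUT"
            if in_input:
                policy = m.group(2)
            continue
        if not in_input:
            continue
        if cols[0] in ("num", "pkts"):          # column header; --line-numbers adds a leading "num"
            offset = 1 if cols[0] == "num" else 0
            continue
        i = offset + 2                          # skip [num,] pkts, bytes
        if len(cols) < i + 6:
            continue                            # not a rule line
        target, prot = cols[i], cols[i + 1]
        i += 2
        if cols[i] == "--":                     # nft-backed ip6tables prints an opt column, legacy leaves it blank
            i += 1
        rest = cols[i:]                         # in, out, source, destination, matches...
        rules.append({"target": target, "prot": prot, "in": rest[0],
                      "src": rest[2], "match": " ".join(rest[4:])})
    return policy, rules


def missing_icmpv6_types(listing):
    """Names of required ICMPv6 types that no rule directly in INPUT accepts."""
    policy, rules = parse_input_chain(listing)
    if policy == "ACCEPT":                      # the questioner's workaround: everything gets in anyway
        return []
    admitted = set()
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        if r["prot"] in ICMP6_PROTOS:
            m = _TYPE_RE.search(r["match"])     # no type match means every ICMPv6 type
            types = {int(m.group(1))} if m else set(REQUIRED_TYPES)
        elif r["prot"] == "all" and r["in"] == "*":
            types = set(REQUIRED_TYPES)         # blanket accept on every interface
        else:
            continue
        state = _STATE_RE.search(r["match"])
        if state and "NEW" not in state.group(1):
            types &= ERROR_TYPES                # conntrack-limited: errors yes, unsolicited NDP no
        admitted |= types
    return [REQUIRED_TYPES[t] for t in sorted(REQUIRED_TYPES) if t not in admitted]


# Constructed sample listings (not real captures): the questioner's chain, and the
# same chain with the four NDP types accepted from link-local addresses.
BROKEN_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8169  784K ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
3        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
4        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""
NDP_RULES = "".join(
    f"{n:<5}    0     0 ACCEPT     ipv6-icmp  *      *       fe80::/10            ::/0                 ipv6-icmptype {t}\n"
    for n, t in enumerate((133, 134, 135, 136), start=5)
)
FIXED_LISTING = BROKEN_LISTING.replace("\nChain FORWARD", NDP_RULES + "\nChain FORWARD", 1)

if __name__ == "__main__":
    for name, listing in (("questioner's chain", BROKEN_LISTING), ("with NDP rules", FIXED_LISTING)):
        print(f"{name}: missing {missing_icmpv6_types(listing) or 'nothing'}")
```

Run against the questioner's chain it reports all four NDP types as missing while the error messages are already covered by the RELATED,ESTABLISHED rule, which matches the symptom in the question: TCP rules alone cannot help when the host never gets to answer a Neighbor Solicitation.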