CentOS / RHEL IPv6 ip6tables Firewall Configuration
I know how to configure a host-based iptables (IPv4) firewall using Netfilter. How do I configure ip6tables for basic IPv6 packet filtering?
Ip6tables is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel. The following configuration was tested on:
- CentOS Linux 5.x
- Red Hat Enterprise Linux 5.x
- Fedora Linux 10 and 11
Type the following command to view the current IPv6 firewall configuration:
# ip6tables -nL --line-numbers
If no rules appear, activate the IPv6 firewall and make sure it starts at boot by typing:
# chkconfig ip6tables on
/etc/sysconfig/ip6tables
Edit /etc/sysconfig/ip6tables, enter:
# vi /etc/sysconfig/ip6tables
You will see the following default rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
To open port 80 (HTTP server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
To open port 53 (DNS server), add the following before the COMMIT line (DNS needs both TCP and UDP, and the match module must agree with the protocol, so the UDP rule uses -m udp -p udp):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
To open port 443 (HTTPS server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
To open port 25 (SMTP server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
To log before dropping every packet that was not explicitly accepted by an earlier rule, change the last lines from:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
to:
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
Save and close the file. Restart the ip6tables firewall and list the active rules:
# service ip6tables restart
# ip6tables -vnL --line-numbers
Sample output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source               destination
1    42237 3243K RH-Firewall-1-INPUT  all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source               destination
1        0     0 RH-Firewall-1-INPUT  all      *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 12557 packets, 2042K bytes)
num   pkts bytes target               prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target               prot opt in     out     source               destination
1        6   656 ACCEPT               all      lo     *       ::/0                 ::/0
2    37519 2730K ACCEPT               icmpv6   *      *       ::/0                 ::/0
3        0     0 ACCEPT               esp      *      *       ::/0                 ::/0
4        0     0 ACCEPT               ah       *      *       ::/0                 ::/0
5      413 48385 ACCEPT               udp      *      *       ::/0                 ff02::fb/128         udp dpt:5353
6        0     0 ACCEPT               udp      *      *       ::/0                 ::/0                 udp dpt:631
7        0     0 ACCEPT               tcp      *      *       ::/0                 ::/0                 tcp dpt:631
8      173 79521 ACCEPT               udp      *      *       ::/0                 ::/0                 udp dpts:32768:61000
9        0     0 ACCEPT               tcp      *      *       ::/0                 ::/0                 tcp dpts:32768:61000 flags:!0x16/0x02
10       0     0 ACCEPT               tcp      *      *       ::/0                 ::/0                 tcp dpt:22
11       0     0 ACCEPT               tcp      *      *       ::/0                 ::/0                 tcp dpt:80
12       0     0 ACCEPT               tcp      *      *       ::/0                 ::/0                 tcp dpt:53
13    4108  380K ACCEPT               udp      *      *       ::/0                 ::/0                 udp dpt:53
14      18  4196 REJECT               all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited
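The edits above are easy to get subtly wrong by hand: an ACCEPT pasted after the REJECT/LOG line is never reached, a rule pasted after COMMIT is not part of the table, and a "-m udp" match combined with "-p tcp" can never match. The following POSIX shell script is an added example, not code from the original article or from Red Hat: gen_ip6tables_rules writes a complete /etc/sysconfig/ip6tables in the RH-Firewall-1-INPUT layout shown above for a chosen set of TCP and UDP ports, and check_ip6tables_rules statically verifies a ruleset file for those three mistakes before it is handed to the init script. Both function names, the argument conventions and the demo port list are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate and sanity-check an /etc/sysconfig/ip6tables ruleset
# in the RH-Firewall-1-INPUT layout from the article. Not the article's own code.

# Emit a ruleset to stdout.
#   $1 = space-separated TCP ports to accept (e.g. "22 80 443 25")
#   $2 = space-separated UDP ports to accept (e.g. "53")
#   $3 = "log" for the LOG + DROP tail, anything else for the default REJECT tail
gen_ip6tables_rules() {
    tcp_ports=$1
    udp_ports=$2
    tail_mode=$3
    # Fixed part of the stock CentOS/RHEL 5 ruleset (port 22 is left to $1)
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
EOF
    # Per-service ACCEPT rules go before the catch-all tail, i.e. before COMMIT
    for p in $tcp_ports; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -m tcp -p tcp --dport $p -j ACCEPT"
    done
    for p in $udp_ports; do
        # the match module must agree with the protocol: -m udp with -p udp
        printf '%s\n' "-A RH-Firewall-1-INPUT -m udp -p udp --dport $p -j ACCEPT"
    done
    if [ "$tail_mode" = log ]; then
        printf '%s\n' "-A RH-Firewall-1-INPUT -j LOG" "-A RH-Firewall-1-INPUT -j DROP"
    else
        printf '%s\n' "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited"
    fi
    echo COMMIT
}

# Static checks on a ruleset file ($1). Findings go to stderr.
# Returns 0 when the file passes, 1 when any check fails.
check_ip6tables_rules() {
    awk '
        # COMMIT closes the *filter table; rules written after it never land in it
        /^COMMIT$/ { commits++; next }
        commits > 0 && $0 != "" { printf "line %d: text after COMMIT\n", NR; bad++; next }
        /^-A RH-Firewall-1-INPUT / {
            if ($0 ~ /-j (REJECT|DROP|LOG)( |$)/) {
                if (!term) term = NR          # first rule of the catch-all tail
            } else if (term) {
                printf "line %d: unreachable, placed after the catch-all rule on line %d\n", NR, term
                bad++
            }
            if (($0 ~ /-m udp/ && $0 ~ /-p tcp/) || ($0 ~ /-m tcp/ && $0 ~ /-p udp/)) {
                printf "line %d: -m/-p protocol mismatch, rule can never match\n", NR
                bad++
            }
        }
        END {
            if (commits != 1) { printf "expected exactly one COMMIT, found %d\n", commits; bad++ }
            exit bad > 0
        }' "$1" >&2
}

# Demo: build the ruleset the article ends up with, check it, print it.
# Redirect the output to /etc/sysconfig/ip6tables and run
# "service ip6tables restart" only once the check passes.
demo() {
    tmp=$(mktemp) || return 1
    gen_ip6tables_rules "22 80 443 25" "53" log > "$tmp"
    if check_ip6tables_rules "$tmp"; then
        cat "$tmp"
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

Run it as "sh ip6tables-gen.sh --demo" (file name assumed) to see the generated file; run check_ip6tables_rules against a hand-edited /etc/sysconfig/ip6tables to catch a rule that was pasted below the REJECT line or below COMMIT. The checker only reads the file; it never loads rules, so it is safe to run on a live host. Note that the article's LOG rule logs every dropped packet without a rate limit, which the checker does not flag; on an exposed host that volume is worth watching.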