Configuring the IPv6 ip6tables firewall on CentOS/RHEL
Date: 2020-01-09 10:43:11 Source: igfitidea
I know how to configure an iptables (IPv4) host-based firewall using Netfilter.
How do I configure ip6tables for basic IPv6 packet filtering?
ip6tables is used to set up, maintain, and inspect the tables of IPv6 packet filter rules in the Linux kernel.
The following configuration was tested on:
- CentOS Linux 5.x
- Red Hat Enterprise Linux 5.x
- Fedora Linux 10 and 11.
Run the following command to view the current IPv6 firewall configuration:
# ip6tables -nL --line-numbers
If no rules are shown, run the following command to activate the IPv6 firewall and make sure it starts at boot:
# chkconfig ip6tables on
/etc/sysconfig/ip6tables
To edit /etc/sysconfig/ip6tables, run:
# vi /etc/sysconfig/ip6tables
You will see the default rules, which look like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
To open port 80 (HTTP server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
To open port 53 (DNS server), add the following before the COMMIT line (DNS needs both TCP and UDP, and the match module must agree with the protocol, so the second rule uses -p udp):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
To open port 443 (HTTPS server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
To open port 25 (SMTP server), add the following before the COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
To log every packet that the preceding rules did not explicitly accept before dropping it, change the last lines from:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
to:
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
Save and close the file.
Restart the ip6tables firewall and list the loaded rules with counters:
# service ip6tables restart
# ip6tables -vnL --line-numbers
Sample output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source     destination
1    42237 3243K RH-Firewall-1-INPUT  all      *      *       ::/0       ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source     destination
1        0     0 RH-Firewall-1-INPUT  all      *      *       ::/0       ::/0

Chain OUTPUT (policy ACCEPT 12557 packets, 2042K bytes)
num   pkts bytes target               prot opt in     out     source     destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot   opt in     out     source     destination
1        6   656 ACCEPT     all        lo     *       ::/0       ::/0
2    37519 2730K ACCEPT     icmpv6     *      *       ::/0       ::/0
3        0     0 ACCEPT     esp        *      *       ::/0       ::/0
4        0     0 ACCEPT     ah         *      *       ::/0       ::/0
5      413 48385 ACCEPT     udp        *      *       ::/0       ff02::fb/128   udp dpt:5353
6        0     0 ACCEPT     udp        *      *       ::/0       ::/0           udp dpt:631
7        0     0 ACCEPT     tcp        *      *       ::/0       ::/0           tcp dpt:631
8      173 79521 ACCEPT     udp        *      *       ::/0       ::/0           udp dpts:32768:61000
9        0     0 ACCEPT     tcp        *      *       ::/0       ::/0           tcp dpts:32768:61000 flags:!0x16/0x02
10       0     0 ACCEPT     tcp        *      *       ::/0       ::/0           tcp dpt:22
11       0     0 ACCEPT     tcp        *      *       ::/0       ::/0           tcp dpt:80
12       0     0 ACCEPT     tcp        *      *       ::/0       ::/0           tcp dpt:53
13    4108  380K ACCEPT     udp        *      *       ::/0       ::/0           udp dpt:53
14      18  4196 REJECT     all        *      *       ::/0       ::/0           reject-with icmp6-adm-prohibited
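Because /etc/sysconfig/ip6tables is edited by hand, a rule with a module/protocol typo such as -m udp -p tcp, a rule pasted below COMMIT, or a chain that lost its catch-all REJECT/DROP only shows up after the restart. The following script is an added example, not part of the original page: the function names lint_ip6tables and write_sample are hypothetical, the sample file is constructed here to resemble the page's file, and it needs only awk, grep and sed (no root).

```shell
#!/bin/sh
# Added example (not from the page): lint an /etc/sysconfig/ip6tables file before
# "service ip6tables restart". Finds an "-m udp -p tcp" module/protocol mismatch,
# rules placed after COMMIT (ignored on load) and a chain that does not end in a
# REJECT/DROP catch-all. Function names are hypothetical; needs only awk/grep/sed.

# lint_ip6tables FILE -> returns 0 if the file is consistent, 1 otherwise; findings on stdout.
lint_ip6tables() {
    rc=0
    # 1. The match module (-m tcp/udp) must agree with the protocol (-p), in any order.
    awk '/^-A/ { m = ""; p = ""
                 for (i = 1; i <= NF; i++) { if ($i == "-m") m = $(i+1); if ($i == "-p") p = $(i+1) }
                 if ((m == "tcp" || m == "udp") && p != "" && m != p) {
                     print "FAIL line " NR ": -m " m " does not match -p " p; bad = 1 } }
         END { exit bad }' "$1" || rc=1
    # 2. ip6tables-restore stops applying the table at COMMIT; later rules are lost.
    awk '/^COMMIT/ { seen = 1; next }
         seen && /^-A/ { print "FAIL line " NR ": rule after COMMIT is ignored: " $0; bad = 1 }
         END { exit bad }' "$1" || rc=1
    # 3. The last rule before COMMIT should deny whatever was not accepted above it.
    awk '/^-A/ { last = $0 } /^COMMIT/ { exit }
         END { if (last !~ /-j (REJECT|DROP)/) {
                   print "FAIL: last rule is not a REJECT/DROP catch-all: " last; exit 1 } }' "$1" || rc=1
    # 4. A LOG rule without "-m limit" can flood syslog; report it but do not fail.
    grep -E -- '-j LOG' "$1" | grep -vE -- '-m limit' | sed 's/^/WARN: no -m limit on: /'
    return $rc
}

# Constructed sample in the page's file format: it carries the -m/-p typo from the
# DNS rule and one rule accidentally pasted after COMMIT, so checks 1, 2 and 4 fire.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
EOF
}
```

Run it as `write_sample /tmp/ip6tables.sample && lint_ip6tables /tmp/ip6tables.sample`; fixing the DNS rule to -p udp and moving the port 80 rule above COMMIT makes it pass with only the LOG warning left.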