netfilter6 firewalling is only supported on kernel 2.4 and later. With the older 2.2 kernel you can only filter IPv6-in-IPv4 by IPv4 protocol number 41.
Warning: configuring your system exactly as in the examples does not really protect your operating system.
Download the latest kernel:
http://www.kernel.org/
Download the latest iptables:
Tarball:
http://www.netfilter.org/
Source RPM for rebuild of binary (for RedHat systems):
ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/
Unpack the kernel sources and rename the directory
# tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6
Unpack the iptables sources
# tar z|jxf iptables-version.tar.gz|bz2
Apply pending patches
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Apply additional IPv6 related patches (not yet included in the vanilla kernel)
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Answer yes to the following menu entries:
Check the IPv6 extensions:
# make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
Change to the kernel source directory:
# cd /path/to/src/linux-version-iptables-version/
Edit the Makefile:
- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try
Run configure and enable the IPv6 related options:
Code maturity level options
Prompt for development and/or incomplete code/drivers : yes
Networking options
Network packet filtering: yes
The IPv6 protocol: module
IPv6: Netfilter Configuration
IP6 tables support: module
All new options, as follows:
limit match support: module
MAC address match support: module
Multiple port match support: module
Owner match support: module
netfilter MARK match support: module
Aggregated address check: module
Packet filtering: module
REJECT target support: module
LOG target support: module
Packet mangling: module
MARK target support: module
Make the corresponding changes to the rest of the system.
Make sure your kernel sources are located at /usr/src/linux/:
Rename older directory
# mv /usr/src/linux /usr/src/linux.old
Create a new softlink
# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux
Rebuild SRPMS
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
Install the new iptables packages (iptables + iptables-ipv6):
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
# ln -s /lib/iptables/ /usr/lib/iptables
Load the module:
# modprobe ip6_tables
Check:
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support 'ip6tables' firewalling (IPv6)!"
16.3.2.1. List all IPv6 netfilter entries
Short
# ip6tables -L
Extended
# ip6tables -n -v --line-numbers -L
List a specified chain (here INPUT):
# ip6tables -n -v --line-numbers -L INPUT
Add a logging rule:
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" --log-level 7
Add a rule that drops incoming packets:
# ip6tables --table filter --append INPUT -j DROP
Delete a rule (here rule number 1 of INPUT):
# ip6tables --table filter --delete INPUT 1
Allow ICMPv6:
With older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no ICMPv6 type can be specified:
Allow incoming ICMPv6 through tunnels
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
Allow outgoing ICMPv6 through tunnels
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
Newer kernels allow specifying ICMPv6 types:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
Rate-limiting
Because it can happen (the author has already seen it twice) that an ICMPv6 storm rises up, you should use the available rate limiting at least for the ICMPv6 ruleset. In addition, logging rules should also be rate limited, to prevent DoS attacks against syslog and against the storage of the log file partition. An example of a rate-limited ICMPv6 rule looks like:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
Allow incoming SSH
Here an example is shown of a ruleset which allows incoming SSH connections from a specified IPv6 address:
Allow incoming SSH from 3ffe:ffff:100::1/128
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT
Allow response packets (at the moment IPv6 connection tracking is not implemented in mainstream netfilter6)
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535 --sport 22 ! --syn -j ACCEPT
Allow tunneled IPv6-in-IPv4
To accept tunneled IPv6-in-IPv4 packets, the IPv4 firewall setup has to accept such packets, for example:
Allow incoming IPv6-in-IPv4 on interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
Allow outgoing IPv6-in-IPv4 on interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
If you have only a static tunnel, you can specify the IPv4 addresses, too, like:
Allow incoming IPv6-in-IPv4 from endpoint 1.2.3.4 on interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT
Allow outgoing IPv6-in-IPv4 to endpoint 1.2.3.4 on interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
16.3.2.10. Protection against incoming TCP connection requests
Strongly recommended! For security reasons you should insert a rule which blocks incoming TCP connection requests. Adapt the "-i" option if other interface names are in use!
Block incoming TCP connection requests
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
Block incoming TCP connection requests to hosts behind this router
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
Perhaps these rules have to be placed below other rules, but that is something you have to think about yourself. The best way is to create a script containing all the rules and execute it.
16.3.2.11. Block incoming UDP connection requests
Strongly recommended! As mentioned in my firewall information, it is possible to control the ports used by outgoing UDP/TCP sessions. So if your local IPv6 systems use local ports, e.g. from 32768 to 60999, you can also filter UDP connection requests like this (until connection tracking works):
Block incoming UDP packets which cannot be responses to outgoing requests of the local system
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
Block incoming UDP packets on the router which cannot be responses to requests of hosts behind the router
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
The following example is a classic one, generated by a happy netfilter6 ruleset:
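As an added example (not part of the HOWTO), the rules from the ICMPv6, SSH, TCP and UDP sections above assembled into the kind of script the text recommends. Assumed values: external interface sit+, admin host 3ffe:ffff:100::1/128 (from the SSH example), local port range 32768:60999; the DRY_RUN switch and the rule helper are this example's own, not part of ip6tables.

```shell
#!/bin/sh
# Added example: the ip6tables rules from the sections above assembled into
# one script. Assumed values: external interface sit+, admin host
# 3ffe:ffff:100::1, local ephemeral ports 32768-60999. DRY_RUN is set by
# default so the script only prints; run as root with DRY_RUN= to load rules.
IP6T=${IP6T:-ip6tables}
DRY_RUN=${DRY_RUN-1}
EXT_IF=${EXT_IF:-sit+}
ADMIN_HOST=${ADMIN_HOST:-3ffe:ffff:100::1/128}
LOCAL_PORTS=${LOCAL_PORTS:-32768:60999}
# Print one ip6tables invocation in dry-run mode, otherwise execute it.
rule() {
    if [ -n "$DRY_RUN" ]; then echo "$IP6T $*"; else "$IP6T" "$@"; fi
}
build_rules() {
    # Empty filter chains with default DROP policy; loopback is allowed.
    for chain in INPUT FORWARD OUTPUT; do
        rule -F "$chain"
        rule -P "$chain" DROP
    done
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Echo requests are rate limited. The DROP right after the limited ACCEPT
    # matters: without it, excess requests fall through to the general ICMPv6
    # ACCEPT below, which is kept for neighbour discovery and error messages.
    rule -A INPUT -i "$EXT_IF" -p icmpv6 --icmpv6-type echo-request \
        -m limit --limit 30/minute -j ACCEPT
    rule -A INPUT -i "$EXT_IF" -p icmpv6 --icmpv6-type echo-request -j DROP
    rule -A INPUT -i "$EXT_IF" -p icmpv6 -j ACCEPT
    rule -A OUTPUT -o "$EXT_IF" -p icmpv6 -j ACCEPT
    # SSH from the admin host; without IPv6 connection tracking the reply
    # direction is matched statically (port 22 to a high port, no SYN).
    rule -A INPUT -i "$EXT_IF" -p tcp -s "$ADMIN_HOST" \
        --sport 512:65535 --dport 22 -j ACCEPT
    rule -A OUTPUT -o "$EXT_IF" -p tcp -d "$ADMIN_HOST" \
        --sport 22 --dport 512:65535 ! --syn -j ACCEPT
    # All other incoming connection requests and any UDP that cannot be a
    # reply to a locally originated session are dropped.
    rule -A INPUT -i "$EXT_IF" -p tcp --syn -j DROP
    rule -A INPUT -i "$EXT_IF" -p udp ! --dport "$LOCAL_PORTS" -j DROP
    # Log what falls through, rate limited so syslog cannot be flooded.
    for chain in INPUT FORWARD OUTPUT; do
        rule -A "$chain" -m limit --limit 5/minute -j LOG \
            --log-prefix "$chain-default:" --log-level 7
        rule -A "$chain" -j DROP
    done
}
build_rules
```

Inspect the printed commands first; only then run the script with DRY_RUN= as root, ideally from a console rather than over the SSH session it is about to filter.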
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 extIN      all        sit+   *       ::/0                 ::/0
    4   384 intIN      all        eth0   *       ::/0                 ::/0
    0     0 ACCEPT     all        *      *       ::1/128              ::1/128
    0     0 ACCEPT     all        lo     *       ::/0                 ::/0
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `INPUT-default:'
    0     0 DROP       all        *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 int2ext    all        eth0   sit+    ::/0                 ::/0
    0     0 ext2int    all        sit+   eth0    ::/0                 ::/0
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `FORWARD-default:'
    0     0 DROP       all        *      *       ::/0                 ::/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 extOUT     all        *      sit+    ::/0                 ::/0
    4   384 intOUT     all        *      eth0    ::/0                 ::/0
    0     0 ACCEPT     all        *      *       ::1/128              ::1/128
    0     0 ACCEPT     all        *      lo      ::/0                 ::/0
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `OUTPUT-default:'
    0     0 DROP       all        *      *       ::/0                 ::/0

Chain ext2int (1 references)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 ACCEPT     icmpv6     *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp        *      *       ::/0                 ::/0                 tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `ext2int-default:'
    0     0 DROP       tcp        *      *       ::/0                 ::/0
    0     0 DROP       udp        *      *       ::/0                 ::/0
    0     0 DROP       all        *      *       ::/0                 ::/0

Chain extIN (1 references)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 ACCEPT     tcp        *      *       3ffe:400:100::1/128  ::/0                 tcp spts:512:65535 dpt:22
    0     0 ACCEPT     tcp        *      *       3ffe:400:100::2/128  ::/0                 tcp spts:512:65535 dpt:22
    0     0 ACCEPT     icmpv6     *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp        *      *       ::/0                 ::/0                 tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 ACCEPT     udp        *      *       ::/0                 ::/0                 udp spts:1:65535 dpts:1024:65535
    0     0 LOG        all        *      *       ::/0                 ::/0                 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
    0     0 DROP       all        *      *       ::/0                 ::/0

Chain extOUT (1 references)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 ACCEPT     tcp        *      *       ::/0                 3ffe:ffff:100::1/128 tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     tcp        *      *       ::/0                 3ffe:ffff:100::2/128 tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     icmpv6     *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp        *      *       ::/0                 ::/0                 tcp spts:1024:65535 dpts:1:65535
    0     0 ACCEPT     udp        *      *       ::/0                 ::/0                 udp spts:1024:65535 dpts:1:65535
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `extOUT-default:'
    0     0 DROP       all        *      *       ::/0                 ::/0

Chain int2ext (1 references)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 ACCEPT     icmpv6     *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp        *      *       ::/0                 ::/0                 tcp spts:1024:65535 dpts:1:65535
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `int2ext:'
    0     0 DROP       all        *      *       ::/0                 ::/0
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `int2ext-default:'
    0     0 DROP       tcp        *      *       ::/0                 ::/0
    0     0 DROP       udp        *      *       ::/0                 ::/0
    0     0 DROP       all        *      *       ::/0                 ::/0

Chain intIN (1 references)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 ACCEPT     all        *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all        *      *       ::/0                 ff02::/16

Chain intOUT (1 references)
 pkts bytes target     prot   opt in     out     source               destination
    0     0 ACCEPT     all        *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all        *      *       ::/0                 ff02::/16
    0     0 LOG        all        *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `intOUT-default:'
    0     0 DROP       all        *      *       ::/0                 ::/0
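As an added example (not part of the HOWTO), a small audit over a listing of the kind shown above: it flags LOG rules that carry no limit match, which the rate-limiting advice earlier asks for, and chains that neither end in DROP nor have a DROP policy. The audit_listing and audit_sample functions and the sample listing are this example's own; the sample is constructed, not the listing above.

```shell
#!/bin/sh
# Added example: audits the output of "ip6tables -n -v -L" for two of the
# points made above: every LOG rule should carry a limit match, and every
# chain should end in DROP (or have a DROP policy) so nothing falls through.
# Reads the listing on stdin and prints one finding per line.
audit_listing() {
    awk '
        # Report a chain once all its rules have been seen.
        function finish() {
            if (chain == "") return
            if (last != "DROP" && last != "REJECT" && policy != "DROP")
                printf "%s: no terminal DROP (policy %s, last target %s)\n",
                       chain, policy, last
        }
        /^Chain / {
            finish()
            chain = $2; policy = "-"; last = "-"
            if (match($0, /policy [A-Z]+/))
                policy = substr($0, RSTART + 7, RLENGTH - 7)
            next
        }
        # Skip the column header and blank lines.
        /^ *pkts +bytes/ || NF == 0 { next }
        # Column 3 is the target; the match details follow the addresses.
        { last = $3 }
        $3 == "LOG" && $0 !~ /limit:/ {
            printf "%s: LOG rule without limit match\n", chain
        }
        END { finish() }
    '
}
# Constructed sample listing (not the HOWTO output) for a stand-alone run.
audit_sample() {
    audit_listing <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6  *      *       ::/0                 ::/0
    0     0 LOG        all    *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `INPUT-default:'
    0     0 DROP       all    *      *       ::/0                 ::/0
Chain extIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp    *      *       3ffe:ffff:100::1/128 ::/0                 tcp dpt:22
    0     0 LOG        all    *      *       ::/0                 ::/0                 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
EOF
}
audit_sample
```

On a live system run "ip6tables -n -v -L | audit_listing" as root; an empty result means both checks passed for every chain.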