The netfilter6 firewall is only supported by kernels 2.4 and later. With the earlier 2.2 kernels you can only filter IPv6-in-IPv4 by protocol number 41.
Warning: setting things up exactly as in the examples does not really protect your operating system.
Download the latest kernel:
http://www.kernel.org/
Download the latest iptables:
Tarball:
http://www.netfilter.org/
Source RPM for rebuild of binary (for RedHat systems):
ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/
Unpack the kernel sources and rename the directory
# tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6
Unpack the iptables sources
# tar z|jxf iptables-version.tar.gz|bz2
Apply pending patches
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Apply additional IPv6 related patches (still not included in the vanilla kernel)
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Answer yes in the menu that follows:
Check the IPv6 extensions:
# make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
Change into the kernel source directory:
# cd /path/to/src/linux-version-iptables-version/
Change the Makefile
- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try
Run configure and enable the IPv6 related options:
Code maturity level options
Prompt for development and/or incomplete code/drivers : yes
Networking options
Network packet filtering: yes
The IPv6 protocol: module
IPv6: Netfilter Configuration
IP6 tables support: module
All the new options, like the following:
limit match support: module
MAC address match support: module
Multiple port match support: module
Owner match support: module
netfilter MARK match support: module
Aggregated address check: module
Packet filtering: module
REJECT target support: module
LOG target support: module
Packet mangling: module
MARK target support: module
Make the corresponding changes in the other parts of the configuration.
Make sure your kernel sources are located at: /usr/src/linux/
Rename older directory
# mv /usr/src/linux /usr/src/linux.old
Create a new softlink
# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux
Rebuild SRPMS
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
Install the new iptables packages (iptables + iptables-ipv6)
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
# ln -s /lib/iptables/ /usr/lib/iptables
Load the module:
# modprobe ip6_tables
Check:
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support 'ip6tables' firewalling (IPv6)!"
16.3.2.1. List all IPv6 netfilter entries
Short
# ip6tables -L
Extended
# ip6tables -n -v --line-numbers -L
List specified filter
# ip6tables -n -v --line-numbers -L INPUT
Add a logging rule:
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" --log-level 7
Add an incoming drop rule:
# ip6tables --table filter --append INPUT -j DROP
Delete a rule:
# ip6tables --table filter --delete INPUT 1
Allow ICMPv6:
With older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no ICMPv6 type can be specified:
Allow incoming ICMPv6 through tunnels
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
Allow outgoing ICMPv6 through tunnels
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
Newer kernels allow specifying of ICMPv6 types:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
Rate-limiting
Because it can happen (the author has already seen it two times) that an ICMPv6 storm rises up, you should use the available rate limiting for at least the ICMPv6 ruleset. In addition, logging rules should also get rate limiting, to prevent DoS attacks against syslog and against the storage of the log file partition. An example of a rate-limited ICMPv6 rule looks like:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
Allow incoming SSH
Here an example is shown of a ruleset which allows incoming SSH connections from a specified IPv6 address
Allow incoming SSH from 3ffe:ffff:100::1/128
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT
Allow response packets (at the moment IPv6 connection tracking is not implemented in mainstream netfilter6)
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535 --sport 22 ! --syn -j ACCEPT
Allow tunneled IPv6-in-IPv4
To accept tunneled IPv6-in-IPv4 packets, the IPv4 firewall setup needs corresponding rules for such packets, for example
Allow incoming IPv6-in-IPv4 on interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
Allow outgoing IPv6-in-IPv4 on interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
If you have only a static tunnel, you can specify the IPv4 addresses, too, like
Allow incoming IPv6-in-IPv4 from endpoint 1.2.3.4 on interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT
Allow outgoing IPv6-in-IPv4 to endpoint 1.2.3.4 on interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
16.3.2.10. Protection against incoming TCP connection requests
Strongly recommended! For security reasons you should add a rule which blocks incoming TCP connection requests. Adapt the "-i" option if other interface names are in use!
Block incoming TCP connection requests
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
Block incoming TCP connection requests to hosts behind the router
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
Perhaps these rules already exist elsewhere, but that is only an assumption on your part; it is best to create a script containing all the rules and run it.
16.3.2.11. Block incoming UDP connection requests
Strongly recommended! As mentioned in my firewall information, the ports of outgoing UDP/TCP sessions can be controlled. So if your local IPv6 systems use local ports, e.g. from 32768 to 60999, you can also filter UDP connection requests like this (until connection tracking works):
Block incoming UDP packets that cannot be responses to outgoing requests
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
On the router: block incoming UDP packets from being forwarded to hosts behind the router
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
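The rules of the sections above assembled into one script, as the text recommends; this is an added example, not part of the HOWTO. It assumes sit+ as the external interface, the local port range 32768:60999 from the text, and the text's 3ffe:ffff:100::1/128 as a placeholder SSH peer; with DRY_RUN=1 it only prints the commands, so the rule order can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the HOWTO): the stateless ruleset described
# above as one script, so that rules are installed in a known order.
# Assumptions: external IPv6 arrives over sit+ tunnels, the local ephemeral
# port range is 32768:60999 (as in the text) and the SSH peer address is a
# placeholder taken from the text. With DRY_RUN=1 the commands are printed
# instead of executed, so the ruleset can be reviewed without root.

IP6T="${IP6T:-ip6tables}"
EXT_IF="${EXT_IF:-sit+}"
SSH_PEER="${SSH_PEER:-3ffe:ffff:100::1/128}"
LOCAL_PORTS="${LOCAL_PORTS:-32768:60999}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$IP6T $*"
    else
        "$IP6T" "$@"
    fi
}

build_ruleset() {
    # Start from an empty filter table with default-deny policies.
    run -F
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # ICMPv6 with rate limiting, so an ICMPv6 storm is throttled, not passed.
    run -A INPUT -i "$EXT_IF" -p icmpv6 -m limit --limit 30/minute -j ACCEPT
    run -A OUTPUT -o "$EXT_IF" -p icmpv6 -j ACCEPT
    # SSH from one peer plus its replies; without IPv6 connection tracking
    # the reply rule must be written by hand (no SYN, ports swapped).
    run -A INPUT -i "$EXT_IF" -p tcp -s "$SSH_PEER" --sport 512:65535 --dport 22 -j ACCEPT
    run -A OUTPUT -o "$EXT_IF" -p tcp -d "$SSH_PEER" --dport 512:65535 --sport 22 ! --syn -j ACCEPT
    # Order matters: these blocks come after the SSH accept rule.
    run -A INPUT -i "$EXT_IF" -p tcp --syn -j DROP
    run -A INPUT -i "$EXT_IF" -p udp ! --dport "$LOCAL_PORTS" -j DROP
    # Log the rest with a limit so syslog cannot be flooded, then drop.
    run -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-default:" --log-level 7
    run -A INPUT -j DROP
}

case "${1:-}" in
    apply) build_ruleset ;;           # install the rules (needs root)
    show)  DRY_RUN=1 build_ruleset ;; # print the commands only
esac
```

Run it as `sh ruleset.sh show` to review the generated commands and as `sh ruleset.sh apply` to install them.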
The following example is a typical one, generated by a Happy netfilter6 ruleset:
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 extIN      all      sit+   *       ::/0                 ::/0
    4   384 intIN      all      eth0   *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `INPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 int2ext    all      eth0   sit+    ::/0                 ::/0
    0     0 ext2int    all      sit+   eth0    ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `FORWARD-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 extOUT     all      *      sit+    ::/0                 ::/0
    4   384 intOUT     all      *      eth0    ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `OUTPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain ext2int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `ext2int-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::1/128  ::/0                 tcp spts:512:65535 dpt:22
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::2/128  ::/0                 tcp spts:512:65535 dpt:22
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spts:1:65535 dpts:1024:65535
    0     0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 3ffe:ffff:100::1/128 tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     tcp      *      *       ::/0                 3ffe:ffff:100::2/128 tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1024:65535 dpts:1:65535
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `extOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain int2ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `int2ext:'
    0     0 DROP       all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `int2ext-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain intIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16

Chain intOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `intOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0