ip6tables state not allowing http connections outside the LAN

I have a Debian 11 machine acting as an IPv6 router (machine A), with WAN (bond0) and LAN (bond1) interfaces, and another Debian 11 machine (machine B) connected to its LAN interface. This setup worked as expected until I set up firewall rules on machine A:

ip6tables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -P FORWARD DROP

After this setup, machine B can ping, but nothing else works; for example, http connections do not work:

--2022-11-20 18:25:05--  http://[2a02:16a8:dc41:100::132]/
Connecting to [2a02:16a8:dc41:100::132]:80... connected.
HTTP request sent, awaiting response...

Once I change the default policy back to accept:

ip6tables -P FORWARD ACCEPT

everything works again, including the connection mentioned above. So I guess the error is not in the network setup, but rather a missing firewall rule. On machine A the INPUT and OUTPUT default policies are ACCEPT, with no rules:

Chain INPUT (policy ACCEPT 52117 packets, 7950K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 32646 packets, 2259K bytes)
 pkts bytes target     prot opt in     out     source               destination

So I think this part is fine. Machine B has no rules set at all. What am I missing to make this work?

Update:

After appending the firewall rule ip6tables -A FORWARD -j LOG to the end of the filter rules, I get these messages in /var/log/kern.log:

Nov 20 19:08:11 machineA kernel: [64351.126036] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=735930 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:11 machineA kernel: [64351.126186] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=735930 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:11 machineA kernel: [64351.343310] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=735930 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:11 machineA kernel: [64351.563328] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=918248 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:12 machineA kernel: [64352.007316] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=983152 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:12 machineA kernel: [64352.139854] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=983152 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:13 machineA kernel: [64352.903316] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=286527 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0
Nov 20 19:08:13 machineA kernel: [64352.911487] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=286527 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK FIN URGP=0
Nov 20 19:08:14 machineA kernel: [64354.159965] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=286527 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:14 machineA kernel: [64354.663292] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=128197 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:18 machineA kernel: [64358.247272] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=83931 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:18 machineA kernel: [64358.347769] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=83931 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:25 machineA kernel: [64365.415153] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=504998 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:26 machineA kernel: [64366.539630] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=504998 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:08:39 machineA kernel: [64379.494991] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=546713 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0
Nov 20 19:08:42 machineA kernel: [64382.667434] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=72 TC=0 HOPLIMIT=63 FLOWLBL=546713 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0
Nov 20 19:09:09 machineA kernel: [64409.190482] IN=bond1 OUT=bond0 MAC=<mac snip> SRC=<machine B ipv6> DST=<destination servers ipv6> LEN=210 TC=0 HOPLIMIT=63 FLOWLBL=39670 PROTO=TCP SPT=46848 DPT=80 WINDOW=507 RES=0x00 ACK PSH FIN URGP=0

Answer 1

It looks like the problem was in the routing itself. According to the log file and the ip6tables counters, some packets were not passing through the FORWARD chain. After running traceroutes on both the source and the destination side, I found that packets from machine B were going through machine A, but packets to machine B were somehow bypassing it. Once my provider fixed this routing problem, all packets from machine B pass through the FORWARD chain and it works as expected.

FYI, in case anyone wants to build a "NAT-like" IPv6 firewall: accepting the ESTABLISHED and RELATED states is not enough; you also need to accept the NEW state from the LAN interface to the WAN interface. The full commands are:

ip6tables -A FORWARD -i <lan int> -o <wan int> -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -P FORWARD DROP
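The three commands above are the core of the ruleset. As an added example (not code from the question or the answer), the script below generates the same stateful LAN-to-WAN policy in ip6tables-restore format so it can be loaded atomically, and goes a little beyond the answer: it keeps forwarding the ICMPv6 types IPv6 needs end to end (the answer's final three commands drop them), drops INVALID segments, and logs what falls through before the DROP policy. The interface names bond1 (LAN) and bond0 (WAN) are the ones from the question; the ICMPv6 type list, the INVALID rule, the log prefix and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original question or answer: build a
# stateful IPv6 forwarding ruleset for a router with one LAN and one
# WAN interface, in ip6tables-restore format. Interface names bond1
# (LAN) and bond0 (WAN) are the ones from the question; the ICMPv6 type
# list, the INVALID drop and the log rule are this example's additions.
#
# Usage: sh ip6fw.sh bond1 bond0          # print the ruleset
#        sh ip6fw.sh bond1 bond0 --apply  # load it atomically (as root)

ip6_fw_ruleset() {
    lan="$1"
    wan="$2"
    # Unquoted EOF so $lan / $wan expand; everything else is literal.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic for flows conntrack already knows, in either direction.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Segments conntrack cannot place in any flow, e.g. mid-stream TCP whose
# handshake never crossed this router (what the question's LOG lines show).
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# ICMPv6 that must cross the router for IPv6 to work end to end
# (Packet Too Big for PMTUD, error reports, and ping). Neighbor Discovery
# is link-local and is never forwarded, so it needs no FORWARD rule.
-A FORWARD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
# New flows only from LAN to WAN. The question's rule matched NEW with
# no -i/-o, which also lets the WAN side open connections to LAN hosts.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# Log what is about to hit the DROP policy, rate-limited.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
EOF
}

# Count the rules that would let the WAN side start a flow toward the
# LAN; a correct ruleset returns 0 (used as a sanity check).
ip6_fw_wan_initiated_rules() {
    ip6_fw_ruleset "$1" "$2" | grep -c -e "-i $2 -o $1 .*NEW.*ACCEPT" || true
}

if [ "$#" -ge 2 ]; then
    if [ "$3" = "--apply" ]; then
        # The whole table is replaced in one step, so there is no window
        # with a half-loaded chain; ip6tables -C then confirms the key rule.
        ip6_fw_ruleset "$1" "$2" | ip6tables-restore
        ip6tables -C FORWARD -i "$1" -o "$2" -m conntrack --ctstate NEW -j ACCEPT
    else
        ip6_fw_ruleset "$1" "$2"
    fi
fi
```

Note that the FORWARD chain only ever sees packets that actually traverse the router: in the situation the answer describes, where the return path bypasses machine A, no ruleset can repair that, and the LOG rule at the end is what makes it visible, since only the LAN-to-WAN half of each flow shows up in kern.log. The `-m conntrack --ctstate` match used here and in the answer is the current form of the `-m state --state` match from the question; both consult the same connection-tracking table.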
