如何配置 ufw 或 iptables 以仅允许从 IPv6 网络到 Internet 的出站流量?
我有一个办公室网络,其具有针对 IPv4 的传统 NAT 设置。我想添加一台运行 Ubuntu 的 PC 作为 IPv6 路由器,利用 Hurricane Electric 的隧道。
我已设置好一切并正常运行。我的内部计算机正在从 Ubuntu 盒子接收全局地址,并且能够毫无问题地 ping ipv6.google.com 和浏览 ipv6test.google.com。
我不确定的是,如何配置防火墙以阻止从 Internet 到我的内部网络的未经请求的传入流量,但允许到 Internet 的出站流量(以及相关的返回流量)。
ufw 命令或 iptables 规则的实际示例将不胜感激。
root@ipv6router:/home/corey# ifconfig
eth0 Link encap:Ethernet HWaddr 00:08:a1:10:62:c0
inet addr:146.x.y.12 Bcast:146.x.y.15 Mask:255.255.255.240
inet6 addr: fe80::208:a1ff:fe10:62c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:190487 errors:1 dropped:0 overruns:1 frame:1
TX packets:40982 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:80088076 (80.0 MB) TX bytes:6825762 (6.8 MB)
eth1 Link encap:Ethernet HWaddr 00:1b:21:5b:f0:5b
inet addr:192.168.76.3 Bcast:192.168.76.255 Mask:255.255.255.0
inet6 addr: fe80::21b:21ff:fe5b:f05b/64 Scope:Link
inet6 addr: 2001:x:1f07:z::1/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:90200 errors:0 dropped:0 overruns:0 frame:0
TX packets:59894 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12839775 (12.8 MB) TX bytes:70668474 (70.6 MB)
he-ipv6 Link encap:IPv6-in-IPv4
inet6 addr: fe80::9273:130c/128 Scope:Link
inet6 addr: 2001:x:1f06:z::2/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:56991 errors:0 dropped:0 overruns:0 frame:0
TX packets:34362 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:69388394 (69.3 MB) TX bytes:4537403 (4.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:13137 errors:0 dropped:0 overruns:0 frame:0
TX packets:13137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:998616 (998.6 KB) TX bytes:998616 (998.6 KB)
root@ipv6router:/home/corey# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:x:1f06:z::1/128 :: U 1024 0 1 he-ipv6
2001:x:1f06:z::/64 :: Un 256 0 0 he-ipv6
2001:x:1f07:z::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: Un 256 0 0 he-ipv6
fe80::/64 :: U 256 0 0 eth0
::/0 2001:x:1f06:z::1 UG 1024 0 0 he-ipv6
::/0 :: !n -1 1 92337 lo
::1/128 :: Un 0 1 412 lo
2001:x:1f06:z::/128 :: Un 0 1 0 lo
2001:x:1f06:z::2/128 :: Un 0 1 736 lo
2001:x:1f07:z::/128 :: Un 0 1 0 lo
2001:x:1f07:z::1/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::9273:130c/128 :: Un 0 1 0 lo
fe80::208:a1ff:fe10:62c0/128 :: Un 0 1 0 lo
fe80::21b:21ff:fe5b:f05b/128 :: Un 0 1 4611 lo
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 he-ipv6
ff00::/8 :: U 256 0 0 eth0
::/0 :: !n -1 1 92337 lo
使用
forward链添加转发防火墙规则。使用此设置,您需要添加更多规则,让其他接口按照您的意愿进行路由,但最终结果将与上述非常相似。