ip6tables: blocking access from the public internet

Solituder
2023-08-11 / 0 comments / 1 like / 41 views / 1703 words
  1. Is there a way to make the outside world (the public internet) unable to reach internal IPv6 services, while the inside can still use IPv6 to reach the internet normally?

  2. If some ports, say 80 or 443, need to be exposed later, how should the exception rules be added?
    For the first question, the following rule does the job, provided the INPUT chain is default-deny (policy DROP, as in the listing below, or an explicit `-j DROP` placed after it): replies to connections initiated from inside come back as RELATED/ESTABLISHED and are accepted, while unsolicited new connections from the WAN fall through to the drop. One caveat: ICMPv6 neighbour discovery and router advertisements addressed to the router are not classified as ESTABLISHED by conntrack, so a blanket drop after this rule also drops them and IPv6 on the router itself eventually stops working. Explicit ICMPv6 accept rules need to sit ahead of the drop (OpenWrt's default firewall config installs such a rule, Allow-ICMPv6-Input, for the wan zone).

    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    If ports need to be opened later, add the corresponding accept rules after the conntrack rule above and before the unconditional DROP; an accept rule placed after the drop is never reached. Note that in the listing below the DROP is already at position 2, so everything fw3 manages after it (positions 3 to 9, including the LAN zone input and the custom input_rule chain) no longer matches either. For example:

    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p tcp --dport 80 -j ACCEPT 
    -A INPUT -p tcp --dport 443 -j ACCEPT
    [root@OpenWrt:11:23 AM ~] # ip6tables -L INPUT --line-number
    Chain INPUT (policy DROP)
    num  target     prot opt source               destination         
    1    ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
    2    DROP       all      anywhere             anywhere            
    3    ACCEPT     all      anywhere             anywhere             /* !fw3 */
    4    input_rule  all      anywhere             anywhere             /* !fw3: Custom input rule chain */
    5    ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    6    syn_flood  tcp      anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
    7    zone_lan_input  all      anywhere             anywhere             /* !fw3 */
    8    zone_lan_input  all      anywhere             anywhere             /* !fw3 */
    9    zone_docker_input  all      anywhere             anywhere             /* !fw3 */
    [root@OpenWrt:11:23 AM ~] # ping6 [2402:4e00:1900:1400:0:9227:71e8:2ccc]
    PING [2402:4e00:1900:1400:0:9227:71e8:2ccc] (2402:4e00:1900:1400:0:9227:71e8:2ccc): 56 data bytes
    64 bytes from 2402:4e00:1900:1400:0:9227:71e8:2ccc: seq=0 ttl=53 time=33.320 ms
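The `ping6` above only proves the outbound direction (the echo reply returns as ESTABLISHED); whether the inbound block holds has to be tested from a host outside. The script below is an added example, not code from this post or from OpenWrt. `gen_input_rules` emits a complete, correctly ordered INPUT rule list in the same `-A INPUT` form used above (the `br-lan` interface name and the ICMPv6 type set are assumptions; the types follow RFC 4890), and `shadowed_rules` reads `ip6tables -S INPUT` output and prints every rule that an earlier unconditional DROP, REJECT or ACCEPT makes unreachable. The sample listing it audits is constructed to mirror the one above in `-S` form, with interface names filled in as assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers for the rule set
# discussed above: one emits a correctly ordered INPUT rule list, the other
# flags rules that can never match because an unconditional rule precedes them.
# The interface name br-lan and the ICMPv6 type list are assumptions.

# gen_input_rules PORT... : print "-A INPUT" lines (same form as the post)
# for the default-deny setup, with the given TCP ports exposed to the WAN.
gen_input_rules() {
    # Loopback and reply traffic first: this is what lets the router reach
    # the IPv6 internet while refusing unsolicited inbound connections.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # ICMPv6 control messages are not matched by ESTABLISHED; without these,
    # neighbour discovery and router advertisements are dropped and IPv6 on
    # the router itself breaks (type set assumed, after RFC 4890).
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request router-solicitation \
             router-advertisement neighbour-solicitation \
             neighbour-advertisement; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # LAN hosts keep full access to the router (LuCI, DNS, SSH); interface assumed.
    echo '-A INPUT -i br-lan -j ACCEPT'
    # Exposed services: one ACCEPT per port, all placed before the final DROP.
    for p in "$@"; do
        case "$p" in
            *[!0-9]*|'') echo "gen_input_rules: bad port '$p'" >&2; return 1 ;;
        esac
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Explicit catch-all so behaviour does not depend on the chain policy.
    echo '-A INPUT -j DROP'
}

# shadowed_rules : read "ip6tables -S INPUT" output on stdin and print every
# rule that sits after an unconditional terminating rule ("-A INPUT -j X" with
# no match at all), i.e. rules that will never fire. Prints nothing if clean.
shadowed_rules() {
    awk '
        /^-A INPUT / {
            if (dead) print
            if ($0 ~ /^-A INPUT -j (DROP|REJECT|ACCEPT)$/) dead = 1
        }
    '
}

# Constructed sample in "ip6tables -S INPUT" form mirroring the listing in the
# post (interfaces assumed): the DROP at position 2 shadows every fw3 rule
# that follows it, including the LAN zone and the custom input_rule chain.
SAMPLE_LISTING='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -i br-lan -j zone_lan_input
-A INPUT -i docker0 -j zone_docker_input'

# Stand-alone demo: a rule set exposing 80 and 443, then an audit of the sample.
echo '# generated INPUT rules:'
gen_input_rules 80 443
echo '# rules in the sample listing that can never match:'
printf '%s\n' "$SAMPLE_LISTING" | shadowed_rules
```

Run `ip6tables -S INPUT | shadowed_rules` after every change; any output means a rule landed behind the drop and will never fire. If the chain already ends in an unconditional DROP, `ip6tables -A` appends behind it, so insert the exception at a numbered position with `ip6tables -I INPUT <n> ...` instead.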