Blocking public-network access with ip6tables
Is there a way to make the IPv6 services on the internal network unreachable from the outside (public) network, while internal hosts can still use IPv6 to reach the public network normally?
If some ports need to be exposed later, for example 80 or 443, how should the exception rules be added?
For the first question, the following rule achieves this (it sits ahead of the unconditional DROP on the INPUT chain, as in the listing below, so only replies to connections opened from inside are let in):
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
If some ports need to be opened later, add the corresponding ACCEPT rules after the rule above, for example:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
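The rules above show the shape of the policy; the following script, an added example that is not part of the original post, generates the same INPUT policy for a list of ports and applies it in a dedicated chain so it can be re-run without disturbing the fw3-managed chains. Two things are assumptions added here rather than taken from the post: the upstream interface name (WAN_IF, defaulting to eth1) is used to scope the DROP to traffic arriving from outside, and a small set of ICMPv6 types is admitted before the DROP, because neighbor discovery, router advertisements and packet-too-big messages are not tracked as ESTABLISHED and IPv6 on the host stops working if they are dropped (RFC 4890 lists them as the essential types).

```sh
#!/bin/sh
# Added example, not from the original post. Generates and applies an
# ip6tables INPUT policy: allow replies to our own connections, allow the
# ICMPv6 that IPv6 needs to function, allow selected public TCP ports,
# drop everything else arriving from the upstream interface.

WAN_IF="${WAN_IF:-eth1}"   # assumed upstream interface name (not from the post)
CHAIN="pub_filter"         # hypothetical chain name for the rules we manage

# Print the rule list, one ip6tables rule per line, for the given TCP ports.
ip6_input_rules() {
    # Replies and related packets for connections opened from inside.
    echo "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Loopback is never reachable from the public network; keep it open.
    echo "-A INPUT -i lo -j ACCEPT"
    # Essential ICMPv6 (assumption added here): error signalling plus
    # neighbor discovery and router advertisements, per RFC 4890.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem \
             router-advertisement neighbor-solicitation neighbor-advertisement; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Services that are meant to be public, one ACCEPT per port.
    for p in "$@"; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -j ACCEPT"
    done
    # Anything else that arrives from outside is dropped; traffic from other
    # interfaces falls through to whatever rules follow in INPUT.
    echo "-A INPUT -i $WAN_IF -j DROP"
}

# Apply the rules with ip6tables (requires root). The rules live in their own
# chain, which is recreated on each run and hooked at the top of INPUT.
apply_ip6_input_rules() {
    ip6tables -N "$CHAIN" 2>/dev/null || ip6tables -F "$CHAIN"
    ip6_input_rules "$@" | sed "s/^-A INPUT/-A $CHAIN/" | while read -r rule; do
        # Rule text contains no spaces inside values, so word splitting is safe.
        # shellcheck disable=SC2086
        ip6tables $rule
    done
    ip6tables -C INPUT -j "$CHAIN" 2>/dev/null || ip6tables -I INPUT 1 -j "$CHAIN"
}

# Usage: run as root with the ports to expose, or with no ports to expose nothing.
#   ./ip6_public_filter.sh 80 443
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" != "--dry-run" ]; then
    apply_ip6_input_rules "$@"
else
    ip6_input_rules "$@"
fi
```

Running it without root only prints the generated rules, which is a convenient way to review the ordering before applying it; the ESTABLISHED rule must stay first, and every ACCEPT must come before the final DROP, otherwise the exception never matches.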
[root@OpenWrt:11:23 AM ~] # ip6tables -L INPUT --line-number
Chain INPUT (policy DROP)
num  target             prot opt source     destination
1    ACCEPT             all      anywhere   anywhere     ctstate RELATED,ESTABLISHED
2    DROP               all      anywhere   anywhere
3    ACCEPT             all      anywhere   anywhere     /* !fw3 */
4    input_rule         all      anywhere   anywhere     /* !fw3: Custom input rule chain */
5    ACCEPT             all      anywhere   anywhere     ctstate RELATED,ESTABLISHED /* !fw3 */
6    syn_flood          tcp      anywhere   anywhere     tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
7    zone_lan_input     all      anywhere   anywhere     /* !fw3 */
8    zone_lan_input     all      anywhere   anywhere     /* !fw3 */
9    zone_docker_input  all      anywhere   anywhere     /* !fw3 */
[root@OpenWrt:11:23 AM ~] # ping6 [2402:4e00:1900:1400:0:9227:71e8:2ccc]
PING [2402:4e00:1900:1400:0:9227:71e8:2ccc] (2402:4e00:1900:1400:0:9227:71e8:2ccc): 56 data bytes
64 bytes from 2402:4e00:1900:1400:0:9227:71e8:2ccc: seq=0 ttl=53 time=33.320 ms
This is an original article published under the CC BY-NC-ND 4.0 license; when reposting it in full, please credit solitud.es.