How to use the ip6tables command of Linux

2025-01-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to use the ip6tables command of Linux. The explanation is simple and clear and easy to follow.

Among the common Linux commands, ip6tables, like iptables, is firewall software for Linux; the difference is that ip6tables operates on the IPv6 protocol.

ip6tables: firewall software in Linux

Syntax

    ip6tables (options)

Options

    -t: specify the table to operate on
    -A: append entries to the rule chain
    -D: delete entries from the rule chain
    -I: insert entries into the rule chain
    -R: replace entries in the rule chain
    -L: list the existing entries in the rule chain
    -F: flush (clear) the existing entries in the rule chain
    -Z: zero the packet and byte counters in the rule chain
    -N: create a new user-defined rule chain
    -P: set the default policy (target) of the rule chain
    -h: display help information
    -p: specify the packet protocol type to match
    -s: specify the packet source IP address to match
    -j: specify the target to jump to
    -i: specify the network interface on which the packet enters the machine
    -o: specify the network interface on which the packet leaves the machine
    -c: initialize the packet and byte counters when inserting (insert), appending (append) or replacing (replace) a rule

Example

View the current IPv6 firewall configuration by entering the following command in a terminal:

    ip6tables -nL --line-numbers

The /etc/sysconfig/ip6tables file

Open the /etc/sysconfig/ip6tables file in an editor:

    vi /etc/sysconfig/ip6tables

You may see the following default ip6tables rules:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
    COMMIT

These rules are similar to IPv4 iptables rules, but not exactly the same.

To open port 80 (HTTP server port), add the following rule before the COMMIT line:

    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

Here -p tcp means the rule matches only TCP traffic, and --dport specifies the destination port number.

To open port 53 (DNS server port), add the following rule before the COMMIT line:

    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT

This opens port 53 for both the TCP and UDP protocols.

To open port 443, add the following rule before the COMMIT line:

    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open port 25 (SMTP mail server port), add the following rule before the COMMIT line:

    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

For packets that match no specific rule, replying with a REJECT may be unwanted and can be problematic. We may also want to log such packets before we DROP them. To do that, change the last lines:

    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
    COMMIT

to:

    -A RH-Firewall-1-INPUT -j LOG
    -A RH-Firewall-1-INPUT -j DROP
    COMMIT

Save and close the file, then restart the ip6tables firewall:

    # service ip6tables restart

Then list the ip6tables rules again; you should see output like the following:

    # ip6tables -vnL --line-numbers

Sample output:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target               prot    opt in  out source  destination
    1    42237 3243K RH-Firewall-1-INPUT  all         *   *   ::/0    ::/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target               prot    opt in  out source  destination
    1        0     0 RH-Firewall-1-INPUT  all         *   *   ::/0    ::/0

    Chain OUTPUT (policy ACCEPT 12557 packets, 2042K bytes)
    num   pkts bytes target               prot    opt in  out source  destination

    Chain RH-Firewall-1-INPUT (2 references)
    num   pkts bytes target               prot    opt in  out source  destination
    1        6   656 ACCEPT               all         lo  *   ::/0    ::/0
    2    37519 2730K ACCEPT               icmpv6      *   *   ::/0    ::/0
    3                ACCEPT               esp         *   *   ::/0    ::/0
    4                ACCEPT               ah          *   *   ::/0    ::/0
    5      413 48385 ACCEPT               udp         *   *   ::/0    ff02::fb/128  udp dpt:5353
    6        0     0 ACCEPT               udp         *   *   ::/0    ::/0          udp dpt:631
    7        0     0 ACCEPT               tcp         *   *   ::/0    ::/0          tcp dpt:631
    8      173 79521 ACCEPT               udp         *   *   ::/0    ::/0          udp dpts:32768:61000
    9        0     0 ACCEPT               tcp         *   *   ::/0    ::/0          tcp dpts:32768:61000
    10       0     0 ACCEPT               tcp         *   *   ::/0    ::/0          tcp dpt:22
    11       0     0 ACCEPT               tcp         *   *   ::/0    ::/0          tcp dpt:80
    12       0     0 ACCEPT               tcp         *   *   ::/0    ::/0          tcp dpt:53
    13    4108  380K ACCEPT               udp         *   *   ::/0    ::/0          udp dpt:53
    14      18  4196 REJECT               all         *   *   ::/0    ::/0

IPv6 private IP

With IPv4, hosts on an internal LAN are usually protected by default because they sit behind private IP addresses. IPv6 has so many addresses that private networks built on protocols such as NAT are no longer needed: every internal host can have a public IP address and connect directly to the Internet, which also exposes it directly to every threat on the Internet. So how do you configure the IPv6 firewall to discard all incoming packets by default except ping6 requests? Unique local IPv6 unicast addresses can be identified by the FC00::/7 prefix.

Allow specific ICMPv6 traffic

With IPv6 you need to allow more types of ICMP traffic than with IPv4 so that functions such as routing and IP address autoconfiguration work properly. If your rules are too strict, the host may fail to obtain a correct IPv6 address, unless of course you configure the IP address manually instead of using DHCP.

Here is a common example of an ipv6-icmp configuration:

    :ICMPv6 - [0:0]
    # Approve certain ICMPv6 types and all outgoing ICMPv6
    # http://forum.linode.com/viewtopic.php?p=39840#39840
    -A INPUT -p icmpv6 -j ICMPv6
    -A ICMPv6 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type redirect -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 141 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 142 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 148 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 149 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 151 -s fe80::/10 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 152 -s fe80::/10 -j ACCEPT
    -A ICMPv6 -p icmpv6 --icmpv6-type 153 -s fe80::/10 -j ACCEPT
    -A ICMPv6 -p icmpv6 -j ACCEPT

Thank you for reading. That covers how to use the ip6tables command of Linux; after studying this article you should have a better understanding of it, and actual use still needs to be verified in practice.
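A small audit script, added here as an example and not code from the article: it parses rules in ip6tables-save format (the format of /etc/sysconfig/ip6tables) and checks the two points made above, whether the ICMPv6 chain still accepts the neighbour-discovery types that autoconfiguration needs, whether a type-less "-p icmpv6 -j ACCEPT" at the end of that chain makes the per-type whitelist moot, and whether the input chain ends with LOG followed by DROP as in the earlier section. The chain names and the sample rule set are constructed assumptions.

```python
import shlex

# ICMPv6 types that IPv6 autoconfiguration and neighbour discovery need (RFC 4861);
# ip6tables accepts both the "neighbour-" and "neighbor-" spellings for --icmpv6-type.
NDP_TYPES = {"router-solicitation": 133, "router-advertisement": 134,
             "neighbour-solicitation": 135, "neighbour-advertisement": 136}
NAME_TO_NUM = {**NDP_TYPES, "neighbor-solicitation": 135, "neighbor-advertisement": 136}

# Constructed sample in ip6tables-save format, modelled on the article's chains.
SAMPLE = """\
-A INPUT -p icmpv6 -j ICMPv6
-A ICMPv6 -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A ICMPv6 -p icmpv6 --icmpv6-type 136 -j ACCEPT
-A ICMPv6 -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 32768:61000 ! --syn -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
"""

def parse_rules(text):
    """Return [(chain, opts)] for each '-A chain ...' line; opts maps flag -> value or True."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        opts, i = {}, 2
        while i < len(toks):
            tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if tok == "!" or not tok.startswith("-"):               # negation marker or stray word
                i += 1
            elif nxt is None or nxt == "!" or nxt.startswith("-"):  # bare flag such as --syn
                opts[tok], i = True, i + 1
            else:                                                   # flag with one argument
                opts[tok], i = nxt, i + 2
        rules.append((toks[1], opts))
    return rules

def audit(text, icmp_chain="ICMPv6", input_chain="RH-Firewall-1-INPUT"):
    """Report missing NDP types, a type-less catch-all ACCEPT, and whether unmatched input is logged then dropped."""
    rules = parse_rules(text)
    types = [o.get("--icmpv6-type") for c, o in rules if c == icmp_chain and o.get("-j") == "ACCEPT"]
    accepted = {NAME_TO_NUM.get(t, int(t) if t.isdigit() else t) for t in types if t}
    tail = [o.get("-j") for c, o in rules if c == input_chain][-2:]
    return {"missing_ndp": sorted(n for n, v in NDP_TYPES.items() if v not in accepted),
            "catch_all_accept": None in types,     # '-p icmpv6 -j ACCEPT' with no type
            "logs_before_drop": tail == ["LOG", "DROP"]}
```

Run it against the output of ip6tables-save on a real host to confirm that tightening the ICMPv6 chain has not removed types 133 to 136.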
