解决云主机开放ip6tables端口后IPv6无法访问问题

问题

最近给云主机开通了IPv6服务，在IPv6静态地址、CIDR掩码、IPv6网关配置完成后，测试IPv6进出均通。但是在参照IPv4的iptables的规则配置ip6tables，放开了对应的端口后，却发现IPv6不通了。这该如何解决？

排查

首先dump下ip6tables确认下规则正确。执行ip6tables-save查看当前的规则。

# Generated by ip6tables-save v1.8.7 on Sun Feb 12 22:28:06 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [709:774441]
:MY-Firewall-1-INPUT - [0:0]
-A INPUT -j MY-Firewall-1-INPUT
-A FORWARD -j MY-Firewall-1-INPUT
-A MY-Firewall-1-INPUT -i lo -j ACCEPT
-A MY-Firewall-1-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A MY-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A MY-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Sun Feb 12 22:28:06 2023
# Generated by ip6tables-save v1.8.7 on Sun Feb 12 22:28:06 2023
*nat
:PREROUTING ACCEPT [13:1048]
:INPUT ACCEPT [13:1048]
:OUTPUT ACCEPT [11:904]
:POSTROUTING ACCEPT [11:904]
# Completed on Sun Feb 12 22:28:06 2023

# Generated by ip6tables-save v1.8.7 on Sun Feb 12 22:28:06 2023

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [709:774441]

:MY-Firewall-1-INPUT - [0:0]

-A INPUT -j MY-Firewall-1-INPUT

-A FORWARD -j MY-Firewall-1-INPUT

-A MY-Firewall-1-INPUT -i lo -j ACCEPT

-A MY-Firewall-1-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A MY-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

-A MY-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

COMMIT

# Completed on Sun Feb 12 22:28:06 2023

# Generated by ip6tables-save v1.8.7 on Sun Feb 12 22:28:06 2023

*nat

:PREROUTING ACCEPT [13:1048]

:INPUT ACCEPT [13:1048]

:OUTPUT ACCEPT [11:904]

:POSTROUTING ACCEPT [11:904]

# Completed on Sun Feb 12 22:28:06 2023

可以看到对应的80, 443已经打开，且规则非常简单，没有特别的问题。ip6tables默认规则为DROP，开放了对应的端口。

那问题出在哪里呢? 先确认下IPv6的物理通道是否畅通，尝试ping IPv6静态网关试试。结果ping之后发现了端倪

root@host:~# ping6 [IPv6网关地址]
PING [IPv6网关地址]([网关地址]) 56 data bytes
From [IPv6本机地址] icmp_seq=1 Destination unreachable: Address unreachable
From [IPv6本机地址] icmp_seq=2 Destination unreachable: Address unreachable
From [IPv6本机地址] icmp_seq=3 Destination unreachable: Address unreachable

root@host:~# ping6 [IPv6网关地址]

PING [IPv6网关地址]([网关地址]) 56 data bytes

From [IPv6本机地址] icmp_seq=1 Destination unreachable: Address unreachable

From [IPv6本机地址] icmp_seq=2 Destination unreachable: Address unreachable

From [IPv6本机地址] icmp_seq=3 Destination unreachable: Address unreachable

ping6报告说网关不可达。看到这个结果我就反应过来了。IPv6不通过数据链路层的ARP协议来实现IP地址到MAC地址的转换，而是通过在网络层上使用邻居发现协议，来实现IP地址到MAC地址的转换（参考IPv6 邻居发现协议详解）。而这个邻居发现协议是通过ICMPv6来承载的，而ICMPv6是在网络层上，因此会被ip6tables给DROP掉。

到这里问题就比较简单了。即允许ip6tables通过NDP对应的ICMPv6报文即可。经过搜索，参照这个资料，添加了以下规则

ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

执行完成后，ip6tables就不会阻止本机查找网关所在的MAC地址了。

验证

重新ping6网关，发现已经恢复畅通。访问443端口服务，正常得到返回。问题解决。

问题

排查

验证

发表评论 取消回复

发表评论取消回复