Hello, this is 鯨井貴博@opensourcetech.
As the title says, these are my notes on using ip6tables (on CentOS 6).
Checking ip6tables rules
ip6tables -L lists the current rules. Add -n to skip the reverse DNS and service-name lookups (addresses and ports then print numerically), and -v to see the interface column, which plain -L leaves out:
[root@CentOS6 ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT udp anywhere fe80::/64 state NEW udp dpt:dhcpv6-client
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Adding ip6tables rules
-I INPUT 3 inserts the rule at position 3 of the INPUT chain (above the existing accept-all rule, which is the loopback rule), so each of the following commands pushes the previous one down one slot. These are runtime changes only: they are lost on reboot unless saved to /etc/sysconfig/ip6tables (service ip6tables save on CentOS 6).
[root@CentOS6 ~]# ip6tables -I INPUT 3 -p tcp --dport 80 -d ::1 -j ACCEPT
[root@CentOS6 ~]# ip6tables -I INPUT 3 -p tcp --dport 80 --source FE80::2002:43B7 -j ACCEPT
[root@CentOS6 ~]# ip6tables -I INPUT 3 -p tcp --dport 80 --destination FF01:0:0:0:0:0:0:102 -j ACCEPT
Checking ip6tables rules (with rule numbers)
--line-numbers shows the position of each rule. Rules 3 to 5 are the three rules inserted above, in reverse order of insertion, and rule 6 is a further source-restricted rule not shown above. Rule numbers shift whenever a rule is inserted or deleted, so list again right before deleting by number (ip6tables -D INPUT <num>):
[root@CentOS6 ~]# ip6tables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT ipv6-icmp anywhere anywhere
3 ACCEPT tcp anywhere ff01::102/128 tcp dpt:http
4 ACCEPT tcp fe80::2002:43b7/128 anywhere tcp dpt:http
5 ACCEPT tcp anywhere localhost/128 tcp dpt:http
6 ACCEPT tcp 2001:a2b8:bc34:0:aaa8:b800:200c:418a/128 anywhere tcp dpt:http
7 ACCEPT all anywhere anywhere
8 ACCEPT udp anywhere fe80::/64 state NEW udp dpt:dhcpv6-client
9 ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
10 REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Checking the ip6tables configuration file
On CentOS 6 the saved rules live in /etc/sysconfig/ip6tables, in the format that ip6tables-save writes and ip6tables-restore reads. The header warns against hand-editing because system-config-firewall regenerates the file. Note that in this format the "ACCEPT all anywhere anywhere" rule from the -L output is actually restricted to the loopback interface (-i lo), and dpt:dhcpv6-client is UDP port 546:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Backing up and restoring the ip6tables configuration file
ip6tables-save prints the live rules in the same format (redirect it to a file to take a backup). ip6tables-restore reads such a file and replaces the whole table in a single commit, so here a test copy of the configuration is loaded:
[root@CentOS6 ~]# ip6tables-restore < /etc/sysconfig/ip6tables.test
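The following script is an added example and not code from the original post. It ties together the configuration-file format shown above and the backup/restore step: ip6_ruleset generates a complete filter table in ip6tables-save format that reproduces the CentOS 6 default policy, with one ACCEPT rule per requested TCP port placed where the stock policy keeps its ssh rule (after the loopback, ICMPv6 and DHCPv6 rules, before the final REJECT, and limited to NEW connections), and ip6_apply loads it after saving the live rules so a bad file can be rolled back. The port@source spec syntax, the backup path /root/ip6tables.backup.* and the file /etc/sysconfig/ip6tables.test are my assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a CentOS 6 style
# ip6tables ruleset in ip6tables-save format and apply it with a backup.
# Hypothetical paths: /etc/sysconfig/ip6tables.test, /root/ip6tables.backup.*
set -e

# ip6_ruleset SPEC...
#   SPEC is a TCP port ("22") or port@source ("80@fe80::2002:43b7/128").
# Prints a complete *filter table. Each SPEC becomes a rule that matches only
# NEW connections and sits after the loopback/ICMPv6/DHCPv6 rules and before
# the final REJECT, i.e. where the stock policy keeps its ssh rule (unlike
# "ip6tables -I INPUT 3", which lands above the "-i lo" rule).
ip6_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT'
    for spec in "$@"; do
        port=${spec%%@*}
        # reject anything that is not a plain port number in 1..65535
        case "$port" in
            ''|*[!0-9]*) echo "ip6_ruleset: bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "ip6_ruleset: port out of range in '$spec'" >&2; return 1
        fi
        src=''
        case "$spec" in
            *@*) src=" -s ${spec#*@}" ;;   # optional source address/prefix
        esac
        printf '%s -m tcp -p tcp --dport %s%s -j ACCEPT\n' \
            '-A INPUT -m state --state NEW' "$port" "$src"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp6-adm-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited' \
        'COMMIT'
}

# ip6_apply FILE
#   Save the live rules with ip6tables-save, then load FILE. ip6tables-restore
#   commits the whole table at once, so a failed restore leaves the previous
#   table in place; the backup is reloaded anyway as a safety net.
#   Needs root and only runs when the script is called with "apply".
ip6_apply() {
    backup="/root/ip6tables.backup.$(date +%Y%m%d%H%M%S)"
    ip6tables-save > "$backup"
    if ip6tables-restore < "$1"; then
        echo "applied $1 (previous rules saved in $backup)"
    else
        echo "ip6tables-restore failed; reloading $backup" >&2
        ip6tables-restore < "$backup"
        return 1
    fi
}

case "${1:-print}" in
    print) ip6_ruleset 22 '80@fe80::2002:43b7/128' ;;
    apply) ip6_ruleset 22 '80@fe80::2002:43b7/128' > /etc/sysconfig/ip6tables.test
           ip6_apply /etc/sysconfig/ip6tables.test ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Without arguments the script only prints the generated ruleset, which you can diff against /etc/sysconfig/ip6tables before touching the live firewall; "apply" writes it to the test file and loads it through ip6_apply. Generating the whole table and loading it with ip6tables-restore avoids the ordering surprises of ad-hoc -I inserts and leaves you with a file you can put straight into /etc/sysconfig/ip6tables once it is verified.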