Posted: 16 Feb 2014, 18:34
by pc_magas
I have a server on okeanos with the following network interfaces:

Code:
user@snf-200880:~$ ifconfig
eth0 Link encap:Ethernet HWaddr aa:0c:f5:91:aa:86
inet addr:83.212.113.134 Bcast:83.212.113.255 Mask:255.255.254.0
inet6 addr: fe80::a80c:f5ff:fe91:aa86/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19860 errors:0 dropped:0 overruns:0 frame:0
TX packets:15773 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8740411 (8.7 MB) TX bytes:2110804 (2.1 MB)

eth2 Link encap:Ethernet HWaddr aa:00:05:d1:9a:73
inet6 addr: fe80::a800:5ff:fed1:9a73/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:458 errors:0 dropped:0 overruns:0 frame:0
TX packets:1640 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47232 (47.2 KB) TX bytes:176364 (176.3 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:170 errors:0 dropped:0 overruns:0 frame:0
TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21902 (21.9 KB) TX bytes:21902 (21.9 KB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:963 (963.0 B) TX bytes:152 (152.0 B)


The eth2 interface has an IPv6 address and okeanos has it as a public IPv6 network, but for some reason the machine cannot ping any IPv6 addresses at all:
Code:
user@snf-200880:~$ ping6 ipv6.google.com
PING ipv6.google.com(ham02s12-in-x05.1e100.net) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 14999ms

user@snf-200880:~$ ping6 snf-455503.vm.okeanos.grnet.gr
PING snf-455503.vm.okeanos.grnet.gr(snf-455503.vm.okeanos.grnet.gr) 56 data bytes
^C
--- snf-455503.vm.okeanos.grnet.gr ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4031ms

My firewall has the following settings:
Code:
user@snf-200880:~$ cat /etc/iptables.sh
#!/bin/bash
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#List for eth0 interface
sudo iptables -N ethinput
#List for VPN Interface
sudo iptables -N vpnincoming
#List for loopback
sudo iptables -N loinput
#List for http
sudo iptables -N httplimit
#List for ping
sudo iptables -N ping

sudo iptables -P FORWARD DROP


sudo iptables -A INPUT -i lo -j loinput
sudo iptables -A INPUT -i eth0 -j ethinput
sudo iptables -A INPUT -i eth2 -j ethinput
sudo iptables -A INPUT -i tun0 -j vpnincoming
sudo iptables -P INPUT DROP

sudo iptables -A INPUT -m state --state INVALID -j DROP # Drop invalid packets

sudo iptables -P OUTPUT ACCEPT
sudo iptables -A OUTPUT -m state --state INVALID -j DROP # Drop invalid packets

sudo iptables -P loinput ACCEPT
sudo iptables -A loinput -p icmp --icmp-type echo-request -j DROP

sudo iptables -P vpnincoming DROP
sudo iptables -A vpnincoming -p tcp -m multiport --dport 10000,80,449 -j httplimit
sudo iptables -A vpnincoming -p tcp -m multiport --dport 3306,6000 -j ACCEPT
sudo iptables -A vpnincoming -p icmp --icmp-type echo-request -j ping

sudo iptables -P ethinput DROP
sudo iptables -A ethinput -p tcp -m multiport --dport 80,449 -j httplimit
sudo iptables -A ethinput -p udp --dport 1194 -j ACCEPT
sudo iptables -A ethinput -p tcp --dport 53 -j ACCEPT
sudo iptables -A ethinput -p udp --dport 53 -j ACCEPT
#sudo iptables -A ethinput -p tcp -m multiport --dport 465,587 -j ACCEPT
sudo iptables -A ethinput -p tcp --dport 6000 -j ACCEPT
sudo iptables -A ethinput -p icmp --icmp-type echo-request -j ping
#sudo iptables -A ethinput -p tcp -m multiport --dport 28785,4000 -j ACCEPT
sudo iptables -A ethinput -p udp --dport 28785 -j ACCEPT

sudo iptables -A httplimit -m limit --limit 10/minute --limit-burst 30 -j ACCEPT
sudo iptables -P httplimit DROP


sudo iptables -A ping -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
sudo iptables -P ping DROP

#for ipv6
sudo ip6tables -F
sudo ip6tables -X
sudo ip6tables -t mangle -F
sudo ip6tables -t mangle -X

sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#List for eth0 interface
sudo ip6tables -N ethinput
#List for VPN Interface
sudo ip6tables -N vpnincoming
#List for loopback
sudo ip6tables -N loinput
#List for http
sudo ip6tables -N httplimit
#List for ping
sudo ip6tables -N ping

sudo ip6tables -P FORWARD DROP


sudo ip6tables -A INPUT -i lo -j loinput
sudo ip6tables -A INPUT -i eth2 -j ethinput
sudo ip6tables -A INPUT -i tun0 -j vpnincoming
sudo ip6tables -P INPUT DROP

sudo ip6tables -A INPUT -m state --state INVALID -j DROP # Drop invalid packets

sudo ip6tables -P OUTPUT ACCEPT
sudo ip6tables -A OUTPUT -m state --state INVALID -j DROP # Drop invalid packets

sudo ip6tables -P loinput ACCEPT
sudo ip6tables -A loinput -p icmp -j DROP

sudo ip6tables -P vpnincoming DROP
sudo ip6tables -A vpnincoming -p tcp -m multiport --dport 10000,80,449 -j httplimit
sudo ip6tables -A vpnincoming -p tcp -m multiport --dport 3306,6000 -j ACCEPT
sudo ip6tables -A vpnincoming -p icmpv6 -j ping

sudo ip6tables -P ethinput DROP
sudo ip6tables -A ethinput -p tcp -m multiport --dport 80,449 -j httplimit
sudo ip6tables -A ethinput -p udp --dport 1194 -j ACCEPT
sudo ip6tables -A ethinput -p tcp --dport 53 -j ACCEPT
sudo ip6tables -A ethinput -p udp --dport 53 -j ACCEPT
#sudo iptables -A ethinput -p tcp -m multiport --dport 465,587 -j ACCEPT
sudo ip6tables -A ethinput -p tcp --dport 6000 -j ACCEPT
sudo ip6tables -A ethinput -p icmpv6 -j ping
#sudo iptables -A ethinput -p tcp -m multiport --dport 28785,4000 -j ACCEPT
sudo ip6tables -A ethinput -p udp --dport 28785 -j ACCEPT

sudo ip6tables -A httplimit -m limit --limit 10/minute --limit-burst 30 -j ACCEPT
sudo ip6tables -P httplimit DROP


sudo ip6tables -A ping -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
sudo ip6tables -P ping DROP

While the routing is as follows:
Code:
user@snf-200880:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 83.212.112.1 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
83.212.112.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0

Code:
user@snf-200880:~$ ip -6 route show dev eth2
2001:648:2ffc:1225::/64 proto kernel metric 256
fe80::/64 proto kernel metric 256
default via fe80::ce47:52ff:fe4e:4554 proto static metric 1
default via fe80::ce47:52ff:fe4e:4554 proto kernel metric 1024 expires 14133sec

Code:
user@snf-200880:~$ route -A inet6 |grep -w "eth2"
2001:648:2ffc:1225::/64 :: UA 256 0 0 eth2
fe80::/64 :: U 256 0 0 eth2
::/0 fe80::ce47:52ff:fe4e:4554 UG 1 0 0 eth2
::/0 fe80::ce47:52ff:fe4e:4554 UGDAe 1024 0 0 eth2
ff00::/8 :: U 256 0 0 eth2
user@snf-200880:~$ route -A inet6 |grep -w "eth0"
fe80::/64 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth0


Any help is welcome!
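As an added example that is not part of the original post: the ip6tables rules above hand every ICMPv6 message arriving on eth2 or tun0 to the rate-limited `ping` chain, and that includes Neighbor Discovery, which a host needs in order to resolve the link-layer address of its fe80:: gateway. The bash function below, written for this post and not taken from it, inserts the RFC 4890 "must not be dropped" ICMPv6 types ahead of such a blanket rule; the names `allow_icmpv6`, `ip6t`, `count_rules` and the `DRY_RUN`/`IP6T` variables are chosen here.

```shell
#!/bin/bash
# Added example, not from the post: accept the ICMPv6 messages an IPv6 host
# needs even behind a default-DROP INPUT chain (RFC 4890's "must not be
# dropped" types). DRY_RUN=1 prints the rules instead of loading them.
IP6T=${IP6T:-ip6tables}

# Emit or execute one ip6tables command, depending on DRY_RUN.
ip6t() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s %s\n' "$IP6T" "$*"
    else
        "$IP6T" "$@"
    fi
}

# allow_icmpv6 CHAIN: insert the essential ICMPv6 accepts at the top of CHAIN
# so they match before a later blanket "-p icmpv6 -j ping" rule.
allow_icmpv6() {
    local chain=$1
    # Error messages 1-4 (unreachable, packet too big, time exceeded,
    # parameter problem): path-MTU discovery and TCP break without them.
    for t in 1 2 3 4; do
        ip6t -I "$chain" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Neighbor Discovery 133-137 (RS, RA, NS, NA, Redirect): without NS/NA the
    # host never learns the link-layer address of its fe80:: gateway. RFC 4861
    # requires hop limit 255 on these, so off-link forgeries are still dropped.
    for t in 133 134 135 136 137; do
        ip6t -I "$chain" -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Multicast Listener Discovery (130-132, 143) keeps the router delivering
    # the solicited-node multicast groups that Neighbor Solicitation relies on.
    for t in 130 131 132 143; do
        ip6t -I "$chain" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
}

# Number of rules one call emits; a dry-run self-check.
count_rules() {
    DRY_RUN=1 allow_icmpv6 "$1" | grep -c -- '--icmpv6-type'
}

# In the post's script these calls would go right after "ip6tables -N ethinput"
# and "-N vpnincoming", ahead of the "-p icmpv6 -j ping" lines:
# allow_icmpv6 ethinput
# allow_icmpv6 vpnincoming
```

Echo requests still reach the existing rate-limited `ping` chain; only the control-plane types are lifted out of it.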