
RouterOS software router: IPv6 firewall policy for the internal network

Once the ISP delegates an IPv6 prefix and the router hands out addresses from it to internal hosts, every host on the LAN ends up with a globally routable IPv6 address. This creates a security problem: the whole Internet can reach your hosts directly. With IPv4, traffic leaves through the router's NAT, and NAT incidentally hides the private IPv4 addresses; with IPv6 there is no such shield, so configuring a firewall to protect the hosts behind the router is essential. The overall approach is:
  1. accept established/related packets;
  2. drop invalid packets and log them;
  3. accept ICMPv6 packets, except those arriving on WAN (the external interface);
  4. accept connections from internal clients to the Internet;
  5. drop everything else.
First define the address list. It contains the link-local range, the multicast range, and the IPv6 prefix you were delegated:
/ipv6 firewall address-list
add address=fe80::/16 comment=link-local list=allowed
add address=2001:db8:1::/64 comment="your delegated IPv6 prefix" list=allowed
add address=ff02::/16 comment=multicast list=allowed
The combination of rules 1, 4 and 5 is what matters: it permits access from the internal network to the outside while rejecting access from the outside to the internal network, which keeps the internal IPv6 network safe from unsolicited external connections. The configuration is:
/ipv6 firewall filter
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=!WAN protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!WAN src-address-list=allowed
add action=drop chain=forward comment="drop everything else" log-prefix=IPV6
This configuration is a set of IPv6 firewall access rules that is one-directional for internal hosts: connections may be initiated from inside to outside, never from outside to inside. Once you understand it, the same one-directional pattern can be applied to an IPv4 firewall as well. If you need to allow external access to a specific IPv6 address range, insert a rule matching the destination range 2001:db8:1::/64 ahead of the final rule that drops everything; a rule appended after the drop is never reached, which is why the `move` at the end of the session below is needed.
[admin@MikroTik] /ipv6 firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; allow established and related
      chain=input action=accept connection-state=established,related log=no log-prefix=""
 1    ;;; accept ICMPv6
      chain=input action=accept protocol=icmpv6 log=no log-prefix=""
 2    ;;; defconf: accept UDP traceroute
      chain=input action=accept protocol=udp port=33434-33534 log=no log-prefix=""
 3    ;;; accept DHCPv6-Client prefix delegation.
      chain=input action=accept protocol=udp src-address=fe80::/16 dst-port=546 log=no log-prefix=""
 4    chain=input action=drop src-address=fe80::/16 in-interface=pppoe-out2 log=yes log-prefix="dropLL_from_public"
 5    ;;; allow allowed addresses
      chain=input action=accept src-address-list=allowed log=no log-prefix=""
 6    chain=input action=drop log=no log-prefix=""
 7    ;;; established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""
 8    ;;; invalid
      chain=forward action=drop connection-state=invalid log=yes log-prefix="ipv6,invalid"
 9    ;;; icmpv6
      chain=forward action=accept protocol=icmpv6 in-interface=!WAN log=no log-prefix=""
10    ;;; local network
      chain=forward action=accept in-interface=!WAN src-address-list=allowed log=no log-prefix=""
11    chain=forward action=drop log=no log-prefix="IPV6"
[admin@MikroTik] /ipv6 firewall filter> add action=accept chain=forward dst-address=2001:db8:1::1/64
[admin@MikroTik] /ipv6 firewall filter> move 12 11
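To check the forward-chain logic before committing it to a router, here is an added example (not from the original post, and not RouterOS code) that models the five forward rules above as a first-match chain in Python and evaluates constructed sample packets against it. The packet fields, the `LAN`/`WAN` interface names and the remote address 2001:db8:ffff::1 are assumptions for the model; it also shows why an inbound exception appended after the final drop never matches until it is moved in front of it.

```python
import ipaddress

# Address list "allowed" from the post (documentation prefix stands in for the delegated one).
ALLOWED = [ipaddress.ip_network(n) for n in ("fe80::/16", "2001:db8:1::/64", "ff02::/16")]


def in_list(addr, nets):
    """True if addr falls inside any network in nets."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


# Each rule: (comment, predicate over a packet dict, action). Order mirrors the post.
FORWARD_CHAIN = [
    ("established,related", lambda p: p["state"] in ("established", "related"), "accept"),
    ("invalid", lambda p: p["state"] == "invalid", "drop"),
    ("icmpv6", lambda p: p["in"] != "WAN" and p["proto"] == "icmpv6", "accept"),
    ("local network", lambda p: p["in"] != "WAN" and in_list(p["src"], ALLOWED), "accept"),
    ("drop everything else", lambda p: True, "drop"),
]


def evaluate(chain, pkt):
    """First matching rule decides; returns (action, rule comment)."""
    for comment, match, action in chain:
        if match(pkt):
            return action, comment
    return "accept", "no rule matched"  # chain default when nothing matches


def with_inbound_exception(chain, dst_net, position):
    """Return a copy of chain with an accept rule for dst_net inserted at position."""
    net = ipaddress.ip_network(dst_net)
    rule = ("inbound to " + dst_net, lambda p: in_list(p["dst"], [net]), "accept")
    new_chain = list(chain)
    new_chain.insert(position, rule)
    return new_chain


if __name__ == "__main__":
    # Constructed packets: unsolicited inbound TCP from the Internet to a LAN host.
    inbound = {"state": "new", "in": "WAN", "proto": "tcp",
               "src": "2001:db8:ffff::1", "dst": "2001:db8:1::10"}
    print(evaluate(FORWARD_CHAIN, inbound))                       # dropped by the last rule
    appended = with_inbound_exception(FORWARD_CHAIN, "2001:db8:1::/64", len(FORWARD_CHAIN))
    print(evaluate(appended, inbound))                            # still dropped: rule sits after drop
    moved = with_inbound_exception(FORWARD_CHAIN, "2001:db8:1::/64", len(FORWARD_CHAIN) - 1)
    print(evaluate(moved, inbound))                               # accepted once moved ahead of drop
```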

