Once the ISP delegates an IPv6 prefix and the router hands out addresses from it to the hosts on the LAN, every internal host ends up with a globally routable (public) IPv6 address. That brings a security problem: any host on the Internet can reach your internal hosts directly. With IPv4 the hosts sit behind NAT on the router, and what actually protected them was not the hidden private addresses but the stateful behaviour of NAT: an unsolicited inbound connection had no mapping and went nowhere. IPv6 has no NAT, so a firewall on the router that protects the hosts behind it is essential. The policy, in outline:
- accept established/related packets;
- drop invalid packets and log them;
- accept ICMPv6, except when it arrives on the WAN (upstream) interface;
- accept connections from internal clients to the Internet;
- drop everything else.
First define an address list. It holds the link-local range, the link-local multicast range and the IPv6 prefix you were delegated (replace your_ipv6 with that prefix). RFC 4291 reserves fe80::/10 for link-local addresses; the post uses fe80::/16, which covers every link-local address seen in practice because they are all formed within fe80::/64.
/ipv6 firewall address-list
add address=fe80::/16 comment="link-local" list=allowed
add address=your_ipv6 comment="delegated prefix" list=allowed
add address=ff02::/16 comment="link-local multicast" list=allowed
The combination of bullets 1, 4 and 5 above is the important part: it allows traffic from the inside out while refusing connections initiated from the outside in, so the IPv6 hosts on the LAN cannot be reached by unsolicited external traffic. The rules:
/ipv6 firewall filter
add action=accept chain=forward comment="established,related" connection-state=established,related
add action=drop chain=forward comment="invalid" connection-state=invalid log=yes log-prefix="ipv6,invalid"
add action=accept chain=forward comment="icmpv6" in-interface=!WAN protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!WAN src-address-list=allowed
add action=drop chain=forward log-prefix="IPV6"
This is a one-way IPv6 policy for the LAN hosts: connections can be opened from inside to outside, never from outside in. Once you understand it, the same unidirectional pattern applies just as well to an IPv4 firewall. Two details worth knowing: the ICMPv6 rule only matches packets arriving on non-WAN interfaces, so unsolicited ICMPv6 from the Internet (an echo request, for example) is dropped, while ICMPv6 errors that belong to an existing flow, such as Packet Too Big for path MTU discovery, still pass through the established/related rule; and the final drop rule sets log-prefix but not log=yes, so it logs nothing unless you add log=yes to it.
If a particular IPv6 prefix on the LAN has to be reachable from outside, insert an accept rule for that destination prefix (the example uses the documentation prefix 2001:db8:1::/64; substitute your own) in front of the final drop-all rule. Be aware that a rule matching only dst-address opens every host and every port in that prefix from every interface; in practice also match in-interface=WAN, protocol and dst-port so that only the intended service is exposed.
[admin@MikroTik] /ipv6 firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; allow established and related
chain=input action=accept connection-state=established,related log=no log-prefix=""
1 ;;; accept ICMPv6
chain=input action=accept protocol=icmpv6 log=no log-prefix=""
2 ;;; defconf: accept UDP traceroute
chain=input action=accept protocol=udp port=33434-33534 log=no log-prefix=""
3 ;;; accept DHCPv6-Client prefix delegation.
chain=input action=accept protocol=udp src-address=fe80::/16 dst-port=546 log=no log-prefix=""
4 chain=input action=drop src-address=fe80::/16 in-interface=pppoe-out2 log=yes log-prefix="dropLL_from_public"
5 ;;; allow allowed addresses
chain=input action=accept src-address-list=allowed log=no log-prefix=""
6 chain=input action=drop log=no log-prefix=""
7 ;;; established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
8 ;;; invalid
chain=forward action=drop connection-state=invalid log=yes log-prefix="ipv6,invalid"
9 ;;; icmpv6
chain=forward action=accept protocol=icmpv6 in-interface=!WAN log=no log-prefix=""
10 ;;; local network
chain=forward action=accept in-interface=!WAN src-address-list=allowed log=no log-prefix=""
11 chain=forward action=drop log=no log-prefix="IPV6"
[admin@MikroTik] /ipv6 firewall filter> add action=accept chain=forward dst-address=2001:db8:1::1/64
[admin@MikroTik] /ipv6 firewall filter> move 12 11
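As an added example (not part of the original post and not MikroTik's default configuration), the same inbound exception is shown below next to a narrowed version that exposes one host and one service only, and that is placed above the final drop with place-before instead of a manual move after print. It assumes the upstream interface is named WAN, as in the forward rules above (the transcript also shows pppoe-out2; use whichever name is real on your router), that the delegated prefix is 2001:db8:1::/64, and that the host to expose is 2001:db8:1::10 serving HTTPS on TCP 443. All three are placeholders to replace.

```routeros
# Added example, not from the original post. Assumptions: the upstream interface
# is named WAN, the delegated prefix is 2001:db8:1::/64 (documentation prefix,
# replace it), and the host to expose is 2001:db8:1::10 serving HTTPS on TCP 443.

/ipv6 firewall filter

# Weak form (what the post adds): no in-interface, protocol or port match, so
# every host and every port in the whole /64 becomes reachable from any interface.
# add action=accept chain=forward dst-address=2001:db8:1::/64

# Give the final drop rule a comment so it can be addressed by name. Print indexes
# such as "move 12 11" shift whenever a rule is added or removed.
set [find chain=forward action=drop log-prefix="IPV6"] comment="drop everything else"

# Hardened form: one host, one service, first packet of a new connection only,
# and only when it arrives on the upstream interface. Replies and the rest of
# the flow are already admitted by the established,related rule above.
add action=accept chain=forward comment="inbound https to 2001:db8:1::10" \
    in-interface=WAN protocol=tcp dst-address=2001:db8:1::10/128 dst-port=443 \
    connection-state=new \
    place-before=[find chain=forward comment="drop everything else"]

# Verify the order: the accept must print directly above the final drop,
# otherwise the drop matches first and the service stays unreachable.
print where chain=forward
```

Everything else destined to the /64 still falls through to the final drop, and unsolicited ICMPv6 from the Internet to the exposed host is still refused by the in-interface=!WAN ICMPv6 rule; if you need the host to answer pings from outside, add a separate forward rule for protocol=icmpv6 icmp-options=128:0 to that one address rather than widening the rule above.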