я бегу OpenVPN 2.4.0
на Ubuntu 17.04
, Эта настройка работает нормально и уже описана здесь https://serverfault.com/q/887243
.
Проблема возникает, когда я пытаюсь загрузить правила ip6tables с помощью следующего скрипта. В этот момент я не могу ping6 ipv6.google.com
больше. Кроме того, ipv6 тестирует через такие сервисы, как http://ipv6-test.com/
и http://test-ipv6.com/
терпят неудачу во всех тестах ipv6, но если я сброшу все правила ip6table, эти тесты и ping6 ipv6.google.com
добиться успеха. Поэтому я думаю, что проблема в следующих правилах, но не знаю где.
#!/bin/bash
vpn_ipv4="10.8.0.0"
vpn_ipv6="2001:xxxx:y:abcd::1"
server_ipv4="w.x.y.z"
server_ipv6="2001:xxxx:1:zzzz::1"
server_if="enp1s0"
iptables_cmd="/sbin/ip6tables"
#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
#sysctl -w net/ipv4/ip_forward=1
#sysctl sys.net.ipv6.conf.all.forwarding=1
# Flush all rules
ip6tables -F FORWARD
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -X
#Drop all packets by default
#ip6tables -P INPUT DROP
#Temporarily remove the previous drop rule
#ip6tables -D INPUT -j DROP
#Accept all packets by default
ip6tables -P INPUT ACCEPT
#Allow current active connections
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#Allow Loopback traffic and place this rules
#as the very first rule of the INPUT chain.
ip6tables -I INPUT 1 -i lo -j ACCEPT
#FTP
ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#SSH
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
#SMTP
ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
#DNS
ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
#HTTP
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
#IMAP
ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
#HTTPS
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
#SMTPS
ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT
#Submission
ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT
#IMAPS
ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT
#WEB-DAV
ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
#OpenVPN
#Allow the tcp connection on the openvpn port
ip6tables -A INPUT -i enp1s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
#Allow everything from within your VPN
#Allow TUN interface connections to OpenVPN server
ip6tables -A INPUT -i tun+ -j ACCEPT
#Allow TUN interface connections to be forwarded through other interfaces
ip6tables -A FORWARD -i tun+ -j ACCEPT
ip6tables -A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i enp1s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
#NAT the VPN client traffic to the Internet. Change the ip address mask
#according to your info of tun0 result while running "ifconfig" command.
#Use MASQUERADE when we do not know the public ip address (dadsl ynamic addresses)
#ip6tables -t nat -A POSTROUTING -s 2001:xxxx:y:abcd::1/64 -o enp1s0 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s 2001:xxxx:y:abcd::/64 -o enp1s0 -j MASQUERADE
#Use SNAT when we know the public ip address (static addresses)
#ip6tables -t nat -A POSTROUTING -s $vpn_ipv6/64 -o enp1s0 -j SNAT --to-source $server_ipv6
#OnyiIf default ip6tables OUTPUT value is not ACCEPT
#ip6tables -A OUTPUT -o tun+ -j ACCEPT
#Allow incoming ICMP PING
#https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-codes-6
#ip6tables -p ipv6-icmp -h
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -s 0/0 -d $server_ipv6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Logging
ip6tables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "ip6tables denied: " --log-level 7
#Drop remaining packets. Only needed if first rule is not drop by default.
ip6tables -A INPUT -j DROP
Вкратце, это основной файл конфигурации OpenVPN:
local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun
tun-ipv6
ifconfig-ipv6 2001:xxxx:y:abcd::1 2001:xxxx:y:abcd::2
ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key
dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:xxxx:y:abcd::/64
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
;push "redirect-gateway-ipv6 def1 bypass-dhcp-ipv6"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS w1.x1.y1.z1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS nameserver 2001:4860:4860::8888"
push "dhcp-option DNS nameserver 2001:4860:4860::8844"
push "dhcp-option DOMAIN-SEARCH example.com"
push "route-ipv6 2001:xxxx:y:8ade::/64"
push "route-ipv6 2000::/3"
tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
auth SHA512
crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem
cipher AES-256-GCM
compress lz4
user nobody
group nogroup
;client-to-client
verify-client-cert require
remote-cert-tls client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
client-connect /etc/openvpn/scripts/connect.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
management /run/openvpn/openvpn.sock unix pw-management-file
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
max-clients 5
Это конфигурация сетевых интерфейсов:
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet w.x.y.z netmask 255.255.255.0 broadcast w.x.y.255
inet6 fe80::xxx:yyyy:zzzz:24f2 prefixlen 64 scopeid 0x20<link>
inet6 2001:xxxx:1:zzzz::1 prefixlen 128 scopeid 0x0<global>
ether aa:bb:cc:dd:ee:ff txqueuelen 1000 (Ethernet)
RX packets 68711957 bytes 17404677376 (17.4 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11570407 bytes 4045695904 (4.0 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xfbce0000-fbd00000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 7069763 bytes 5800523658 (5.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7069763 bytes 5800523658 (5.8 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::xxxx:yyyy:zzzz:e621 prefixlen 64 scopeid 0x20<link>
inet6 2001:xxxx:y:abcd::1 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 17574 bytes 2074557 (2.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16852 bytes 7690971 (7.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Это правила ipv4 iptables, которые, похоже, работают нормально:
#!/bin/bash
# https://gist.githubusercontent.com/jirutka/3742890/raw/c9f6bdbfcf597578e562c92ea1e256a9ebcf3a2c/rules-ipv4.iptables
hwaddrs=('aa:bb:cc:dd:ee:ff' 'a1:b1:c1:d1:e1:f1')
vpn_ipv4="10.8.0.0"
server_ipv4="w.x.y.z"
server_if="enp1s0"
iptables_cmd="/sbin/iptables"
#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
#sysctl -w net/ipv4/ip_forward=1
#sysctl sys.net.ipv6.conf.all.forwarding=1
# Flush all rules
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -F SSHBRUTE
iptables -F ICMPFLOOD
iptables -X
# Drop all packets by default
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
# Temporarily remove the previous drop rule
#iptables -D INPUT -j DROP
# Accept all packets by default
iptables -P INPUT ACCEPT
# Allow current active connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop non-conforming packets, such as malformed headers, etc.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Block remote packets claiming to be from a loopback address.
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# Drop all packets that are going to broadcast, multicast or anycast address.
iptables -A INPUT -m addrtype --dst-type BROADCAST -j DROP
iptables -A INPUT -m addrtype --dst-type MULTICAST -j DROP
iptables -A INPUT -m addrtype --dst-type ANYCAST -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops
# incomming connections from that host. Beyond a burst of 100 connections we
# log at up 1 attempt per second to prevent filling of logs.
iptables -N SSHBRUTE
iptables -A SSHBRUTE -m recent --name SSH --set
iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
iptables -A SSHBRUTE -j ACCEPT
# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source.
iptables -N ICMPFLOOD
iptables -A ICMPFLOOD -m recent --set --name ICMP --rsource
iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
iptables -A ICMPFLOOD -j ACCEPT
# Allow Loopback traffic and place this rules
# as the very first rule of the INPUT chain.
iptables -I INPUT 1 -i lo -j ACCEPT
#iptables -I OUTPUT 1 -o lo -j ACCEPT
# FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# SSH
for i in "${hwaddrs[@]}"
do
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source $i -j ACCEPT
done
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
# brute-force attacks.
iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
# SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# IMAP
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SMTPS
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
# Submission
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
# IMAPS
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# WEB-DAV
iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
# OpenVPN
# Allow the udp connection on the openvpn port
iptables -A INPUT -i enp1s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
# Allow everything from within your VPN
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp1s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# Block client-to-client routing on the VPN
iptables -A FORWARD -i tun+ -s $vpn_ipv4/24 -d $vpn_ipv4/24 -j DROP
# NAT the VPN client traffic to the Internet. Change the ip address mask
# according to your info of tun0 result while running "ifconfig" command.
# ** Use MASQUERADE when we do not know the public ip address (dadsl ynamic addresses)
# iptables -t nat -A POSTROUTING -s $vpn_ipv4/24 -o enp1s0 -j MASQUERADE
# ** Use SNAT when we know the public ip address (static addresses)
iptables -t nat -A POSTROUTING -s $vpn_ipv4/24 -o enp1s0 -j SNAT --to-source $server_ipv4
# Only if default iptables OUTPUT value is not ACCEPT
#iptables -A OUTPUT -o tun+ -j ACCEPT
# Permit useful IMCP packet types.
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
iptables -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
# Allow incoming ICMP PING
# The Internet Control Message Protocol (ICMP) has many messages that are identified by
# a “type” field. You need to use 0 and 8 ICMP code types.
# => Zero (0) is for echo-reply
# => Eight (8) is for echo-request.
# Help: /sbin/iptables -p icmp -h
# https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
#iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $server_ipv4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -p icmp --icmp-type 0 -s $server_ipv4 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Logging
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Do not log late replies from nameservers.
#iptables -A INPUT -p udp --sport 53 -j DROP
# Good practise is to explicately reject AUTH traffic so that it fails fast.
iptables -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# Prevent DOS by filling log files.
iptables -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
# Drop remaining packets. Only needed if first rule is not drop by default.
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
К настоящему времени я заменил ip6tables -t nat -A POSTROUTING -s $vpn_ipv6/64 -o enp1s0 -j SNAT --to-source $server_ipv6
по:
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
Но мне интересно, действительно ли мне нужно принимать все типы icmpv6.