Назад | Перейти на главную страницу

OpenVPN ipv6 работает нормально, пока я не загружу правила ip6tables

я бегу OpenVPN 2.4.0 на Ubuntu 17.04, Эта настройка работает нормально и уже описана здесь https://serverfault.com/q/887243.

Проблема возникает, когда я пытаюсь загрузить правила ip6tables с помощью следующего скрипта. В этот момент я не могу ping6 ipv6.google.com больше. Кроме того, ipv6 тестирует через такие сервисы, как http://ipv6-test.com/ и http://test-ipv6.com/ терпят неудачу во всех тестах ipv6, но если я сброшу все правила ip6table, эти тесты и ping6 ipv6.google.com добиться успеха. Поэтому я думаю, что проблема в следующих правилах, но не знаю где.

#!/bin/bash

vpn_ipv4="10.8.0.0"
vpn_ipv6="2001:xxxx:y:abcd::1"
server_ipv4="w.x.y.z"
server_ipv6="2001:xxxx:1:zzzz::1"
server_if="enp1s0"

iptables_cmd="/sbin/ip6tables"

#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
#sysctl -w net/ipv4/ip_forward=1

#sysctl sys.net.ipv6.conf.all.forwarding=1

# Flush all rules
ip6tables -F FORWARD
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -X

#Drop all packets by default
#ip6tables -P INPUT DROP

#Temporarily remove the previous drop rule
#ip6tables -D INPUT -j DROP

#Accept all packets by default
ip6tables -P INPUT ACCEPT

#Allow current active connections
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow Loopback traffic and place this rules
#as the very first rule of the INPUT chain.
ip6tables -I INPUT 1 -i lo -j ACCEPT

#FTP
ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#SSH
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
#SMTP
ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
#DNS
ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
#HTTP
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
#IMAP
ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
#HTTPS
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
#SMTPS
ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT
#Submission
ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT
#IMAPS
ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT
#WEB-DAV
ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
#OpenVPN
#Allow the tcp connection on the openvpn port
ip6tables -A INPUT -i enp1s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

#Allow everything from within your VPN
#Allow TUN interface connections to OpenVPN server
ip6tables -A INPUT -i tun+ -j ACCEPT

#Allow TUN interface connections to be forwarded through other interfaces
ip6tables -A FORWARD -i tun+ -j ACCEPT
ip6tables -A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i enp1s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

#NAT the VPN client traffic to the Internet. Change the ip address mask
#according to your info of tun0 result while running "ifconfig" command.
#Use MASQUERADE when we do not know the public ip address (dadsl ynamic addresses)
#ip6tables -t nat -A POSTROUTING -s 2001:xxxx:y:abcd::1/64 -o enp1s0 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s 2001:xxxx:y:abcd::/64 -o enp1s0 -j MASQUERADE
#Use SNAT when we know the public ip address (static addresses)
#ip6tables -t nat -A POSTROUTING -s $vpn_ipv6/64 -o enp1s0 -j SNAT --to-source $server_ipv6


#OnyiIf default ip6tables OUTPUT value is not ACCEPT
#ip6tables -A OUTPUT -o tun+ -j ACCEPT


#Allow incoming ICMP PING
#https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-codes-6
#ip6tables -p ipv6-icmp -h
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -s 0/0 -d $server_ipv6 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Logging
ip6tables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "ip6tables denied: " --log-level 7

#Drop remaining packets. Only needed if first rule is not drop by default.
ip6tables -A INPUT -j DROP

Вкратце, это основной файл конфигурации OpenVPN:

local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun
tun-ipv6

ifconfig-ipv6 2001:xxxx:y:abcd::1 2001:xxxx:y:abcd::2

ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key
dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem

topology subnet

server 10.8.0.0 255.255.255.0
server-ipv6 2001:xxxx:y:abcd::/64

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
;push "redirect-gateway-ipv6 def1 bypass-dhcp-ipv6"

push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS w1.x1.y1.z1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS nameserver 2001:4860:4860::8888"
push "dhcp-option DNS nameserver 2001:4860:4860::8844"
push "dhcp-option DOMAIN-SEARCH example.com"

push "route-ipv6 2001:xxxx:y:8ade::/64"
push "route-ipv6 2000::/3"

tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
auth SHA512

crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem
cipher AES-256-GCM

compress lz4
user nobody
group nogroup

;client-to-client
verify-client-cert require

remote-cert-tls client

username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
client-connect /etc/openvpn/scripts/connect.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh

management /run/openvpn/openvpn.sock unix pw-management-file

keepalive 10 120
persist-key
persist-tun

status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log

verb 3
explicit-exit-notify 1
max-clients 5

Это конфигурация сетевых интерфейсов:

enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet w.x.y.z  netmask 255.255.255.0  broadcast w.x.y.255
        inet6 fe80::xxx:yyyy:zzzz:24f2  prefixlen 64  scopeid 0x20<link>
        inet6 2001:xxxx:1:zzzz::1  prefixlen 128  scopeid 0x0<global>
        ether aa:bb:cc:dd:ee:ff  txqueuelen 1000  (Ethernet)
        RX packets 68711957  bytes 17404677376 (17.4 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11570407  bytes 4045695904 (4.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xfbce0000-fbd00000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 7069763  bytes 5800523658 (5.8 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7069763  bytes 5800523658 (5.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::xxxx:yyyy:zzzz:e621  prefixlen 64  scopeid 0x20<link>
        inet6 2001:xxxx:y:abcd::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 17574  bytes 2074557 (2.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16852  bytes 7690971 (7.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Это правила ipv4 iptables, которые, похоже, работают нормально:

#!/bin/bash

# https://gist.githubusercontent.com/jirutka/3742890/raw/c9f6bdbfcf597578e562c92ea1e256a9ebcf3a2c/rules-ipv4.iptables

hwaddrs=('aa:bb:cc:dd:ee:ff' 'a1:b1:c1:d1:e1:f1')
vpn_ipv4="10.8.0.0"
server_ipv4="w.x.y.z"
server_if="enp1s0"

iptables_cmd="/sbin/iptables"

#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
#sysctl -w net/ipv4/ip_forward=1

#sysctl sys.net.ipv6.conf.all.forwarding=1

# Flush all rules
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT

iptables -F SSHBRUTE
iptables -F ICMPFLOOD

iptables -X

# Drop all packets by default
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

# Temporarily remove the previous drop rule
#iptables -D INPUT -j DROP

# Accept all packets by default
iptables -P INPUT ACCEPT

# Allow current active connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop non-conforming packets, such as malformed headers, etc.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Block remote packets claiming to be from a loopback address.
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# Drop all packets that are going to broadcast, multicast or anycast address.
iptables -A INPUT -m addrtype --dst-type BROADCAST -j DROP
iptables -A INPUT -m addrtype --dst-type MULTICAST -j DROP
iptables -A INPUT -m addrtype --dst-type ANYCAST -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP

# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops 
# incomming connections from that host. Beyond a burst of 100 connections we 
# log at up 1 attempt per second to prevent filling of logs.
iptables -N SSHBRUTE
iptables -A SSHBRUTE -m recent --name SSH --set
iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
iptables -A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
iptables -A SSHBRUTE -j ACCEPT

# Chain for preventing ping flooding - up to 6 pings per second from a single 
# source, again with log limiting. Also prevents us from ICMP REPLY flooding 
# some victim when replying to ICMP ECHO from a spoofed source.
iptables -N ICMPFLOOD
iptables -A ICMPFLOOD -m recent --set --name ICMP --rsource
iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
iptables -A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
iptables -A ICMPFLOOD -j ACCEPT

# Allow Loopback traffic and place this rules
# as the very first rule of the INPUT chain.
iptables -I INPUT 1 -i lo -j ACCEPT
#iptables -I OUTPUT 1 -o lo -j ACCEPT

# FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# SSH
for i in "${hwaddrs[@]}"
do
    iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source $i -j ACCEPT
done
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing 
# brute-force attacks.
iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
# SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# IMAP
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SMTPS
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
# Submission
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
# IMAPS
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# WEB-DAV
iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
# OpenVPN
# Allow the udp connection on the openvpn port
iptables -A INPUT -i enp1s0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

# Allow everything from within your VPN
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp1s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block client-to-client routing on the VPN
iptables -A FORWARD -i tun+ -s $vpn_ipv4/24 -d $vpn_ipv4/24 -j DROP

# NAT the VPN client traffic to the Internet. Change the ip address mask
# according to your info of tun0 result while running "ifconfig" command.
# ** Use MASQUERADE when we do not know the public ip address (dadsl ynamic addresses)
# iptables -t nat -A POSTROUTING -s $vpn_ipv4/24 -o enp1s0 -j MASQUERADE
# ** Use SNAT when we know the public ip address (static addresses)
iptables -t nat -A POSTROUTING -s $vpn_ipv4/24 -o enp1s0 -j SNAT --to-source $server_ipv4

# Only if default iptables OUTPUT value is not ACCEPT
#iptables -A OUTPUT -o tun+ -j ACCEPT

# Permit useful IMCP packet types.
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
iptables -A INPUT -p icmp --icmp-type 0  -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3  -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8  -m conntrack --ctstate NEW -j ICMPFLOOD
iptables -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT

# Allow incoming ICMP PING
# The Internet Control Message Protocol (ICMP) has many messages that are identified by 
# a “type” field. You need to use 0 and 8 ICMP code types.
#   => Zero (0) is for echo-reply
#   => Eight (8) is for echo-request.
# Help: /sbin/iptables -p icmp -h
# https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
#iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $server_ipv4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -p icmp --icmp-type 0 -s $server_ipv4 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Logging
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Do not log late replies from nameservers.
#iptables -A INPUT -p udp --sport 53 -j DROP

# Good practise is to explicately reject AUTH traffic so that it fails fast.
iptables -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset

# Prevent DOS by filling log files.
iptables -A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "

# Drop remaining packets. Only needed if first rule is not drop by default.
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

К настоящему времени я заменил ip6tables -t nat -A POSTROUTING -s $vpn_ipv6/64 -o enp1s0 -j SNAT --to-source $server_ipv6 по:

ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT

Но мне интересно, действительно ли мне нужно принимать все типы icmpv6.