Once the ISP delegates an IPv6 prefix and the router hands addresses from it to hosts on the LAN, every internal host ends up with a globally routable IPv6 address. That changes the exposure model: any host on the Internet can reach your machines directly, whereas with IPv4 the LAN sat behind NAT and only the router's public address was visible. NAT was never a real firewall, but hiding private addresses was a side effect of it; with IPv6 nothing hides the hosts, so a stateful filter on the router protecting the hosts behind it is essential. The policy is roughly:

  1. accept established/related packets;
  2. drop invalid packets and log them;
  3. accept ICMPv6 except when it arrives on the WAN (external) interface;
  4. accept connections from clients on the LAN to the Internet;
  5. drop everything else.


First define an address list containing the link-local prefix, the link-local multicast prefix and the IPv6 prefix you were delegated. (fe80::/16 and ff02::/16 are the usual shorthand; formally link-local is fe80::/10 and multicast is ff00::/8, but all link-local addresses seen in practice fall inside fe80::/16, and the multicast traffic a LAN needs for neighbour discovery and router advertisements is link-local scope, ff02::/16.)

/ipv6 firewall address-list
add address=fe80::/16 comment=link-local list=allowed
add address=<your_ipv6_prefix> comment="delegated prefix" list=allowed
add address=ff02::/16 comment=multicast list=allowed

Replace <your_ipv6_prefix> with the prefix the ISP delegated to you, e.g. the /64 your LAN uses.


The combination of rules 1, 4 and 5 is what matters: traffic initiated from the LAN toward the Internet is allowed and only the replies to it come back, while anything the Internet initiates toward the LAN is refused. That keeps the internal IPv6 network closed to unsolicited access from outside. WAN below is the name of the router's external interface (on the router whose output is shown further down it is the PPPoE interface pppoe-out2); substitute your own. The forward chain:

/ipv6 firewall filter
add action=accept chain=forward comment="established,related" connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix="ipv6,invalid"
add action=accept chain=forward comment=icmpv6 in-interface=!WAN protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!WAN src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6


This rule set is a one-directional IPv6 policy for LAN hosts: inside to outside only, never outside to inside. Because the ICMPv6 rule excludes the WAN interface, ICMPv6 error messages from the Internet (for example Packet Too Big, which path MTU discovery depends on) reach LAN hosts only through the established/related rule: connection tracking marks ICMP errors that belong to an existing flow as related, so they pass, while unsolicited echo requests to LAN hosts are dropped by the final rule. Once you understand the pattern, it applies unchanged to an IPv4 firewall as a one-way access policy; there too it is the stateful filter, not NAT, that provides the guarantee.


If a particular destination must be reachable from the outside, add an accept rule for that destination prefix, here 2001:db8:1::/64, in front of the final drop-all rule. Order matters: a rule created with add lands at the end of the chain, after the drop, where it can never match, so it has to be moved above the drop. In practice you would narrow such a rule to the single host (/128), the protocol and the destination port being published rather than opening the whole /64 on every port.

The full rule set on the router: rules 0 to 6 form the input chain, which protects the router itself (including accepting the DHCPv6 prefix-delegation replies on UDP 546 that arrive from the ISP's link-local address and dropping all other link-local traffic from the public interface), and rules 7 to 11 are the forward chain above.

[admin@MikroTik] /ipv6 firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; allow established and related
      chain=input action=accept connection-state=established,related log=no log-prefix=""
 1    ;;; accept ICMPv6
      chain=input action=accept protocol=icmpv6 log=no log-prefix=""
 2    ;;; defconf: accept UDP traceroute
      chain=input action=accept protocol=udp port=33434-33534 log=no log-prefix=""
 3    ;;; accept DHCPv6-Client prefix delegation.
      chain=input action=accept protocol=udp src-address=fe80::/16 dst-port=546 log=no log-prefix=""
 4    chain=input action=drop src-address=fe80::/16 in-interface=pppoe-out2 log=yes log-prefix="dropLL_from_public"
 5    ;;; allow allowed addresses
      chain=input action=accept src-address-list=allowed log=no log-prefix=""
 6    chain=input action=drop log=no log-prefix=""
 7    ;;; established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""
 8    ;;; invalid
      chain=forward action=drop connection-state=invalid log=yes log-prefix="ipv6,invalid"
 9    ;;; icmpv6
      chain=forward action=accept protocol=icmpv6 in-interface=!WAN log=no log-prefix=""
10    ;;; local network
      chain=forward action=accept in-interface=!WAN src-address-list=allowed log=no log-prefix=""
11    chain=forward action=drop log=no log-prefix="IPV6"
[admin@MikroTik] /ipv6 firewall filter> add action=accept chain=forward dst-address=2001:db8:1::/64
[admin@MikroTik] /ipv6 firewall filter> move 12 11

The new rule is created as number 12, after the drop; move 12 11 places it at position 11 so the drop becomes 12 and the pinhole is evaluated first.
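The ordering argument above can be checked offline with a small first-match model of the forward chain. The following is an added example, not RouterOS code and not from the original post: it reproduces only the match semantics the page relies on (connection-state, in-interface=!WAN, protocol, address lists, first match wins, and the move command), runs the constructed packets through the chain, and shows that a pinhole appended after the final drop is dead until it is moved in front of it. The LAN prefix 2001:db8:1::/64, the host 2001:db8:1::10, the interface names and every packet are assumptions; the pinhole is written the narrowed way (one host, one port) rather than for the whole /64.

```python
"""Toy first-match model of the page's RouterOS IPv6 forward chain (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_PREFIX = ipaddress.ip_network("2001:db8:1::/64")   # assumed delegated prefix
ALLOWED = [ipaddress.ip_network("fe80::/16"), LAN_PREFIX,
           ipaddress.ip_network("ff02::/16")]          # the page's "allowed" address list


@dataclass
class Rule:
    action: str                                   # "accept" or "drop"
    comment: str = ""
    connection_state: Optional[set] = None        # e.g. {"established", "related"}
    in_interface: Optional[str] = None            # "WAN" or negated "!WAN"
    protocol: Optional[str] = None                # "icmpv6", "tcp", ...
    src_address_list: Optional[list] = None       # list of IPv6Network
    dst_address: Optional[ipaddress.IPv6Network] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """Every specified matcher must hold; unspecified matchers match anything."""
        if self.connection_state and pkt["state"] not in self.connection_state:
            return False
        if self.in_interface:
            negate = self.in_interface.startswith("!")
            name = self.in_interface.lstrip("!")
            if (pkt["in_interface"] == name) == negate:
                return False
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        src = ipaddress.ip_address(pkt["src"])
        if self.src_address_list and not any(src in n for n in self.src_address_list):
            return False
        if self.dst_address and ipaddress.ip_address(pkt["dst"]) not in self.dst_address:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def forward_chain() -> list:
    """Rules 7-11 of the page's print output, in the same order."""
    return [
        Rule("accept", "established,related", connection_state={"established", "related"}),
        Rule("drop", "invalid", connection_state={"invalid"}),
        Rule("accept", "icmpv6", in_interface="!WAN", protocol="icmpv6"),
        Rule("accept", "local network", in_interface="!WAN", src_address_list=ALLOWED),
        Rule("drop", "drop everything else"),
    ]


def evaluate(chain: list, pkt: dict):
    """First matching rule decides; RouterOS accepts when no rule in a chain matches."""
    for idx, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.action, idx
    return "accept", None


def move(chain: list, src: int, dst: int) -> None:
    """Mimic '/ipv6 firewall filter move src dst': put rule src in front of rule dst."""
    rule = chain.pop(src)
    chain.insert(dst if src > dst else dst - 1, rule)


def demo() -> dict:
    """Run constructed packets through the chain before and after the pinhole move."""
    chain = forward_chain()
    lan_host = "2001:db8:1::10"
    outside = "2001:db8:ffff::1"
    pkts = {
        # LAN host opening a connection to the Internet
        "lan_to_internet": {"state": "new", "in_interface": "bridge", "protocol": "tcp",
                            "src": lan_host, "dst": "2001:4860:4860::8888", "dst_port": 443},
        # replies to that connection, tracked as established
        "reply_from_internet": {"state": "established", "in_interface": "WAN", "protocol": "tcp",
                                "src": "2001:4860:4860::8888", "dst": lan_host, "dst_port": 51000},
        # unsolicited inbound SYN from the Internet
        "unsolicited_inbound": {"state": "new", "in_interface": "WAN", "protocol": "tcp",
                                "src": outside, "dst": lan_host, "dst_port": 22},
        # ICMPv6 Packet Too Big tied to an existing flow: conntrack marks it related
        "ptb_related": {"state": "related", "in_interface": "WAN", "protocol": "icmpv6",
                        "src": outside, "dst": lan_host},
        # unsolicited ICMPv6 echo request from the Internet
        "ping_from_internet": {"state": "new", "in_interface": "WAN", "protocol": "icmpv6",
                               "src": outside, "dst": lan_host},
    }
    results = {name: evaluate(chain, p) for name, p in pkts.items()}

    # Pinhole for a published service, narrowed to one host and one port
    chain.append(Rule("accept", "https pinhole", in_interface="WAN", protocol="tcp",
                      dst_address=ipaddress.ip_network(lan_host + "/128"), dst_port=443))
    inbound_https = {"state": "new", "in_interface": "WAN", "protocol": "tcp",
                     "src": outside, "dst": lan_host, "dst_port": 443}
    results["https_before_move"] = evaluate(chain, inbound_https)  # drop wins: rule is dead
    move(chain, 5, 4)                                              # the page's 'move 12 11'
    results["https_after_move"] = evaluate(chain, inbound_https)
    results["ssh_after_move"] = evaluate(chain, pkts["unsolicited_inbound"])
    return results


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:22s} -> {action} (rule {idx})")
```

Indices in the model are forward-chain relative (0 to 4), so the page's move 12 11 becomes move(chain, 5, 4). The model deliberately trusts the state field as given; on the router it is connection tracking that decides whether an inbound packet is established, related or new, which is exactly why the established/related rule must come first.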