Author: dowbatw (Dowbatw)
Board: IPv6
Title: [Question] gw6c configured on router, clients cannot connect
Time: Fri Oct 24 17:56:31 2014
Hi all,
I have installed and configured gw6c on my AP (OpenWrt),
connecting to Chunghwa Telecom's tunnel broker to obtain an IPv6 address.
On the router itself, ping6 ipv6.google.com works without problems:
traceroute to ipv6.l.google.com (2404:6800:4008:c03::8b) from
2001:b020:0:71::281, 30 hops max, 16 byte packets
1 2001:b020:0:71::280 2.227 ms
2 2001:b020:0:24::254 2.099 ms
3 2001:b000:80:4:3011:3315:1:a 2.447 ms
4 2001:b000:80:3:80:81:3:1 2.999 ms
5 2001:b000:81:4:3201:3302:4:b 6.009 ms
6 2001:4860:1:1:0:d86:0:1a 3.505 ms
7 2001:4860::1:0:73ac 17.34 ms
8 2001:4860::8:0:73ad 11.252 ms
9 2001:4860::2:0:5046 34.833 ms
10 *
11 2404:6800:4008:c03::8b 9.448 ms
gw6c is also configured with ifprefix set to the LAN (br-lan), i.e. it advertises the obtained prefix to the devices on the LAN,
so my PC's network adapter currently shows the following addresses:
IPv6 Address: 2001:b000:a:e:7850:fcd6:b5ce:1bac
IPv6 Address: fdb1:5979:7760::735
IPv6 Address: fdb1:5979:7760:0:7850:fcd6:b5ce:1bac
Temporary IPv6 Address: 2001:b000:a:e:9cbd:5445:da23:707e
Temporary IPv6 Address: fdb1:5979:7760:0:74dd:772e:1094:b49a
Link-Local IPv6 Address: fe80:7850:fcd6:b5ce:1bac%4
Default Gateway: fe80:126f:3fff:fe02:3dd6%4
DNS Servers: 2001:b000:a:2:1
On the PC:
ping ipv6.google.com shows Destination port unreachable
tracert -d -6 shows Destination protocol unreachable
I have no idea what is going on.
I tried temporarily turning the firewall off to test; the result was the same.
Posting here in the hope that someone can clear this up.
--
※ Posted from: PTT (ptt.cc), from: 140.112.230.135
※ Article URL: http://webptt.com/cn.aspx?n=bbs/IPv6/M.1414144595.A.524.html
1F:→ danny8376: Which OpenWrt version? Possibly IPv6 forwarding is not set up properly 10/24 23:41
2F:→ dowbatw: Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530) 10/24 23:55
This is the radvd configuration that gw6c generated automatically:
##### rtadvd.conf made by Gateway6 Client ####
interface br-lan
{
AdvSendAdvert on;
prefix 2001:b000:000a:000e::/64
{
AdvOnLink on;
AdvAutonomous on;
};
};
gw6c execution log
2014/10/24 23:38:21 I gw6c: /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
2014/10/24 23:38:21 I gw6c: net.ipv6.conf.all.forwarding = 1
2014/10/24 23:38:21 I gw6c: /usr/sbin/radvd -p /var/run/radvd.pid -C /tmp/gw6c-radvd.conf
And this is the packet capture I took on the router (tcpdump -i br-lan -vv ip6)
while the PC was pinging ipv6.google.com:
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 65535 bytes
00:24:20.307314 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 50
00:24:20.307675 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 >
2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:21.309425 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 51
00:24:21.309721 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 >
2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:22.312397 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 52
00:24:22.312691 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 >
2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:22.433005 IP6 (hlim 1, next-header UDP (17) payload length: 154)
fe80::7850:fcd6:b5ce:1bac.55817 > ff02::c.1900: [udp sum ok] UDP, length 146
00:24:23.315871 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 53
00:24:23.316160 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 >
2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:23.454334 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::c: HBH (rtalert: 0x0000) (padn) [icmp6 sum
ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::c
00:24:23.454430 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::1:3: HBH (rtalert: 0x0000) (padn) [icmp6
sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:3
00:24:23.454589 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::1:ffce:1bac: HBH (rtalert: 0x0000) (padn)
[icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr:
ff02::1:ffce:1bac
00:24:25.432870 IP6 (hlim 1, next-header UDP (17) payload length: 154)
fe80::7850:fcd6:b5ce:1bac.55817 > ff02::c.1900: [udp sum ok] UDP, length 146
00:24:25.454043 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::1:ff00:735: HBH (rtalert: 0x0000) (padn)
[icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr:
ff02::1:ff00:735
※ Edited: dowbatw (140.112.230.135), 10/25/2014 00:25:16
※ Edited: dowbatw (140.112.230.135), 10/25/2014 00:35:34
3F:→ danny8376: Looks like the router side cannot get out to google 10/25 01:52
4F:→ danny8376: Have you tried pinging google from the router? 10/25 01:53
5F:→ dowbatw: As mentioned above, ping from the router works fine 10/25 01:55
※ Edited: dowbatw (140.112.230.135), 10/25/2014 02:38:53
6F:→ dowbatw: Looks like something goes wrong between wan and the PC; no idea how to adjust it? 10/25 02:39
7F:推 danny8376: Then maybe take a look at ip6tables first 10/25 03:42
8F:→ danny8376: Check whether the forward part is not being allowed 10/25 03:43
9F:→ danny8376: By the way, did you forget to add the interface gogo6 uses to your firewall's wan zone? 10/25 03:46
10F:→ danny8376: (if untouched it should be sit1) 10/25 03:47
11F:→ dowbatw: Mine is tun, not sit; in the network config I bridged tun and wan 10/25 09:16
12F:→ dowbatw: together into br-wan 10/25 09:17
/etc/config/network
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option _orig_ifname 'eth0.1 wlan0'
option _orig_bridge 'true'
option ifname 'eth0.1 tun'
config interface 'wan'
option proto 'dhcp'
option _orig_ifname 'eth0.2'
option _orig_bridge 'true'
option type 'bridge'
option ifname 'eth0.2 tun'
config interface 'wan6'
option proto 'dhcp'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option type 'bridge'
option ifname 'eth0.2 tun'
/etc/config/firewall
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
※ Edited: dowbatw (140.112.230.135), 10/25/2014 09:23:41
13F:→ danny8376: How you configured it doesn't matter... 10/25 10:19
14F:→ danny8376: What ifconfig and ip6tables print is the actual configuration 10/25 10:19
15F:→ danny8376: Besides, bridging with wan is a pretty odd setup... 10/25 10:20
ifconfig
br-lan Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2001:b000:a:d::1/64 Scope:Global
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
inet6 addr: fdb1:5979:7760::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70199 errors:0 dropped:0 overruns:0 frame:0
TX packets:79433 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:37825616 (36.0 MiB) TX bytes:51010066 (48.6 MiB)
eth0 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:447605 errors:0 dropped:10 overruns:0 frame:0
TX packets:91849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:119217969 (113.6 MiB) TX bytes:56233397 (53.6 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23436 errors:0 dropped:2 overruns:0 frame:0
TX packets:27686 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11344259 (10.8 MiB) TX bytes:17254222 (16.4 MiB)
eth0.2 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet addr:140.112.230.135 Bcast:140.112.230.255 Mask:255.255.255.0
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:424109 errors:0 dropped:0 overruns:0 frame:0
TX packets:64152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:99812759 (95.1 MiB) TX bytes:38610658 (36.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:476 errors:0 dropped:0 overruns:0 frame:0
TX packets:476 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:51192 (49.9 KiB) TX bytes:51192 (49.9 KiB)
tun Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: 2001:b020:0:71::47f/128 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:2399 errors:0 dropped:83 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:200 (200.0 B) TX bytes:730504 (713.3 KiB)
wlan0 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48436 errors:0 dropped:0 overruns:0 frame:0
TX packets:57669 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27536078 (26.2 MiB) TX bytes:35613035 (33.9 MiB)
ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
delegate_input all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
delegate_output all anywhere anywhere
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all anywhere anywhere
/* user chain for forwarding */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
reject all anywhere anywhere
Chain delegate_input (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
input_rule all anywhere anywhere
/* user chain for input */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input all anywhere anywhere
zone_wan_input all anywhere anywhere
zone_wan_input all anywhere anywhere
Chain delegate_output (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
output_rule all anywhere anywhere
/* user chain for output */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_output all anywhere anywhere
zone_wan_output all anywhere anywhere
zone_wan_output all anywhere anywhere
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all anywhere anywhere
Chain zone_lan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all anywhere anywhere
/* user chain for forwarding */
zone_wan_dest_ACCEPT all anywhere anywhere
/* forwarding lan -> wan */
zone_lan_dest_ACCEPT all anywhere anywhere
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all anywhere anywhere
/* user chain for input */
zone_lan_src_ACCEPT all anywhere anywhere
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all anywhere anywhere
/* user chain for output */
zone_lan_dest_ACCEPT all anywhere anywhere
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain zone_wan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
Chain zone_wan_forward (2 references)
target prot opt source destination
forwarding_wan_rule all anywhere anywhere
/* user chain for forwarding */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type
/* Allow-ICMPv6-Forward */
zone_wan_dest_REJECT all anywhere anywhere
Chain zone_wan_input (2 references)
target prot opt source destination
input_wan_rule all anywhere anywhere
/* user chain for input */
ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client
/* Allow-DHCPv6 */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement
/* Allow-ICMPv6-Input */
zone_wan_src_REJECT all anywhere anywhere
Chain zone_wan_output (2 references)
target prot opt source destination
output_wan_rule all anywhere anywhere
/* user chain for output */
zone_wan_dest_ACCEPT all anywhere anywhere
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
ip6tables-save
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*nat
:PREROUTING ACCEPT [8489:2118004]
:INPUT ACCEPT [220:18732]
:OUTPUT ACCEPT [72:5117]
:POSTROUTING ACCEPT [377:23457]
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*raw
:PREROUTING ACCEPT [6740:1197649]
:OUTPUT ACCEPT [457:40178]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*mangle
:PREROUTING ACCEPT [6740:1197649]
:INPUT ACCEPT [275:20918]
:FORWARD ACCEPT [189:15796]
:OUTPUT ACCEPT [457:40178]
:POSTROUTING ACCEPT [495:42962]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment
--comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:936]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j
forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit
25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j
forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j
zone_wan_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j
input_lan_rule
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j
output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j
forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j
input_wan_rule
-A zone_wan_input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport
546 -m comment --comment Allow-DHCPv6 -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j
output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -j reject
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
※ Edited: dowbatw (140.112.230.135), 10/25/2014 15:56:11
16F:→ danny8376: There is no br-wan in ifconfig, which means your wan is not bridged 10/25 16:54
17F:→ danny8376: (the gogoc interface cannot be bridged, since it only appears after gw6c starts) 10/25 16:59
18F:→ dowbatw: Actually I changed it after reading your advice 10/25 18:28
19F:→ dowbatw: It is possible to have br-wan, I just didn't paste it. Still, that is ultimately not 10/25 18:29
20F:→ dowbatw: the point; I'm still looking at iptables 10/25 18:30
21F:→ dowbatw: I tried setting the top-level forward in iptables to accept, and the result 10/25 18:31
23F:→ danny8376: Do you know that iptables and ip6tables are different things... 10/25 18:56
24F:→ danny8376: IPv4 and IPv6 are two separate sets of iptables; their settings are unrelated 10/25 18:57
25F:→ dowbatw: Same thing, what I said above refers to the settings in ip6tables 10/25 19:57
26F:→ dowbatw: I just tried it: setting the top-level forward of the table to accept 10/25 19:59
27F:→ dowbatw: makes it work, but that is very dangerous 10/25 19:59
※ Edited: dowbatw (140.112.230.135), 10/25/2014 20:30:41
※ Edited: dowbatw (140.112.230.135), 10/25/2014 20:33:01
28F:→ danny8376: So as I said, the problem is that your firewall (forward) is not set correctly... 10/25 20:49
29F:→ danny8376: ip6tables -L -v shows the interfaces too, which makes the situation clearer 10/25 20:49
30F:→ danny8376: But mainly the lan>wan segment is being rejected 10/25 20:49
31F:→ danny8376: hence the dest unreachable reply 10/25 20:50
32F:→ danny8376: And please paste it on a pastebin or similar, otherwise the whole thread is way too long OTZ 10/25 20:51
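Added example, not part of the thread and not OpenWrt's or gw6c's own code: a small Python script that walks the posted ip6tables-save FORWARD chains the way the kernel would for the PC's echo request. It reproduces the diagnosis in 30F/31F (a lan -> tun packet never matches an accept rule, because the only egress device the wan zone knows is eth0.2, so it falls to the chain-end reject and the router answers icmp6-port-unreachable, exactly what the tcpdump shows), shows why the "forward = accept" workaround in 26F/27F is dangerous (unsolicited traffic arriving from the tunnel is forwarded into the LAN too), and checks a modelled fix in which the tunnel device is covered by the wan zone. The ruleset below is a constructed excerpt of the output in the thread; the added -i tun/-o tun rules are an assumption modelled on the existing eth0.2 rules, and the tracer matches only on -i, -o, -p and conntrack state.

```python
import shlex

# Constructed excerpt of the *filter table, modelled on the ip6tables-save output posted in the
# thread: only the FORWARD path is kept and the comment/limit matches are dropped.
IP6TABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j delegate_forward
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_forward -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp6-port-unreachable
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_forward -j zone_wan_dest_REJECT
COMMIT
"""
# Interfaces carrying a global-scope IPv6 address in the thread's ifconfig output.
GLOBAL_IFACES = {"br-lan", "tun"}
# The workaround from 26F/27F: the chain-end reject of delegate_forward turned into ACCEPT.
WORKAROUND_SAVE = IP6TABLES_SAVE.replace("-A delegate_forward -j reject",
                                         "-A delegate_forward -j ACCEPT")
# Assumed fix: the tunnel device covered by the wan zone. fw3 emits one -i/-o rule per zone
# device, so these mirror the existing eth0.2 rules (assumption, not output from the thread).
FIXED_SAVE = IP6TABLES_SAVE.replace(
    "-A delegate_forward -j reject",
    "-A delegate_forward -i tun -j zone_wan_forward\n-A delegate_forward -j reject").replace(
    "COMMIT", "-A zone_wan_dest_ACCEPT -o tun -j ACCEPT\n-A zone_wan_dest_REJECT -o tun -j reject\nCOMMIT")


def parse_filter(save_text):
    """Parse the *filter section: returns (builtin policies, chain -> ordered rule dicts)."""
    policies, chains, in_filter = {}, {}, False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":                      # user-defined chains carry "-" instead
                policies[name] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)                # keeps "forwarding lan -> wan" as one token
            rule = {"in": None, "out": None, "proto": None, "target": None,
                    "reject_with": None, "ctstate": "--ctstate" in tok}
            for flag, key in (("-i", "in"), ("-o", "out"), ("-p", "proto"),
                              ("-j", "target"), ("--reject-with", "reject_with")):
                if flag in tok:
                    rule[key] = tok[tok.index(flag) + 1]
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def trace_forward(save_text, in_iface, out_iface, proto="ipv6-icmp"):
    """Static walk of the FORWARD hook for a *new* packet, matching only -i, -o and -p.
    Conntrack rules never match a new flow; other matches (icmp type, limit) are assumed
    to match, which holds for the echo request seen in the thread's capture."""
    policies, chains = parse_filter(save_text)

    def walk(chain):
        for r in chains.get(chain, []):
            if r["ctstate"] or (r["in"] and r["in"] != in_iface) or \
               (r["out"] and r["out"] != out_iface) or (r["proto"] and r["proto"] != proto):
                continue
            if r["target"] in ("ACCEPT", "DROP"):
                return r["target"]
            if r["target"] == "REJECT":            # ip6tables default is icmp6-port-unreachable
                return "REJECT " + (r["reject_with"] or "icmp6-port-unreachable")
            verdict = walk(r["target"]) if r["target"] in chains else None
            if verdict:                            # None means the user chain returned
                return verdict
        return None

    return walk("FORWARD") or "policy " + policies.get("FORWARD", "ACCEPT")


def audit_forward(save_text, global_ifaces):
    """Findings for the FORWARD hook: an unconditional ACCEPT (or ACCEPT policy), or a
    global-address interface that no reachable rule ever accepts as egress."""
    policies, chains = parse_filter(save_text)
    reachable, stack = set(), ["FORWARD"]
    while stack:                                   # chains the kernel can enter from FORWARD
        name = stack.pop()
        if name not in reachable and name in chains:
            reachable.add(name)
            stack += [r["target"] for r in chains[name] if r["target"] in chains]
    rules = [(c, r) for c in sorted(reachable) for r in chains[c]]
    findings = [f"unconditional ACCEPT in {c}: every new packet is forwarded, whatever its egress"
                for c, r in rules if r["target"] == "ACCEPT"
                and not (r["in"] or r["out"] or r["proto"] or r["ctstate"])]
    if policies.get("FORWARD") == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT: unmatched packets are forwarded")
    if not findings:                               # only meaningful when nothing is wide open
        covered = {r["out"] for _, r in rules if r["target"] == "ACCEPT" and r["out"]}
        findings += [f"no reachable FORWARD rule accepts egress via {i}; lan -> {i} falls to the chain-end reject"
                     for i in sorted(set(global_ifaces) - covered)]
    return findings


if __name__ == "__main__":
    for label, rules in (("posted", IP6TABLES_SAVE), ("workaround", WORKAROUND_SAVE), ("fixed", FIXED_SAVE)):
        print(label, "| lan->tun:", trace_forward(rules, "br-lan", "tun"),
              "| tun->lan:", trace_forward(rules, "tun", "br-lan"), "|", audit_forward(rules, GLOBAL_IFACES))
```

On a real router the same check can be run over `ip6tables-save` output with the interface list taken from `ifconfig`; the point it makes is the one in 9F and 28F: the forward decision is per device, so the device gw6c creates (tun here) has to be listed in the wan zone, and the default forward target should stay at reject rather than being opened to accept.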