Troubleshooting notes: CentOS firewalld breaking an IPv6 tunnel
Background: BT Panel (宝塔) enables firewalld by default on CentOS 7.
First, the IPv6 connectivity on this host is relayed over an IPv4 tunnel (a sit interface, i.e. 6in4 encapsulation):
ip addr show sit1
5: sit1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/sit 0.0.0.0 peer 99.99.104.74
    inet6 2001:232:232:232::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::68e0:ab18/64 scope link
       valid_lft forever preferred_lft forever
But the active firewalld zone only covers the physical interfaces and a handful of services and ports:
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client http https ssh
  ports: 80/tcp 9086/tcp 9089/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="99.99.104.74" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="99.99.104.74" port port="80" protocol="udp" accept
        rule family="ipv6" source address="2005:232:232:232::2" port port="80" protocol="tcp" accept
        rule family="ipv6" source address="2005:232:232:232::2" port port="80" protocol="udp" accept
The problem: as soon as firewalld is started, every IPv6 service goes down.
Look at the zone dump again: it binds only eth0 and eth1, its protocols list is empty, and sit1 appears nowhere in it. The services, ports and rich rules above only match TCP and UDP, so neither the encapsulated tunnel traffic arriving on eth0 (IPv4 protocol 41) nor the decapsulated IPv6 traffic entering through sit1 is covered by any of them.
What to do at that point? The simplest fix was to add a rich rule that accepts traffic from the tunnel address:
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source address="2005:232:232:232::2" accept'
sudo firewall-cmd --reload
After the reload the IPv6 services came back.
Two caveats. First, that rich rule accepts everything from the given address with no port restriction, so it is effectively a per-host allow-list entry for the tunnel peer; keep it scoped to that single address and do not widen it to a prefix. Second, a narrower alternative to try first is to allow the encapsulation itself in the zone eth0 belongs to (firewall-cmd --permanent --zone=public --add-protocol=ipv6, which is IP protocol 41) and to bind the tunnel interface to a zone (firewall-cmd --permanent --zone=public --add-interface=sit1), then reload and confirm the result with firewall-cmd --list-all.
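As an added example (not code from the original post), the following POSIX shell script reads a `firewall-cmd --list-all` dump and reports what a 6in4 sit tunnel needs from the zone before firewalld is switched on: the underlay interface bound, IP protocol 41 accepted, the tunnel interface bound, and an ipv6-family accept rule for the tunnel peer. The two zone dumps, the function names and the interface and address values are constructed for this example; the "before" dump is modelled on the zone shown above and the "after" dump on the same zone with the fixes applied.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of a firewalld zone
# dump for a 6in4 (sit) tunnel. Dumps, names and values below are constructed.

# Constructed dump modelled on the post's zone: only ports/services, no protocol 41,
# no binding for the tunnel interface, no unrestricted accept for the tunnel peer.
ZONE_BEFORE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client http https ssh
  ports: 80/tcp 9086/tcp 9089/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="99.99.104.74" port port="80" protocol="tcp" accept
'

# Constructed dump of the same zone after the tunnel requirements were added.
ZONE_AFTER='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 sit1
  sources:
  services: dhcpv6-client http https ssh
  ports: 80/tcp 9086/tcp 9089/tcp
  protocols: ipv6
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv6" source address="2005:232:232:232::2" accept
'

# zone_field DUMP NAME: value of the "  NAME: ..." line (empty if the field is empty).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# has_word LIST WORD: succeeds if WORD appears in the space-separated LIST.
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tunnel_zone DUMP TUNNEL_IF UNDERLAY_IF PEER_V4 PEER_V6
# Prints one line per finding and returns the number of findings (0 = nothing to fix).
check_tunnel_zone() {
    dump=$1 tun=$2 under=$3 peer4=$4 peer6=$5
    n=0
    ifaces=$(zone_field "$dump" interfaces)
    protos=$(zone_field "$dump" protocols)

    # The encapsulated tunnel is IPv4 protocol 41 ("ipv6" in /etc/protocols) arriving on
    # the underlay interface; port and service entries never match it.
    if ! has_word "$ifaces" "$under"; then
        echo "FINDING: underlay $under is not bound to this zone"; n=$((n + 1))
    fi
    if ! has_word "$protos" ipv6 \
       && ! printf '%s\n' "$dump" | grep -q "family=\"ipv4\" source address=\"$peer4\" protocol value=\"ipv6\" accept"; then
        echo "FINDING: protocol 41 from $peer4 is not accepted (try --add-protocol=ipv6)"
        n=$((n + 1))
    fi

    # The decapsulated IPv6 packets enter through the sit interface, so it needs a zone
    # binding, and the remote end of the tunnel needs an ipv6-family accept rule.
    if ! has_word "$ifaces" "$tun"; then
        echo "FINDING: $tun is not bound to this zone (it falls back to the default zone)"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -q "family=\"ipv6\" source address=\"$peer6\" accept"; then
        echo "FINDING: no ipv6 accept rule for tunnel peer $peer6"; n=$((n + 1))
    fi
    return "$n"
}

# Usage: run the check against both constructed dumps (3 findings, then 0).
if check_tunnel_zone "$ZONE_BEFORE" sit1 eth0 99.99.104.74 2005:232:232:232::2; then
    echo "before: clean"
else
    echo "before: $? finding(s)"
fi
if check_tunnel_zone "$ZONE_AFTER" sit1 eth0 99.99.104.74 2005:232:232:232::2; then
    echo "after: clean"
else
    echo "after: $? finding(s)"
fi
```

On a real host, replace the constructed dumps with `firewall-cmd --list-all` output (for example `check_tunnel_zone "$(firewall-cmd --list-all)" sit1 eth0 <peer-v4> <peer-v6>`) and run it before `systemctl start firewalld`; the check only parses text and changes nothing.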