记录 centos firewall 引起ipv6隧道失效的故障排查

由于宝塔会在centos7 默认开启firewall 

首先ipv6 是由v4隧道中转过来的:

ip addr show sit1
5: sit1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
link/sit 0.0.0.0 peer 99.99.104.74
inet6 2001:232:232:232::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::68e0:ab18/64 scope link
valid_lft forever preferred_lft forever

 

但firewall 的管理监听端口是

firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: dhcpv6-client http https ssh
ports: 80/tcp 9086/tcp 9089/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="99.99.104.74" port port="80" protocol="tcp" accept
rule family="ipv4" source address="99.99.104.74" port port="80" protocol="udp" accept
rule family="ipv6" source address="2005:232:232:232::2" port port="80" protocol="tcp" accept
rule family="ipv6" source address="2005:232:232:232::2" port port="80" protocol="udp" accept

问题就是 启动

firewall,会导致ipv6 所有服务中断


这时候怎么办呢,最简单的办法:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source address="2005:232:232:232::2" accept'

sudo firewall-cmd --reload

然后ipv6服务就恢复了

posted @ 2023-08-16 16:01  千家诗  阅读(167)  评论(0编辑  收藏  举报