Disabling IPv6 ICMP Echo Replies on Linux

Linux hosts commonly turn off IPv4 ICMP echo replies to hinder host scanning and improve security.

# Temporarily disable ICMP echo replies (IPv4)
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable permanently
# Add the following line to /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all=1
sysctl -p

For IPv6 the way to disable ICMP echo replies is slightly different:

# Temporarily disable
echo 1 >/proc/sys/net/ipv6/icmp/echo_ignore_all

# Disable permanently
# Add the following line to /etc/sysctl.conf
net.ipv6.icmp.echo_ignore_all=1
sysctl -p

The method above depends on the kernel version: in my testing, kernel 4.15 does not support it, while 4.19 does.

If you want to disable IPv6 ICMP echo replies on an older kernel, you can try ip6tables instead:

ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
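As an added example (not from the original post), a small POSIX shell helper that picks between the sysctl and the ip6tables fallback from the running kernel version, prints the matching persistent commands, and reads back the live setting. It assumes 4.19 as the cutoff the author observed; the existence of the /proc file is the real check.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the
# net.ipv6.icmp.echo_ignore_all sysctl is available from kernel 4.19 on
# (matches the 4.15-vs-4.19 observation above); older kernels need ip6tables.

# Return 0 if "$1" (a `uname -r` string such as 4.15.0-200-generic) is >= 4.19.
kernel_at_least_4_19() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "${major:-0}" -gt 4 ] 2>/dev/null && return 0
    [ "${major:-0}" -eq 4 ] 2>/dev/null && [ "${minor:-0}" -ge 19 ]
}

# Print which mechanism fits the given kernel version: sysctl or ip6tables.
v6_ignore_method() {
    if kernel_at_least_4_19 "$1"; then echo sysctl; else echo ip6tables; fi
}

# Print the commands that make the setting persistent for that method.
# This only prints; review the output and run it as root yourself.
v6_ignore_commands() {
    case "$(v6_ignore_method "$1")" in
        sysctl)
            echo 'echo "net.ipv6.icmp.echo_ignore_all=1" >>/etc/sysctl.conf'
            echo 'sysctl -p' ;;
        ip6tables)
            echo 'ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP' ;;
    esac
}

# Read the live state without root: "1" means echo requests are ignored,
# "0" means replies are sent, "unsupported" means this kernel lacks the knob.
v6_ignore_state() {
    f=/proc/sys/net/ipv6/icmp/echo_ignore_all
    if [ -r "$f" ]; then cat "$f"; else echo unsupported; fi
}

echo "kernel $(uname -r): use $(v6_ignore_method "$(uname -r)")"
echo "current state: $(v6_ignore_state)"
v6_ignore_commands "$(uname -r)"
```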

Compared with IPv4, Linux's support for disabling IPv6 ICMP echo replies seems somewhat weaker. I suspect the reason is tied to the nature of IPv6; the following text is quoted from RFC 4890:

For Teredo tunneling [RFC4380] to IPv6 nodes on the site to be possible, it is essential that the connectivity checking messages are allowed through the firewall. It has been common practice in IPv4 networks to drop Echo Request messages in firewalls to minimize the risk of scanning attacks on the protected network. As discussed in Section 3.2, the risks from port scanning in an IPv6 network are much less severe, and it is not necessary to filter IPv6 Echo Request messages.

The enormous IPv6 address space makes IPv4-era ping sweeps largely ineffective, so filtering echo replies gains little, and the filtering itself may cause unexpected behaviour in some IPv6 services.

Posted 2022-12-31 15:23 by qjfoidnh