Bonjour, j'ai un serveur Debian 10 et j'aimerais essayer de le passer en full IPv6.
Mais impossible de pinger mon serveur, que ce soit depuis chez moi ou depuis des sites faits pour cela.
Voilà ma conf, car je pense que cela peut vous éclairer sur mon erreur. Si vous avez des pistes, je suis preneur…
Le fichier /etc/network/interfaces :
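# Static IPv6 configuration for eth0 (any IPv4 "inet" stanza and the auto/allow-hotplug
# line for this interface are not shown here).
iface eth0 inet6 static
    address XXXX:XXXX:XXXX:5558:0000:0000:0000:0001
    netmask 64
    # Link-local next hop; ifupdown presumably installs it as "default via fe80::1 dev eth0" — verify with "ip -6 route".
    gateway fe80::1
    # Router advertisements and SLAAC are disabled, so the address and gateway above are
    # the only source of IPv6 configuration for this interface.
    accept_ra 0
    autoconf 0
    # Privacy extensions (temporary addresses) off. The original line read "privent 0",
    # which is not an ifupdown option; the documented option name is "privext".
    privext 0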
J'ai volontairement masqué l'adresse IP.
Ensuite, j'ai un firewall nftables :
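#!/usr/sbin/nft -f
# Host firewall for a single server, one "inet" table covering IPv4 and IPv6. Based on:
#https://docs.snowme34.com/en/latest/reference/devops/debian-firewall-nftables-and-iptables.html
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state invalid drop
        # Malformed TCP: a "new" packet that is not a bare SYN, null flags, xmas flags.
        ct state new,related tcp flags & (fin|syn|rst|psh|ack|urg) != syn limit rate 2/second burst 3 packets log prefix "TCP INPUT without SYN " drop
        tcp flags & (fin|syn|rst|psh|ack|urg) eq 0 limit rate 2/second burst 3 packets log prefix "INPUT_NULL " drop
        tcp flags & (fin|psh|urg) eq (fin|psh|urg) limit rate 2/second burst 3 packets log prefix "INPUT_XMASS " drop
        # SSH: new connections are logged and rate-limited in the same rule. Two separate
        # rules (an unlimited "log accept" here and a "limit rate 15/minute accept" further
        # down) leave the limited one unreachable, because the first terminal verdict wins.
        tcp dport 1212 ct state new limit rate 15/minute log prefix "connexion SSH" accept # change to your own ssh port
        ct state established,related accept
        # no ping floods:
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets log prefix "PING Flood" drop
        # "meta l4proto icmpv6" rather than "ip6 nexthdr icmpv6": nexthdr only matches when
        # ICMPv6 directly follows the IPv6 header, so ICMPv6 carried behind an extension
        # header would miss these rules and fall through to the final drop.
        meta l4proto icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets log prefix "PING FLOOD IPV6" drop
        # ICMP & IGMP. The nd-* types are required for IPv6 neighbor discovery; without
        # them neither the gateway nor any peer can resolve this host's link-layer address.
        # Duplicate set elements from the original list (nd-neighbor-solicit,
        # nd-neighbor-advert, mld-listener-report) are removed; depending on the nft
        # version they are either redundant or rejected when the ruleset is loaded.
        meta l4proto icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept
        # avoid brute force on ssh: handled by the single rate-limited SSH rule above
        # http server
        tcp dport { http, https} ct state established,new accept
        udp dport { http, https} ct state established,new accept
        # some ports you like
        tcp dport { 123, 25} ct state established,new accept
        udp dport { 123, 25} ct state established,new accept
        #ct state invalid log prefix "invalid paquet" drop
        # uncomment to enable log, choose one
        # The counter is visible in "nft list ruleset"; if it grows while a ping is
        # attempted, the firewall (and not routing or addressing) is dropping the traffic.
        log flags all counter drop
        #log prefix \"[nftables] Input Denied: \" flags all counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        tcp dport { http, https } ct state { established,new } accept
        udp dport { http, https } ct state { established,new } accept
        # for dockers
        # dockers have plenty of networks, so it may be required to change accordingly
        #iifname eth0 oifname docker0 ct state { established,new,related } accept
        #oifname eth0 ct state { established,new,related } accept
        # uncomment to enable log
        #log prefix \"[nftables] Forward Denied: \" flags all counter drop
    }
    chain output {
        # Outbound traffic is not filtered.
        type filter hook output priority 0; policy accept;
    }
}
# fail2ban's own table/chains; the file must exist or the whole ruleset fails to load.
include "/etc/nftables/fail2ban.conf"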
Merci par avance pour votre aide,
BBO
Dernière modification par BBO (12-11-2019 20:56:04)