1. 政策趋势
从去年年底开始国家开始力推IPV6。目前看到的相关文件有
1. “推进互联网协议第六版(IPv6)规模部署行动计划”,这个由中共中央办公厅、国务院办公厅印发。
2. “工业和信息化部关于贯彻落实《推进互联网协议第六版(IPv6)规模部署行动计划》的通知”,这是由工信部印发。
2. 基本方案
周末有时间,把blog重新整理了一下,目前支持native IPV6 only环境访问。相关的方案
1. DNS服务器迁移到cloudflare。原本是准备自己再弄个VM,部署IPV6的DNS。后来觉得太费钱,直接用了cloudflare。
2. V6地址是通过He.net的隧道接入。
3. 注意事项
使用隧道接入V6,需要注意防火墙规则的设定,主要是以下几点:
1. 阿里云的网络安全组上放开he的隧道接入IP。
2. 服务器上itables-v4放开he的隧道接入IP。
3. 服务器上的ip6tables打开相关的端口。
4. nginx的上的geoip库都使用IPV6(V6的包括了V4)的
geoip_country /usr/share/GeoIP/GeoIPv6.dat;
geoip_city /usr/share/GeoIP/GeoIPCityv6.dat;
log_format main '$remote_addr - "$geoip_city_country_code:$geoip_city" - $remote_addr:$remote_port - $remote_user [$time_local] $host "$request"'
' $status $body_bytes_sent "$http_referer" '
'"$http_user_agent - $agent - $upstream_cache_status" "$http_x_forwarded_for" "$upstream_addr" "$ssl_protocol $ssl_cipher http=$http2" $request_time $upst
ream_response_time $tcpinfo_rtt';
geoip_city /usr/share/GeoIP/GeoIPCityv6.dat;
log_format main '$remote_addr - "$geoip_city_country_code:$geoip_city" - $remote_addr:$remote_port - $remote_user [$time_local] $host "$request"'
' $status $body_bytes_sent "$http_referer" '
'"$http_user_agent - $agent - $upstream_cache_status" "$http_x_forwarded_for" "$upstream_addr" "$ssl_protocol $ssl_cipher http=$http2" $request_time $upst
ream_response_time $tcpinfo_rtt';
相关的防火墙规则如下:
v4规则
# Generated by iptables-save v1.4.21 on Mon Jun 11 09:07:48 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [154797:201811368]
-A INPUT -s 216.218.221.6/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 11 09:07:48 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [154797:201811368]
-A INPUT -s 216.218.221.6/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 11 09:07:48 2018
v6规则
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [56:3808]
:OUTPUT ACCEPT [7834:1611396]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Jun 11 09:08:18 2018
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [56:3808]
:OUTPUT ACCEPT [7834:1611396]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Jun 11 09:08:18 2018
4. 参考链接
1. http://www.gov.cn/zhengce/2017-11/26/content_5242389.htm
2. http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757020/c6154756/content.html