iptables: Penerusan port dengan penyamaran tidak berfungsi

Saya mengalami beberapa masalah dengan porta depan saya. NAT tampaknya berfungsi dengan baik dan satu dari port ke depan tampaknya berfungsi (udp port 7887 ke mesin 192.168.1.100). Tapi tidak yang lain.

Saya ragu itu penting, tetapi eth1 & eth2 terletak di NIC dualport.

Akses internet WAN disediakan dengan dhcp, jadi solusi harus WAN_IP independen jika memungkinkan.

/opt/firewall.sh

#!/bin/sh

WAN="eth1"
LAN="eth2"

#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0


echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow ICMP echo reply/destination unreachable/time exceeded.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT

# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT

# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT

# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT

iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   232 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports ssh to:192.168.1.250 
    1    60 DNAT       tcp  --  eth1   any     anywhere             anywhere            tcp dpt:www to:192.168.1.99:80 
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 9001,9030 to:192.168.1.250 
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 7887 to:192.168.1.100 
12166 4042K DNAT       udp  --  eth1   any     anywhere             anywhere            multiport dports 7887 to:192.168.1.100 
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 8887 to:192.168.1.250 
    0     0 DNAT       udp  --  eth1   any     anywhere             anywhere            multiport dports 8887 to:192.168.1.250 

Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 637K   46M MASQUERADE  all  --  any    eth1    anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -v

Chain INPUT (policy DROP 9336 packets, 846K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    76 ACCEPT     all  --  lo     any     anywhere             anywhere            
  467 55711 ACCEPT     all  --  eth2   any     anywhere             anywhere            
   64  5598 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply 
   18  1796 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
60586   29M ACCEPT     all  --  any    eth2    anywhere             anywhere            state RELATED,ESTABLISHED 
70888  126M ACCEPT     all  --  eth2   eth1    anywhere             anywhere            
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.1.99        tcp dpt:www state NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 9001,9030 
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.100       multiport dports 7887 
  646  310K ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.100       multiport dports 7887 
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 8887 
    0     0 ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 8887 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  157 13421 ACCEPT     all  --  any    lo      anywhere             anywhere            
   76  9678 ACCEPT     all  --  any    eth1    anywhere             anywhere            
  159 26706 ACCEPT     all  --  any    eth2    anywhere             anywhere

Pengujian akses:

 me@external-host $ ssh WAN_IP        
 ssh: connect to host WAN_IP port 22: Connection timed out

 me@external-host $ wget WAN_IP                
 --2012-05-06 15:46:50--  http://WAN_IP/
 Connecting to |WAN_IP|:80... failed: Connection timed out.

Akses log pengujian:

 May  8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 
 May  8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0

iptables nat port-forwarding Robert Foss
sumber

Anda dapat mengaktifkan pencatatan dengan menambahkan aturan ingin iptables -I INPUT 1 -i $LAN -j LOGmen-debug masalah Anda

aland

Anda harus memeriksa penghitung di tabel filter untuk melihat apakah ada sesuatu yang melanggar aturan penerimaan Anda.

Falcon Momot

@ FalconKirtaran, saya memperbarui pertanyaan dengan counter aturan terima.

Robert Foss

Anda mungkin ingin menambahkan baris log ke akhir FORWARDrantai ( iptables -A FORWARD -j LOG) untuk melihat apakah itu dijatuhkan atau tidak.

Andy Smith

Seperti yang saya duga, mereka tidak melanggar aturan accept. Namun, mereka bahkan tidak mengenai rantai ke depan di filter sama sekali (karena tidak ada paket yang terjatuh di sana).

Falcon Momot

Ternyata satu mesin internal tidak berfungsi dan WAN_IP saya telah berubah (karena dhcp).

Selama pemecahan masalah saya, saya sedikit meningkatkan script dan sekarang berfungsi penuh tanpa terlalu mewah. Jangan ragu untuk mengambil salinan!

/opt/firewall.sh

#!/bin/sh

WAN="eth1"
LAN="eth2"

#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

#
# Debug logging
#iptables -I INPUT 1 --source 130.235.35.233/31 -j LOG --log-prefix "INPUT: "
#iptables -I FORWARD 1 --source 130.235.35.233/31 -j LOG --log-prefix "FOWARD: "


#
# Default to drop packets
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# Allow all local loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#
# Allow output on $WAN and $LAN if. Allow input on $LAN if.
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow ICMP echo reply/echo request/destination unreachable/time exceeded
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT

# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT

# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT

# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT


exit 0 #report success

Robert Foss
sumber

iptables: Penerusan port dengan penyamaran tidak berfungsi

Jawaban: