태그 보관물: iptables

iptables

iptables : 마스 쿼 레이 딩으로 포트 전달이 작동하지 않습니다 tcp -i $WAN -m multiport

포트 포워드에 문제가 있습니다. NAT가 제대로 작동하는 것 같고 포트 중 하나가 작동하는 것 같습니다 (UDP 포트 7887은 시스템 192.168.1.100). 그러나 다른 사람들은 아닙니다.

나는 그것이 중요하다는 것을 의심하지만 eth1 & eth2는 듀얼 포트 NIC에 있습니다.

WAN 인터넷 액세스는 dhcp와 함께 제공되므로 가능한 경우 솔루션은 WAN_IP 독립적이어야합니다.

/opt/firewall.sh

#!/bin/sh

WAN="eth1"
LAN="eth2"

#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0


echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow ICMP echo reply/destination unreachable/time exceeded.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT

# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT

# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT

# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT

iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   232 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports ssh to:192.168.1.250
    1    60 DNAT       tcp  --  eth1   any     anywhere             anywhere            tcp dpt:www to:192.168.1.99:80
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 9001,9030 to:192.168.1.250
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 7887 to:192.168.1.100
12166 4042K DNAT       udp  --  eth1   any     anywhere             anywhere            multiport dports 7887 to:192.168.1.100
    0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere            multiport dports 8887 to:192.168.1.250
    0     0 DNAT       udp  --  eth1   any     anywhere             anywhere            multiport dports 8887 to:192.168.1.250

Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
 pkts bytes target     prot opt in     out     source               destination
 637K   46M MASQUERADE  all  --  any    eth1    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -v

Chain INPUT (policy DROP 9336 packets, 846K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 ACCEPT     all  --  lo     any     anywhere             anywhere
  467 55711 ACCEPT     all  --  eth2   any     anywhere             anywhere
   64  5598 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
   18  1796 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
60586   29M ACCEPT     all  --  any    eth2    anywhere             anywhere            state RELATED,ESTABLISHED
70888  126M ACCEPT     all  --  eth2   eth1    anywhere             anywhere
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.1.99        tcp dpt:www state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 9001,9030
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.100       multiport dports 7887
  646  310K ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.100       multiport dports 7887
    0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 8887
    0     0 ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.250       multiport dports 8887

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  157 13421 ACCEPT     all  --  any    lo      anywhere             anywhere
   76  9678 ACCEPT     all  --  any    eth1    anywhere             anywhere
  159 26706 ACCEPT     all  --  any    eth2    anywhere             anywhere

액세스 테스트 :

 me@external-host $ ssh WAN_IP
 ssh: connect to host WAN_IP port 22: Connection timed out

 me@external-host $ wget WAN_IP
 --2012-05-06 15:46:50--  http://WAN_IP/
 Connecting to |WAN_IP|:80... failed: Connection timed out.

액세스 테스트 로그 :

 May  8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
 May  8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0


답변

내부 시스템이 다운되어 내 WAN_IP가 변경되었음을 알 수 있습니다 (dhcp로 인해).

문제를 해결하는 동안 스크립트를 약간 강화했으며 지나치게 화려하지 않고 완벽하게 작동합니다. 사본을 자유롭게 가져 가십시오!

/opt/firewall.sh

#!/bin/sh

WAN="eth1"
LAN="eth2"

#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

#
# Debug logging
#iptables -I INPUT 1 --source 130.235.35.233/31 -j LOG --log-prefix "INPUT: "
#iptables -I FORWARD 1 --source 130.235.35.233/31 -j LOG --log-prefix "FOWARD: "


#
# Default to drop packets
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# Allow all local loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#
# Allow output on $WAN and $LAN if. Allow input on $LAN if.
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow ICMP echo reply/echo request/destination unreachable/time exceeded
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT

# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT

# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT

# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT


exit 0 #report success

답변