Iptables

Cannot ping a specific interface from the router (sendmsg: Operation not permitted)

  • October 4, 2020

I have a router I built that runs Arch Linux, and I have a strange problem that probably points to a misconfiguration. This is my setup:

  • LAN interface: intern1
  • WAN interface: extern1
  • LAN address: 192.168.11.11/24
  • WAN address: DHCP

I can ping anything on the WAN interface without error:

> ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=2.78 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=2.60 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=2.87 ms

However, I cannot ping another address on the LAN (192.168.11.39 is a server on the LAN):

> ping 192.168.11.39

PING 192.168.11.39 (192.168.11.39) 56(84) bytes of data.
From 192.168.11.11 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.11.11 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.11.11 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Operation not permitted

Other questions like this seem to point to a firewall problem. I tried changing all chains in the filter table to a default policy of ACCEPT, but that had no effect. I should add that, apart from this ping problem, the router works; things on the LAN can reach the WAN and any device on the LAN, and can ping another device on the LAN.

For the record, I found this problem because I was trying to set up OpenVPN on this router and I could not ping anything on the LAN from any VPN client. I think this may be related. Everything here was done with the VPN disabled, to eliminate possible confounding variables.

Does anyone know what could be causing this?

Other information that might be relevant

Routing table:

> ip route

default via 45.17.160.1 dev extern1 proto dhcp src 45.17.163.240 metric 1024 
45.17.160.0/22 dev extern1 proto kernel scope link src 45.17.163.240 
45.17.160.1 dev extern1 proto dhcp scope link src 45.17.163.240 metric 1024 
192.168.11.0/24 dev intern1 proto kernel scope link src 192.168.11.11 

iptables rules (minimal example):

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:net_dnat - [0:0]

# potentially DNAT all incoming packets
-A PREROUTING -i extern1 -j net_dnat

# make all LAN-WAN traffic appear as if it came from this router
-A POSTROUTING -s 192.168.11.0/24 -o extern1 -j MASQUERADE

# make all VPN traffic appear as if it came from this router
-A POSTROUTING -s 10.8.0.0/24 -o intern1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o extern1 -j MASQUERADE

# DNAT table for port forwards on LAN
-A net_dnat -m comment --comment "SSH" -p tcp -m tcp --dport 39022 -j DNAT --to-destination 192.168.11.39:39022
-A net_dnat -m comment --comment "HTTP" -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.39:80
-A net_dnat -m comment --comment "HTTPS" -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.39:443
-A net_dnat -m comment --comment "IMAP" -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.11.39:143
-A net_dnat -m comment --comment "IMAPS" -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.11.39:993
-A net_dnat -m comment --comment "WOL" -p udp -m udp --dport 39009 -j DNAT --to-destination 192.168.11.254:39009
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

systemd network configuration:

> cat /etc/systemd/network/intern1.network

[Match]
Name=intern1

[Network]
Address=192.168.11.11/24
IPForward=ipv4

> cat /etc/systemd/network/intern1.network

[Match]
Name=extern1

[Network]
DHCP=ipv4
IPForward=ipv4

Edit 1

Routing policy:

> ip rule ls
0:     from all lookup local
32766: from all lookup main
32767: from all lookup default

ARP entry for 192.168.11.39:

> ip n ls 192.168.11.39
192.168.11.39 dev intern1 lladdr f8:32:e4:9b:b9:55 REACHABLE

Route lookup for 192.168.11.39:

> ip route get 192.168.11.39
192.168.11.39 dev intern1 src 192.168.11.11 uid 1000 
   cache

Edit 2

Full filter table:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:localhost-LAN - [0:0]
:localhost-WAN - [0:0]
:localhost-VPN - [0:0]
:VPN-localhost - [0:0]
:LAN-localhost - [0:0]
:WAN-localhost - [0:0]
:LAN-VPN - [0:0]
:LAN-WAN - [0:0]
:WAN-LAN - [0:0]
:WAN-VPN - [0:0]
:LAN-forward - [0:0]
:WAN-forward - [0:0]
:VPN-forward - [0:0]
:reject - [0:0]

-A INPUT -i intern1 -j LAN-localhost
-A INPUT -i extern1 -j WAN-localhost
-A INPUT -i tun0 -j VPN-localhost
-A INPUT -i lo -j ACCEPT
-A INPUT -g reject

-A FORWARD -i extern1 -j WAN-forward
-A FORWARD -i intern1 -j LAN-forward
-A FORWARD -i tun0 -j VPN-forward
-A FORWARD -g reject

-A OUTPUT -o extern1 -j localhost-WAN
-A OUTPUT -o intern1 -j localhost-LAN
-A OUTPUT -o tun0 -j localhost-VPN
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -g reject

-A LAN-forward -o extern1 -j ACCEPT
-A LAN-forward -o tun0 -j LAN-VPN

-A WAN-forward -o intern1 -j WAN-LAN
-A WAN-forward -o tun0 -j WAN-VPN

-A VPN-forward -o intern1 -j ACCEPT
-A VPN-forward -o extern1 -j ACCEPT

-A WAN-LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WAN-LAN -m comment --comment "SSH" -d 192.168.11.39/32 -p tcp -m tcp --dport 39022 -m conntrack --ctorigdstport 39022 -j ACCEPT
-A WAN-LAN -m comment --comment "HTTP" -d 192.168.11.39/32 -p tcp -m tcp --dport 80 -m conntrack --ctorigdstport 80 -j ACCEPT
-A WAN-LAN -m comment --comment "HTTPS" -d 192.168.11.39/32 -p tcp -m tcp --dport 443 -m conntrack --ctorigdstport 443 -j ACCEPT
-A WAN-LAN -m comment --comment "IMAP" -d 192.168.11.39/32 -p tcp -m tcp --dport 143 -m conntrack --ctorigdstport 143 -j ACCEPT
-A WAN-LAN -m comment --comment "IMAPS" -d 192.168.11.39/32 -p tcp -m tcp --dport 993 -m conntrack --ctorigdstport 993 -j ACCEPT
-A WAN-LAN -m comment --comment "WOL" -d 192.168.11.254/32 -p udp -m udp --dport 39009 -m conntrack --ctorigdstport 39009 -j ACCEPT
-A WAN-LAN -j DROP

-A localhost-LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A localhost-LAN -m comment --comment "Local DHCP" -p udp -m udp --dport 67:68 -j ACCEPT
-A localhost-LAN -m comment --comment "Local SSH" -d 192.168.11.39/32 -p tcp -m tcp --dport 39022 -m conntrack --ctorigdstport 39022 -j ACCEPT
-A localhost-LAN -g reject

-A LAN-VPN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LAN-VPN -j DROP

-A WAN-VPN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WAN-VPN -j DROP

-A localhost-VPN -j ACCEPT

-A localhost-WAN -j ACCEPT

-A LAN-localhost -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LAN-localhost -m comment --comment "LAN OpenVPN" -p udp --dport 21194 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN DHCP" -p udp -m udp --dport 67:68 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN SSH" -p tcp --dport 29022 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN DNS (zone transfer)" -p tcp --dport 53 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN DNS" -p udp -m udp --dport 53 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A LAN-localhost -g reject

-A WAN-localhost -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WAN-localhost -m comment --comment "WAN OpenVPN" -p udp --dport 21194 -j ACCEPT
-A WAN-localhost -m comment --comment "WAN SSH" -p tcp --dport 29022 -j ACCEPT
-A WAN-localhost -m comment --comment "WAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A WAN-localhost -j DROP

-A VPN-localhost -j ACCEPT

-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
COMMIT

Solution

This was in fact a firewall problem. I mistakenly believed that using ACCEPT as the default policy on the INPUT/OUTPUT/FORWARD chains would render all the remaining chains in the filter table ineffective, which led me to think it was not a firewall problem in the first place.

In reality, the default policy is applied last, when nothing matches, but in this case the "localhost-LAN" chain was intercepting the outgoing ping and applying "reject". Adding this before the "reject" target fixes the problem:

-A localhost-LAN -m comment --comment "LAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT

Outgoing pings to the LAN now work :)
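The chain traversal the solution describes, as an added example that is not part of the original post: a small Python model of how iptables walks chains (-j returns to the caller when the called chain runs out of rules, -g does not, and a built-in chain's policy applies only when nothing matched), loaded with the OUTPUT path of the filter table above. It assumes only the rules shown on the page and a simplified exact-match packet model, and shows the outgoing echo request reaching the reject chain (which the socket layer reports to ping as sendmsg EPERM) before the fix and being accepted after it.

```python
# Model of iptables chain traversal, added here to illustrate the post's
# finding; the rule set is a subset of the post's filter table (OUTPUT path).
ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"
TERMINAL = {ACCEPT, DROP, REJECT}
def rule(target, goto=False, **match):
    """One rule: every field in `match` must equal the packet's field."""
    return (match, target, goto)
def build_table(fix_applied):
    """OUTPUT path of the post's filter table, with or without the fix."""
    localhost_lan = [rule(ACCEPT, ctstate="ESTABLISHED"),
                     rule(ACCEPT, proto="udp", dport="67:68"),
                     rule(ACCEPT, proto="tcp", dst="192.168.11.39", dport=39022)]
    if fix_applied:   # the 'LAN Ping' rule, inserted before the goto
        localhost_lan.append(rule(ACCEPT, proto="icmp", icmp_type=8))
    localhost_lan.append(rule("reject", goto=True))          # -g reject
    return {  # chain -> (rules, policy); policy is None for user chains
        "OUTPUT": ([rule("localhost-WAN", out="extern1"),
                    rule("localhost-LAN", out="intern1"),
                    rule(ACCEPT, out="lo"),
                    rule("reject", goto=True)], ACCEPT),
        "localhost-LAN": (localhost_lan, None),
        "localhost-WAN": ([rule(ACCEPT)], None),
        "reject": ([rule(REJECT, proto="tcp"), rule(REJECT, proto="udp"),
                    rule(REJECT, proto="icmp"), rule(REJECT)], None),
    }
def verdict(table, chain, pkt):
    """Walk `chain` for `pkt`; -j pushes a return point, -g does not."""
    stack = [(chain, 0)]
    while stack:
        name, idx = stack.pop()
        rules, policy = table[name]
        for i in range(idx, len(rules)):
            match, target, goto = rules[i]
            if any(pkt.get(k) != v for k, v in match.items()):
                continue
            if target in TERMINAL:
                return target
            if not goto:
                stack.append((name, i + 1))   # resume here after -j
            stack.append((target, 0))
            break
        else:   # ran out of rules: user chain returns, built-in applies policy
            if policy is not None:
                return policy
    return table[chain][1]   # fell off a -g chain: base chain's policy
def ping_to_lan(fix_applied):
    # The post's `ping 192.168.11.39`: a NEW ICMP echo request leaving intern1
    pkt = {"out": "intern1", "proto": "icmp", "icmp_type": 8,
           "ctstate": "NEW", "dst": "192.168.11.39"}
    return verdict(build_table(fix_applied), "OUTPUT", pkt)
```

Note that the OUTPUT policy of ACCEPT is never consulted for this packet: the -j into localhost-LAN and the -g into reject always end in a terminal verdict.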

Source: https://serverfault.com/questions/1036085