Iptables
Cannot ping on a specific interface from the router (sendmsg: Operation not permitted)
I have a router running Arch Linux that I built myself, and I am seeing a strange problem that probably points to a misconfiguration. This is my setup:
- LAN interface: intern1
- WAN interface: extern1
- LAN address: 192.168.11.11/24
- WAN address: DHCP
I can ping anything on the WAN interface without errors:
    > ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=2.78 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=2.60 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=2.87 ms
However, I cannot ping another address on the LAN (192.168.11.39 is a server on the LAN):
    > ping 192.168.11.39
    PING 192.168.11.39 (192.168.11.39) 56(84) bytes of data.
    From 192.168.11.11 icmp_seq=1 Destination Host Unreachable
    ping: sendmsg: Operation not permitted
    From 192.168.11.11 icmp_seq=2 Destination Host Unreachable
    ping: sendmsg: Operation not permitted
    From 192.168.11.11 icmp_seq=3 Destination Host Unreachable
    ping: sendmsg: Operation not permitted
Other questions like this one seem to point to a firewall problem. I tried changing all chains in the filter table to a default policy of ACCEPT, but it had no effect. I should add that, apart from this ping problem, the router works: things on the LAN can reach the WAN and any device on the LAN, and can ping another device on the LAN.
For the record, I found this problem because I was trying to set up OpenVPN on this router and could not ping anything on the LAN from any VPN client. I suspect this may be related. Everything here was done with the VPN disabled, to remove a possible confounding variable.
Does anyone know what could be causing this?
Other information that may be relevant
Routing table:
    > ip route
    default via 45.17.160.1 dev extern1 proto dhcp src 45.17.163.240 metric 1024
    45.17.160.0/22 dev extern1 proto kernel scope link src 45.17.163.240
    45.17.160.1 dev extern1 proto dhcp scope link src 45.17.163.240 metric 1024
    192.168.11.0/24 dev intern1 proto kernel scope link src 192.168.11.11
iptables rules (minimal example):
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :net_dnat - [0:0]
    # potentially DNAT all incoming packets
    -A PREROUTING -i extern1 -j net_dnat
    # make all LAN-WAN traffic appear as if it came from this router
    -A POSTROUTING -s 192.168.11.0/24 -o extern1 -j MASQUERADE
    # make all VPN traffic appear as if it came from this router
    -A POSTROUTING -s 10.8.0.0/24 -o intern1 -j MASQUERADE
    -A POSTROUTING -s 10.8.0.0/24 -o extern1 -j MASQUERADE
    # DNAT table for port forwards on LAN
    -A net_dnat -m comment --comment "SSH" -p tcp -m tcp --dport 39022 -j DNAT --to-destination 192.168.11.39:39022
    -A net_dnat -m comment --comment "HTTP" -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.39:80
    -A net_dnat -m comment --comment "HTTPS" -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.39:443
    -A net_dnat -m comment --comment "IMAP" -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.11.39:143
    -A net_dnat -m comment --comment "IMAPS" -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.11.39:993
    -A net_dnat -m comment --comment "WOL" -p udp -m udp --dport 39009 -j DNAT --to-destination 192.168.11.254:39009
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
systemd network configuration:
    > cat /etc/systemd/network/intern1.network
    [Match]
    Name=intern1
    [Network]
    Address=192.168.11.11/24
    IPForward=ipv4
    > cat /etc/systemd/network/extern1.network
    [Match]
    Name=extern1
    [Network]
    DHCP=ipv4
    IPForward=ipv4
Edit 1
Routing policy:
    > ip rule ls
    0:      from all lookup local
    32766:  from all lookup main
    32767:  from all lookup default
ARP entry for 192.168.11.39:
    > ip n ls 192.168.11.39
    192.168.11.39 dev intern1 lladdr f8:32:e4:9b:b9:55 REACHABLE
Route lookup for 192.168.11.39:
    > ip route get 192.168.11.39
    192.168.11.39 dev intern1 src 192.168.11.11 uid 1000
        cache
Edit 2
Full filter table:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :localhost-LAN - [0:0]
    :localhost-WAN - [0:0]
    :localhost-VPN - [0:0]
    :VPN-localhost - [0:0]
    :LAN-localhost - [0:0]
    :WAN-localhost - [0:0]
    :LAN-VPN - [0:0]
    :LAN-WAN - [0:0]
    :WAN-LAN - [0:0]
    :WAN-VPN - [0:0]
    :LAN-forward - [0:0]
    :WAN-forward - [0:0]
    :VPN-forward - [0:0]
    :reject - [0:0]
    -A INPUT -i intern1 -j LAN-localhost
    -A INPUT -i extern1 -j WAN-localhost
    -A INPUT -i tun0 -j VPN-localhost
    -A INPUT -i lo -j ACCEPT
    -A INPUT -g reject
    -A FORWARD -i extern1 -j WAN-forward
    -A FORWARD -i intern1 -j LAN-forward
    -A FORWARD -i tun0 -j VPN-forward
    -A FORWARD -g reject
    -A OUTPUT -o extern1 -j localhost-WAN
    -A OUTPUT -o intern1 -j localhost-LAN
    -A OUTPUT -o tun0 -j localhost-VPN
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -g reject
    -A LAN-forward -o extern1 -j ACCEPT
    -A LAN-forward -o tun0 -j LAN-VPN
    -A WAN-forward -o intern1 -j WAN-LAN
    -A WAN-forward -o tun0 -j WAN-VPN
    -A VPN-forward -o intern1 -j ACCEPT
    -A VPN-forward -o extern1 -j ACCEPT
    -A WAN-LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A WAN-LAN -m comment --comment "SSH" -d 192.168.11.39/32 -p tcp -m tcp --dport 39022 -m conntrack --ctorigdstport 39022 -j ACCEPT
    -A WAN-LAN -m comment --comment "HTTP" -d 192.168.11.39/32 -p tcp -m tcp --dport 80 -m conntrack --ctorigdstport 80 -j ACCEPT
    -A WAN-LAN -m comment --comment "HTTPS" -d 192.168.11.39/32 -p tcp -m tcp --dport 443 -m conntrack --ctorigdstport 443 -j ACCEPT
    -A WAN-LAN -m comment --comment "IMAP" -d 192.168.11.39/32 -p tcp -m tcp --dport 143 -m conntrack --ctorigdstport 143 -j ACCEPT
    -A WAN-LAN -m comment --comment "IMAPS" -d 192.168.11.39/32 -p tcp -m tcp --dport 993 -m conntrack --ctorigdstport 993 -j ACCEPT
    -A WAN-LAN -m comment --comment "WOL" -d 192.168.11.254/32 -p udp -m udp --dport 39009 -m conntrack --ctorigdstport 39009 -j ACCEPT
    -A WAN-LAN -j DROP
    -A localhost-LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A localhost-LAN -m comment --comment "Local DHCP" -p udp -m udp --dport 67:68 -j ACCEPT
    -A localhost-LAN -m comment --comment "Local SSH" -d 192.168.11.39/32 -p tcp -m tcp --dport 39022 -m conntrack --ctorigdstport 39022 -j ACCEPT
    -A localhost-LAN -g reject
    -A LAN-VPN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A LAN-VPN -j DROP
    -A WAN-VPN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A WAN-VPN -j DROP
    -A localhost-VPN -j ACCEPT
    -A localhost-WAN -j ACCEPT
    -A LAN-localhost -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A LAN-localhost -m comment --comment "LAN OpenVPN" -p udp --dport 21194 -j ACCEPT
    -A LAN-localhost -m comment --comment "LAN DHCP" -p udp -m udp --dport 67:68 -j ACCEPT
    -A LAN-localhost -m comment --comment "LAN SSH" -p tcp --dport 29022 -j ACCEPT
    -A LAN-localhost -m comment --comment "LAN DNS (zone transfer)" -p tcp --dport 53 -j ACCEPT
    -A LAN-localhost -m comment --comment "LAN DNS" -p udp -m udp --dport 53 -j ACCEPT
    -A LAN-localhost -m comment --comment "LAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A LAN-localhost -g reject
    -A WAN-localhost -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A WAN-localhost -m comment --comment "WAN OpenVPN" -p udp --dport 21194 -j ACCEPT
    -A WAN-localhost -m comment --comment "WAN SSH" -p tcp --dport 29022 -j ACCEPT
    -A WAN-localhost -m comment --comment "WAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A WAN-localhost -j DROP
    -A VPN-localhost -j ACCEPT
    -A reject -m addrtype --src-type BROADCAST -j DROP
    -A reject -s 224.0.0.0/4 -j DROP
    -A reject -p igmp -j DROP
    -A reject -p tcp -j REJECT --reject-with tcp-reset
    -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
    -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
    -A reject -j REJECT --reject-with icmp-host-prohibited
    COMMIT
Solution
This actually was a firewall problem. I mistakenly assumed that using ACCEPT as the default policy on the INPUT/OUTPUT/FORWARD chains would neutralize all the remaining chains in the filter table, which led me to believe this was not a firewall problem in the first place.
In fact, the default policy is applied last, when nothing matched, but in this case the localhost-LAN chain was intercepting the outgoing ping and applying reject. Adding this before the reject target fixed the problem:
    -A localhost-LAN -m comment --comment "LAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT
Outgoing pings to the LAN now work :)
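The mechanism the solution describes, as an added example that is not part of the original post: a small Python model of iptables chain traversal, run over a constructed excerpt of the OUTPUT path from the filter table above. It assumes only the matches these rules use (-o, -p, --icmp-type, --ctstate) and the -j/-g targets, and it also shows that appending the fix with -A instead of inserting it ahead of -g reject would not have helped.

```python
# Added example, not code from the original post: a toy walker over the post's
# filter rules that shows why an ACCEPT policy on OUTPUT did not rescue the LAN ping.
import shlex

# Constructed excerpt of the post's OUTPUT path, as it was before the fix.
RULES_BEFORE = """
-A OUTPUT -o extern1 -j localhost-WAN
-A OUTPUT -o intern1 -j localhost-LAN
-A OUTPUT -g reject
-A localhost-WAN -j ACCEPT
-A localhost-LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A localhost-LAN -g reject
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
"""
# The post's fix; it only helps when it sits before "-g reject" (iptables -I, not -A).
FIX = '-A localhost-LAN -m comment --comment "LAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT'
RULES_FIXED = RULES_BEFORE.replace("-A localhost-LAN -g reject", FIX + "\n-A localhost-LAN -g reject")

def parse(text):  # group '-A <chain> ...' lines into {chain: [rule dicts]}, in order
    rules = {}
    for line in text.strip().splitlines():
        tok, r, i = shlex.split(line), {}, 2
        while i < len(tok):
            key = tok[i].lstrip("-")
            if key in ("j", "g"):
                r["target"], r["goto"] = tok[i + 1], key == "g"
            elif key != "m":  # "-m <module>" carries no value; every other option does
                r[key] = tok[i + 1]
            i += 2
        rules.setdefault(tok[1], []).append(r)
    return rules

def matches(r, pkt):  # only the match types the post's rules use
    return (r.get("o", pkt["out"]) == pkt["out"]
            and r.get("p", pkt["proto"]) == pkt["proto"]
            and ("icmp-type" not in r or int(r["icmp-type"]) == pkt.get("icmp_type"))
            and pkt["state"] in r.get("ctstate", pkt["state"]).split(","))

def walk(rules, chain, pkt):
    for r in (r for r in rules.get(chain, []) if matches(r, pkt)):
        t = r["target"]
        if t in ("ACCEPT", "DROP", "REJECT"):
            return t + (" " + r["reject-with"] if t == "REJECT" else "")
        v = walk(rules, t, pkt)  # -j or -g into a user-defined chain
        if v is not None or r["goto"]:  # after -g (goto) there is no coming back here
            return v
    return None  # fell off the end: caller continues, or the built-in policy applies

def verdict(rules, chain, pkt, policy="ACCEPT"):
    return walk(rules, chain, pkt) or policy + " (policy)"
```

The REJECT with icmp-host-unreachable on a locally generated packet is exactly what ping reports as "Destination Host Unreachable" plus "sendmsg: Operation not permitted".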