Iptables
NAT / port forwarding with an iptables firewall
I have the following setup:
Firewall (iptables)
- eth0, internal interface, 192.168.2.10
- ppp0, external interface, public_ip (IP masquerading)
server1 (192.168.2.11), service1 (port 443)
server2 (192.168.2.12), service2 (port 443)
client1 (192.168.2.21) …
The firewall uses iptables for the following port-forwarding rules:
- port 10000 -> 192.168.2.11:443
- port 10001 -> 192.168.2.12:443
This way both services can be reached from the Internet using the public IP address and ports 10001/10002. Unfortunately client1 (and the other clients on the internal network) have to use the server IP/port: they can reach the services via 192.168.2.11:443 and 192.168.2.12:443, but not via public_ip:10001/10002.
Could these problems be caused by a difference between the INPUT and FORWARD chains with respect to how the PREROUTING chain behaves?
What can I do to change this? (I am using the "Arno's iptables firewall" script, if that helps.) Any pointers are much appreciated.
Edit: here is the iptables configuration:
iptables -nvL
Chain INPUT (policy DROP 3 packets, 156 bytes)
 pkts bytes target prot opt in out source destination
27362 13M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
482K 35M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED tcp dpts:1024:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED udp dpts:1024:65535
1012 57505 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
411K 31M HOST_BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
409K 31M MAC_FILTER all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 MAC_FILTER all -- tun0 * 0.0.0.0/0 0.0.0.0/0
411K 31M SPOOF_CHK all -- * * 0.0.0.0/0 0.0.0.0/0
1606 128K VALID_CHK all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
1179 108K EXT_INPUT_CHAIN !icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 state NEW
47 2340 EXT_INPUT_CHAIN icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 60/sec burst 100
0 0 EXT_ICMP_FLOOD_CHAIN icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 state NEW
409K 31M LAN_INPUT_CHAIN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 LAN_INPUT_CHAIN all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Dropped INPUT packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
98717 5423K TCPMSS tcp -- * ppp+ 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
41M 24G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
187 9724 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED tcp dpts:1024:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED udp dpts:1024:65535
271 17208 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
125K 7842K HOST_BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
78962 5186K MAC_FILTER all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 MAC_FILTER all -- tun0 * 0.0.0.0/0 0.0.0.0/0
46489 2656K UPNP_FORWARD all -- ppp+ !ppp+ 0.0.0.0/0 0.0.0.0/0
125K 7842K SPOOF_CHK all -- * * 0.0.0.0/0 0.0.0.0/0
46489 2656K VALID_CHK all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
24 19108 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0
78938 5167K LAN_INET_FORWARD_CHAIN all -- eth0 ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 tun0 0.0.0.0/0 0.0.0.0/0
0 0 LAN_INET_FORWARD_CHAIN all -- tun0 ppp+ 0.0.0.0/0 0.0.0.0/0
698 41908 ACCEPT tcp -- ppp+ !ppp+ 0.0.0.0/0 192.168.2.38 tcp dpt:22
118 6564 ACCEPT tcp -- ppp+ !ppp+ 0.0.0.0/0 192.168.2.38 tcp dpt:443
45546 2601K ACCEPT tcp -- ppp+ !ppp+ 0.0.0.0/0 192.168.2.38 tcp dpt:8443
0 0 ACCEPT tcp -- ppp+ !ppp+ 0.0.0.0/0 192.168.2.38 tcp dpt:8899
7 364 ACCEPT tcp -- ppp+ !ppp+ 0.0.0.0/0 192.168.2.37 tcp dpt:22
15 788 ACCEPT tcp -- ppp+ !ppp+ 0.0.0.0/0 192.168.2.41 tcp dpt:443
105 5464 ACCEPT tcp -- ppp+ !ppp+ 0.0.0.0/0 192.168.2.45 tcp dpt:443
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `Dropped FORWARD packet: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 5403 packets, 1746K bytes)
 pkts bytes target prot opt in out source destination
2 120 TCPMSS tcp -- * ppp+ 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
424K 66M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
437K 33M HOST_BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FRAGMENTED PACKET (OUT): '
0 0 DROP all -f * * 0.0.0.0/0 0.0.0.0/0
431K 31M EXT_OUTPUT_CHAIN all -- * ppp+ 0.0.0.0/0 0.0.0.0/0

Chain DMZ_INET_FORWARD_CHAIN (0 references)
 pkts bytes target prot opt in out source destination

Chain DMZ_INPUT_CHAIN (0 references)
 pkts bytes target prot opt in out source destination

Chain DMZ_LAN_FORWARD_CHAIN (0 references)
 pkts bytes target prot opt in out source destination

Chain EXT_ICMP_FLOOD_CHAIN (1 references)
 pkts bytes target prot opt in out source destination
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-request(ping) flood: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-unreachable flood: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-source-quench flood: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-time-exceeded flood: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-param.-problem flood: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP(other) flood: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXT_INPUT_CHAIN (2 references)
 pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 6 prefix `TCP port 0 OS fingerprint: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 6 prefix `UDP port 0 OS fingerprint: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 6 prefix `TCP source port 0: '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 6 prefix `UDP source port 0: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
31 1472 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `ICMP-request: '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-unreachable: '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-source-quench: '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-time-exceeded: '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-param.-problem: '
53 8304 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth scan (UNPRIV)?: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth scan (PRIV)?: '
85 17495 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
167 9228 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (PRIV): '
18 1193 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (PRIV): '
481 22848 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (UNPRIV): '
172 44040 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (UNPRIV): '
870 43344 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
224 47492 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
47 2340 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 5 LOG flags 0 level 6 prefix `Other-IP connection attempt: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain EXT_OUTPUT_CHAIN (1 references)
 pkts bytes target prot opt in out source destination
431K 31M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain HOST_BLOCK (3 references)
 pkts bytes target prot opt in out source destination

Chain INET_DMZ_FORWARD_CHAIN (0 references)
 pkts bytes target prot opt in out source destination

Chain LAN_INET_FORWARD_CHAIN (2 references)
 pkts bytes target prot opt in out source destination
354 21240 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 20/sec burst 100
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `ICMP-request: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
78584 5145K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LAN_INPUT_CHAIN (2 references)
 pkts bytes target prot opt in out source destination
18741 1705K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 20/sec burst 100
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `ICMP-request: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
390K 30M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MAC_FILTER (4 references)
 pkts bytes target prot opt in out source destination

Chain RESERVED_NET_CHK (0 references)
 pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 10.0.0.0/8 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class A address: '
0 0 LOG all -- * * 172.16.0.0/12 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class B address: '
0 0 LOG all -- * * 192.168.0.0/16 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class C address: '
0 0 LOG all -- * * 169.254.0.0/16 0.0.0.0/0 limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class M$ address: '
0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0

Chain SPOOF_CHK (2 references)
 pkts bytes target prot opt in out source destination
488K 37M RETURN all -- eth0 * 192.168.2.0/24 0.0.0.0/0
0 0 RETURN all -- tun0 * 192.168.2.0/24 0.0.0.0/0
0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Spoofed packet: '
0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0
48223 2834K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain UPNP_FORWARD (1 references)
 pkts bytes target prot opt in out source destination

Chain VALID_CHK (2 references)
 pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth XMAS scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth XMAS-PSH scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth XMAS-ALL scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth FIN scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth SYN/RST scan: '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth SYN/FIN scan(?): '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth Null scan: '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=64 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `Bad TCP flag(64): '
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=128 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `Bad TCP flag(128): '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=64
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=128
380 17623 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 1 LOG flags 0 level 4 prefix `Fragmented packet: '
0 0 DROP all -f * * 0.0.0.0/0 0.0.0.0/0
iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 428K packets, 31M bytes)
 pkts bytes target prot opt in out source destination
697 41688 DNAT tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.2.38
118 6564 DNAT tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.2.38
45542 2601K DNAT tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 to:192.168.2.38
0 0 DNAT tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8899 to:192.168.2.38
7 364 DNAT tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 to:192.168.2.37:22
15 788 DNAT tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082 to:192.168.2.41:443
105 5464 DNAT tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083 to:192.168.2.45:443

Chain POSTROUTING (policy ACCEPT 479K packets, 34M bytes)
 pkts bytes target prot opt in out source destination
49079 2610K TCPMSS tcp -- * ppp+ 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
62427 3638K MASQUERADE all -- * ppp+ 192.168.2.0/24 !192.168.2.0/24

Chain OUTPUT (policy ACCEPT 432K packets, 31M bytes)
 pkts bytes target prot opt in out source destination
Thanks, the hint to search for "Hairpin NAT" helped me solve my problem. For anyone else who is interested, here are the magic rules:
# DNAT without "-i ppp+", so a LAN client connecting to the public address is rewritten as well
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 443 -j DNAT --to-destination $OFFICE
# Hairpin: LAN traffic to the server leaves with the firewall's address, so the reply comes back through the firewall
iptables -t nat -A POSTROUTING -s $INT_NET -d $SERVER -p tcp --dport 443 -j SNAT --to-source $FIREWALL
Thanks for your help!
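Why two rules are needed can be read off the configuration above. Every DNAT rule in the nat PREROUTING chain matches `-i ppp+`, so a packet from client1 to public_ip:10001 arrives on eth0, is never rewritten, and ends up in the firewall's own INPUT chain rather than being forwarded. Adding a DNAT for the LAN side alone is not enough either: the server would then see the client's real address and answer it directly over the LAN with source 192.168.2.11:443, while the client is waiting for a reply from public_ip:10001, so its TCP stack rejects the reply. The SNAT in POSTROUTING forces the server's reply back through the firewall, which un-DNATs it. The script below, an added example and not code from the original post or from Arno's iptables firewall, generates that rule set for the two servers in the question. The public address 203.0.113.10 is a placeholder for public_ip, and the FORWARD rule is included for firewalls that lack one (the FORWARD chain above already has an `ACCEPT all -- eth0 eth0` rule, so on this box it is redundant). By default it only prints the rules; `--apply` executes them.

```sh
#!/bin/sh
# Added example: hairpin NAT for the setup in the question (not the original post's code).
# Assumptions not in the original: EXT_IP is a placeholder, --apply is our own convention.
EXT_IP="${EXT_IP:-203.0.113.10}"   # public_ip in the question; override via the environment
INT_NET="192.168.2.0/24"
FW_LAN_IP="192.168.2.10"           # firewall's eth0 address
LAN_IF="eth0"
EXT_IF="ppp+"

# hairpin_rules PUBLIC_PORT SERVER_IP SERVER_PORT
# Emits the four iptables commands for one forwarded service, one per line.
hairpin_rules() {
    pub_port=$1; srv=$2; srv_port=$3
    cat <<EOF
# Internet -> $srv:$srv_port (the rule the question already has, on ppp+)
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $pub_port -j DNAT --to-destination $srv:$srv_port
# LAN client -> public_ip:$pub_port: rewrite the destination on the LAN side too
iptables -t nat -A PREROUTING -i $LAN_IF -d $EXT_IP -p tcp --dport $pub_port -j DNAT --to-destination $srv:$srv_port
# Hairpin: LAN-originated connections to $srv leave as the firewall, so the reply returns through it
iptables -t nat -A POSTROUTING -o $LAN_IF -s $INT_NET -d $srv -p tcp --dport $srv_port -j SNAT --to-source $FW_LAN_IP
# Allow the hairpinned flow through FORWARD (eth0 -> eth0); redundant where such a rule already exists
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $srv -p tcp --dport $srv_port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# The two services from the question: port 10000 -> server1, port 10001 -> server2
all_rules() {
    hairpin_rules 10000 192.168.2.11 443
    hairpin_rules 10001 192.168.2.12 443
}

# Execute the generated commands (needs root); comments are skipped
apply_rules() {
    all_rules | grep -v '^#' | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       all_rules ;;        # dry run: print the rules for review
esac
```

Two caveats for anyone copying this. Because of the SNAT, server1 and server2 log every hairpinned connection as coming from 192.168.2.10, so per-client audit trails and any rate limiting on the servers lose the real client address for LAN users; if that matters, split-horizon DNS (resolve the service name to 192.168.2.11 for LAN clients) avoids the hairpin entirely. And the rules are appended with `-A`, which is safe here only because the existing PREROUTING DNATs match `-i ppp+` and cannot shadow the eth0 rules; with a firewall script that rewrites its tables on restart, add them through the script's custom-rules hook instead of by hand.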