Iptables

LAN traffic does not return

  • July 13, 2017

I am trying to configure a dedicated firewall using iptables,

see my network diagram here

My firewall has 5 interfaces, 4 for the networks and the other for the WAN

  • WAN eth0 192.168.1.2/24
  • LAN 1 eth1 192.150.1.1/24
  • LAN 2 eth2 192.131.1.1/24

I enabled forwarding

root@FW # cat /proc/sys/net/ipv4/ip_forward
1

I also created the following NAT rules to allow traffic to the internet (via the router 192.168.1.1)

iptables -A POSTROUTING -t nat -o eth0 -s 192.131.1.0/24 -d 0/0 -j MASQUERADE

iptables -A POSTROUTING -t nat -o eth0 -s 192.150.1.0/24 -d 0/0 -j MASQUERADE

With the default ACCEPT policy we can access the internet, but when I change the FORWARD policy to DROP, then my problems start. I added the following rules so that only http/s and dns traffic is allowed

iptables -A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED  -j ACCEPT
iptables -A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED  -j ACCEPT
iptables -A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED  -j ACCEPT
iptables -A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED  -j ACCEPT

This is my current ip route table

root@FW ~ # ip route show
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel  scope link  src 192.168.1.2 
192.130.1.0/24 via 192.131.1.2 dev eth2 
192.131.1.0/24 dev eth2  proto kernel  scope link  src 192.131.1.1 
192.150.1.0/24 dev eth1  proto kernel  scope link  src 192.150.1.1

It looks like the traffic reaches the DNS but never returns to the host. Chrome returns DNS_PROBE_FINISHED_NO_INTERNET. I attach the tcpdump output of requests from eth1 192.150.1.0/24 to 8.8.8.8 192.168.1.0/24

root@FW ~ # tcpdump -vvv -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:41:15.611604 IP (tos 0x0, ttl 128, id 9100, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53613 > 65.55.223.33.http: Flags [S], cksum 0x0ee2 (correct), seq 2855330165, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:16.051447 IP (tos 0x0, ttl 128, id 15625, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53614 > 157.55.235.152.https: Flags [S], cksum 0xf970 (correct), seq 3105324572, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:16.339182 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has FW (02:53:02:81:98:91 (oui Unknown)) tell 192.150.1.200, length 46
21:41:16.339261 ARP, Ethernet (len 6), IPv4 (len 4), Reply FW is-at 02:53:02:81:98:91 (oui Unknown), length 28
21:41:16.462608 IP (tos 0x0, ttl 128, id 9473, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53615 > 157.56.52.16.40015: Flags [S], cksum 0x8130 (correct), seq 2382446181, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:16.462989 IP (tos 0x0, ttl 128, id 30784, offset 0, flags [none], proto UDP (17), length 61)
   192.150.1.200.63043 > 64.4.23.167.40004: [udp sum ok] UDP, length 33
21:41:16.463147 IP (tos 0x0, ttl 128, id 3241, offset 0, flags [none], proto UDP (17), length 61)
   192.150.1.200.63043 > 157.55.235.165.40001: [udp sum ok] UDP, length 33
21:41:16.463235 IP (tos 0x0, ttl 128, id 5293, offset 0, flags [none], proto UDP (17), length 64)
   192.150.1.200.63043 > 157.56.52.31.40027: [udp sum ok] UDP, length 36
21:41:16.873853 IP (tos 0x0, ttl 128, id 32090, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.54744 > 8.8.8.8.domain: [udp sum ok] 22934+ A? gfwsl.geforce.com. (35)
21:41:16.873957 IP (tos 0x0, ttl 128, id 31098, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.54744 > 8.8.4.4.domain: [udp sum ok] 22934+ A? gfwsl.geforce.com. (35)
21:41:17.001636 IP (tos 0x0, ttl 128, id 9101, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53611 > 65.55.223.33.https: Flags [S], cksum 0x22d2 (correct), seq 900743325, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:17.413618 IP (tos 0x0, ttl 128, id 16465, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53605 > 157.55.130.146.40017: Flags [S], cksum 0x668f (correct), seq 2041721579, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:17.414671 IP (tos 0x0, ttl 128, id 4478, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53604 > 65.55.223.14.40012: Flags [S], cksum 0xf23d (correct), seq 1566622488, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:17.441620 IP (tos 0x0, ttl 128, id 15628, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53612 > 157.55.235.152.40017: Flags [S], cksum 0xbdc7 (correct), seq 1961780058, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:17.662269 IP (tos 0x0, ttl 128, id 15629, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53616 > 157.55.235.152.http: Flags [S], cksum 0xaf6b (correct), seq 2477190907, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.074678 IP (tos 0x0, ttl 128, id 9475, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53617 > 157.56.52.16.https: Flags [S], cksum 0xac36 (correct), seq 923010287, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.436097 IP (tos 0x0, ttl 128, id 31792, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53618 > 157.55.56.150.40028: Flags [S], cksum 0x1b8d (correct), seq 4028513622, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.447987 IP (tos 0x0, ttl 128, id 32092, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.63422 > 8.8.8.8.domain: [udp sum ok] 40049+ A? google.com. (28)
21:41:18.448151 IP (tos 0x0, ttl 128, id 32093, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.63423 > 8.8.8.8.domain: [udp sum ok] 36172+ A? google.com. (28)
21:41:18.620387 IP (tos 0x0, ttl 128, id 9103, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53613 > 65.55.223.33.http: Flags [S], cksum 0x0ee2 (correct), seq 2855330165, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.765698 IP (tos 0x0, ttl 128, id 7901, offset 0, flags [none], proto UDP (17), length 229)
   192.150.1.200.netbios-dgm > 192.150.1.255.netbios-dgm: [udp sum ok] 
>>> NBT UDP PACKET(138) Res=0x110E ID=0x975E IP=192 (0xc0).169 (0xa9).1 (0x1).200 (0xc8) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=LAPTOP-99GNDJNH NameType=0x20 (Server)
DestName=WORKGROUP       NameType=0x1D (Master Browser)

SMB PACKET: SMBtrans (REQUEST)
SMB Command   =  0x25
Error class   =  0x0
Error code    =  0 (0x0)
Flags1        =  0x0
Flags2        =  0x0
Tree ID       =  0 (0x0)
Proc ID       =  0 (0x0)
UID           =  0 (0x0)
MID           =  0 (0x0)
Word Count    =  17 (0x11)
TotParamCnt=0 (0x0) 
TotDataCnt=33 (0x21) 
MaxParmCnt=0 (0x0) 
MaxDataCnt=0 (0x0)
MaxSCnt=0 (0x0) 
TransFlags=0x0 
Res1=0x3E8 
Res2=0x0 
Res3=0x0
ParamCnt=0 (0x0) 
ParamOff=0 (0x0) 
DataCnt=33 (0x21) 
DataOff=86 (0x56) 
SUCnt=3 (0x3)
Data: (6 bytes)
[000] 01 00 00 00 02 00                                 \0x01\0x00\0x00\0x00\0x02\0x00 
smb_bcc=50
Name=\MAILSLOT\BROWSE
BROWSE PACKET
BROWSE PACKET:
Type=0x1 (HostAnnouncement)
UpdateCount=0x8000
Res1=0xFC
AnnounceInterval=10 (0xa)
Name=LAPTOP-99GNDJNH NameType=0x00 (Workstation)
MajorVersion=0xA
MinorVersion=0x0
ServerType=0x1003
ElectionVersion=0x10F
BrowserConstant=0xAA55
Data: (1 bytes)
[000] 00                                                \0x00 



21:41:19.027797 IP (tos 0x0, ttl 128, id 4480, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53606 > 65.55.223.14.https: Flags [S], cksum 0x8ea0 (correct), seq 1025311113, win 65535, options [mss 1460,nop,nop,sackOK], length 0
21:41:19.027893 IP (tos 0x0, ttl 128, id 16469, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53607 > 157.55.130.146.https: Flags [S], cksum 0xda29 (correct), seq 4202952979, win 65535, options [mss 1460,nop,nop,sackOK], length 0
21:41:19.052327 IP (tos 0x0, ttl 128, id 15632, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53614 > 157.55.235.152.https: Flags [S], cksum 0xf970 (correct), seq 3105324572, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:19.458582 IP (tos 0x0, ttl 128, id 31101, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.63425 > 8.8.4.4.domain: [udp sum ok] 32283+ A? google.com. (28)
21:41:19.458765 IP (tos 0x0, ttl 128, id 31102, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.63426 > 8.8.4.4.domain: [udp sum ok] 53895+ A? google.com. (28)
21:41:19.463303 IP (tos 0x0, ttl 128, id 9476, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53615 > 157.56.52.16.40015: Flags [S], cksum 0x8130 (correct), seq 2382446181, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:19.692372 IP (tos 0x0, ttl 128, id 9477, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53619 > 157.56.52.16.http: Flags [S], cksum 0x1d9f (correct), seq 719167766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:20.061944 IP (tos 0x0, ttl 128, id 31795, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53620 > 157.55.56.150.https: Flags [S], cksum 0x211b (correct), seq 3246391558, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:20.630606 IP (tos 0x0, ttl 128, id 4481, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53608 > 65.55.223.14.http: Flags [S], cksum 0xb3e2 (correct), seq 665768734, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:20.630726 IP (tos 0x0, ttl 128, id 16472, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53609 > 157.55.130.146.http: Flags [S], cksum 0xb4b9 (correct), seq 3498846692, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:20.662191 IP (tos 0x0, ttl 128, id 15635, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53616 > 157.55.235.152.http: Flags [S], cksum 0xaf6b (correct), seq 2477190907, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:20.884881 IP (tos 0x0, ttl 128, id 31103, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:21.075165 IP (tos 0x0, ttl 128, id 9478, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53617 > 157.56.52.16.https: Flags [S], cksum 0xac36 (correct), seq 923010287, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:21.394390 IP (tos 0x0, ttl 128, id 9106, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53610 > 65.55.223.33.40008: Flags [S], cksum 0x39e9 (correct), seq 3395956302, win 65535, options [mss 1460,nop,nop,sackOK], length 0
21:41:21.436455 IP (tos 0x0, ttl 128, id 31798, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53618 > 157.55.56.150.40028: Flags [S], cksum 0x1b8d (correct), seq 4028513622, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:21.673410 IP (tos 0x0, ttl 128, id 31799, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53621 > 157.55.56.150.http: Flags [S], cksum 0xaffe (correct), seq 2772406221, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:21.885789 IP (tos 0x0, ttl 128, id 32097, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.57774 > 8.8.8.8.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:22.340262 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has FW (02:53:02:81:98:91 (oui Unknown)) tell 192.150.1.200, length 46
21:41:22.340331 ARP, Ethernet (len 6), IPv4 (len 4), Reply FW is-at 02:53:02:81:98:91 (oui Unknown), length 28
21:41:22.693442 IP (tos 0x0, ttl 128, id 9479, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53619 > 157.56.52.16.http: Flags [S], cksum 0x1d9f (correct), seq 719167766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:22.885826 IP (tos 0x0, ttl 128, id 31105, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:23.002899 IP (tos 0x0, ttl 128, id 9107, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53611 > 65.55.223.33.https: Flags [S], cksum 0x36e1 (correct), seq 900743325, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:23.061622 IP (tos 0x0, ttl 128, id 31800, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53620 > 157.55.56.150.https: Flags [S], cksum 0x211b (correct), seq 3246391558, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:23.442415 IP (tos 0x0, ttl 128, id 15639, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53612 > 157.55.235.152.40017: Flags [S], cksum 0xd1d6 (correct), seq 1961780058, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:23.464332 IP (tos 0x0, ttl 255, id 21983, offset 0, flags [none], proto UDP (17), length 419)
   192.150.1.200.mdns > 224.0.0.251.mdns: [udp sum ok] 0*- [0q] 8/0/4 200.1.169.192.in-addr.arpa. (Cache flush) [2m] PTR LAPTOP-99GNDJNH.local., 1.8.F.5.B.2.6.7.1.9.E.6.9.9.4.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) [2m] PTR LAPTOP-99GNDJNH.local., LAPTOP-99GNDJNH.local. (Cache flush) [2m] A 192.150.1.200, LAPTOP-99GNDJNH.local. (Cache flush) [2m] AAAA fe80::c499:6e91:762b:5f81, LAPTOP-99GNDJNH._nvstream._tcp.local. (Cache flush) [1h15m] TXT "", _services._dns-sd._udp.local. [1h15m] PTR _nvstream._tcp.local., _nvstream._tcp.local. [1h15m] PTR LAPTOP-99GNDJNH._nvstream._tcp.local., LAPTOP-99GNDJNH._nvstream._tcp.local. (Cache flush) [2m] SRV LAPTOP-99GNDJNH.local.:47989 0 0 ar: 200.1.169.192.in-addr.arpa. (Cache flush) [2m] NSEC, 1.8.F.5.B.2.6.7.1.9.E.6.9.9.4.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) [2m] NSEC, LAPTOP-99GNDJNH.local. (Cache flush) [2m] NSEC, LAPTOP-99GNDJNH._nvstream._tcp.local. (Cache flush) [1h15m] NSEC (391)
21:41:24.620554 IP (tos 0x0, ttl 128, id 9108, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53613 > 65.55.223.33.http: Flags [S], cksum 0x22f1 (correct), seq 2855330165, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:24.674211 IP (tos 0x0, ttl 128, id 31802, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53621 > 157.55.56.150.http: Flags [S], cksum 0xaffe (correct), seq 2772406221, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:24.886861 IP (tos 0x0, ttl 128, id 32099, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.57774 > 8.8.8.8.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:24.887037 IP (tos 0x0, ttl 128, id 31107, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:25.053331 IP (tos 0x0, ttl 128, id 15641, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53614 > 157.55.235.152.https: Flags [S], cksum 0x0d80 (correct), seq 3105324572, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:25.464672 IP (tos 0x0, ttl 128, id 9480, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53615 > 157.56.52.16.40015: Flags [S], cksum 0x953f (correct), seq 2382446181, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:25.613906 IP (tos 0x0, ttl 128, id 4218, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53622 > 65.55.223.37.40003: Flags [S], cksum 0x4dec (correct), seq 994407766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:26.661518 IP (tos 0x0, ttl 128, id 15642, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53616 > 157.55.235.152.http: Flags [S], cksum 0xc37a (correct), seq 2477190907, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:26.992828 IP (tos 0x0, ttl 128, id 31108, offset 0, flags [none], proto UDP (17), length 65)
   192.150.1.200.64992 > 8.8.4.4.domain: [udp sum ok] 21716+ A? ws12.gti.mcafee.com. (37)
21:41:26.998580 IP (tos 0x0, ttl 128, id 32102, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.64993 > 8.8.8.8.domain: [udp sum ok] 35561+ A? google.com. (28)
21:41:26.998842 IP (tos 0x0, ttl 128, id 32103, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.64994 > 8.8.8.8.domain: [udp sum ok] 185+ A? google.com. (28)
21:41:27.010390 IP (tos 0x0, ttl 128, id 31111, offset 0, flags [none], proto UDP (17), length 65)
   192.150.1.200.62055 > 8.8.4.4.domain: [udp sum ok] 60785+ AAAA? ws12.gti.mcafee.com. (37)
21:41:27.074715 IP (tos 0x0, ttl 128, id 9481, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53617 > 157.56.52.16.https: Flags [S], cksum 0xc045 (correct), seq 923010287, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:27.224280 IP (tos 0x0, ttl 128, id 4219, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53623 > 65.55.223.37.https: Flags [S], cksum 0x2bd4 (correct), seq 1595412003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:27.450803 IP (tos 0x0, ttl 128, id 31805, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53618 > 157.55.56.150.40028: Flags [S], cksum 0x2f9c (correct), seq 4028513622, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:27.850386 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has FW (02:53:02:81:98:91 (oui Unknown)) tell 192.150.1.200, length 46
21:41:27.850448 ARP, Ethernet (len 6), IPv4 (len 4), Reply FW is-at 02:53:02:81:98:91 (oui Unknown), length 28
21:41:27.994381 IP (tos 0x0, ttl 128, id 32105, offset 0, flags [none], proto UDP (17), length 65)
   192.150.1.200.64992 > 8.8.8.8.domain: [udp sum ok] 21716+ A? ws12.gti.mcafee.com. (37)
21:41:28.010271 IP (tos 0x0, ttl 128, id 32106, offset 0, flags [none], proto UDP (17), length 65)
   192.150.1.200.62055 > 8.8.8.8.domain: [udp sum ok] 60785+ AAAA? ws12.gti.mcafee.com. (37)
21:41:28.010401 IP (tos 0x0, ttl 128, id 31114, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.62057 > 8.8.4.4.domain: [udp sum ok] 34410+ A? google.com. (28)
21:41:28.010474 IP (tos 0x0, ttl 128, id 31115, offset 0, flags [none], proto UDP (17), length 56)
   192.150.1.200.62058 > 8.8.4.4.domain: [udp sum ok] 56428+ A? google.com. (28)
21:41:28.619868 IP (tos 0x0, ttl 128, id 4220, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53622 > 65.55.223.37.40003: Flags [S], cksum 0x4dec (correct), seq 994407766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:28.704219 IP (tos 0x0, ttl 128, id 9482, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53619 > 157.56.52.16.http: Flags [S], cksum 0x31ae (correct), seq 719167766, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:28.852916 IP (tos 0x0, ttl 128, id 4221, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53624 > 65.55.223.37.http: Flags [S], cksum 0x680d (correct), seq 3601685438, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:28.888538 IP (tos 0x0, ttl 128, id 32109, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.57774 > 8.8.8.8.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:28.888619 IP (tos 0x0, ttl 128, id 31117, offset 0, flags [none], proto UDP (17), length 63)
   192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:29.004117 IP (tos 0x0, ttl 128, id 31118, offset 0, flags [none], proto UDP (17), length 65)
   192.150.1.200.64992 > 8.8.4.4.domain: [udp sum ok] 21716+ A? ws12.gti.mcafee.com. (37)
21:41:29.020027 IP (tos 0x0, ttl 128, id 31119, offset 0, flags [none], proto UDP (17), length 65)
   192.150.1.200.62055 > 8.8.4.4.domain: [udp sum ok] 60785+ AAAA? ws12.gti.mcafee.com. (37)
21:41:29.061880 IP (tos 0x0, ttl 128, id 31806, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53620 > 157.55.56.150.https: Flags [S], cksum 0x352a (correct), seq 3246391558, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:30.223919 IP (tos 0x0, ttl 128, id 4222, offset 0, flags [DF], proto TCP (6), length 52)
   192.150.1.200.53623 > 65.55.223.37.https: Flags [S], cksum 0x2bd4 (correct), seq 1595412003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:30.673826 IP (tos 0x0, ttl 128, id 31807, offset 0, flags [DF], proto TCP (6), length 48)
   192.150.1.200.53621 > 157.55.56.150.http: Flags [S], cksum 0xc40d (correct), seq 2772406221, win 8192, options [mss 1460,nop,nop,sackOK], length 0
^C
77 packets captured
77 packets received by filter

Can anyone see a solution to this problem that I'm missing? Thanks in advance.

PS: my distro is Debian, but I don't think it's relevant

Edit: added iptables -S

root@FW ~ # iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 192.168.1.7/32 -d 192.168.1.2/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.131.1.0/24 -i eth1 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.2/32 -d 192.168.1.7/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

root@FW ~ # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.150.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.131.1.0/24 -o eth0 -j MASQUERADE

I don't see a rule allowing the return traffic to be forwarded - something like -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT.

Try being less restrictive in the first instance, then restrict access once it works. Does something like this work for you:

iptables -P FORWARD ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Once you have it working in the simplest way, then try restricting traffic line by line by source, destination and protocol to see what works and what doesn't.

The connection uses random/dynamic port numbers on the client side, so you can't handle the return traffic the same way. Just rely on ESTABLISHED,RELATED - this will effectively block any other traffic.
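To make the answer's point concrete, here is an added Python model of the FORWARD chain with a minimal connection tracker; it is example code written for this page, not code from the question or the answer. It replays the question's FORWARD rules (from its iptables -S output) against the DNS query from 192.150.1.200 to 8.8.8.8 and the server's reply, with and without the return-path rule the answer proposes; interface names, subnets and ports come from the question, the conntrack model is simplified, and the unsolicited 203.0.113.5 probe is a constructed sample.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport in_if out_if")
# One FORWARD rule; None / empty means the option is absent (matches anything).
Rule = namedtuple("Rule", "target in_if out_if src proto dports states",
                  defaults=(None, None, None, None, (), frozenset()))

class Conntrack:
    """Simplified conntrack: a flow is NEW until its reverse direction is seen,
    then ESTABLISHED. Only accepted packets create entries, as in the kernel."""
    def __init__(self):
        self.flows = {}
    def state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.flows:             # this packet answers a tracked flow
            self.flows[rev] = "ESTABLISHED"
            return "ESTABLISHED"
        return self.flows.get(fwd, "NEW")
    def commit(self, p):
        self.flows.setdefault((p.proto, p.src, p.sport, p.dst, p.dport), "NEW")

def matches(r, p, state):
    """Apply the -i/-o/-s/-p/--dports/--state tests of one rule."""
    return ((r.in_if is None or r.in_if == p.in_if)
            and (r.out_if is None or r.out_if == p.out_if)
            and (r.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src))
            and (r.proto is None or r.proto == p.proto)
            and (not r.dports or p.dport in r.dports)
            and (not r.states or state in r.states))

def forward(rules, ct, p, policy="DROP"):
    """Walk the FORWARD chain: first matching rule wins, otherwise the policy."""
    state = ct.state(p)
    verdict = next((r.target for r in rules if matches(r, p, state)), policy)
    if verdict == "ACCEPT":
        ct.commit(p)
    return verdict

ST = frozenset({"NEW", "RELATED", "ESTABLISHED"})
# The question's FORWARD chain, in the order iptables -S printed it.
QUESTION_RULES = [
    Rule("ACCEPT", "eth2", "eth0", "192.131.1.0/24", "udp", (53,), ST),
    Rule("ACCEPT", "eth2", "eth0", "192.131.1.0/24", "tcp", (80, 443, 53), ST),
    Rule("ACCEPT", "eth1", "eth0", "192.150.1.0/24", "tcp", (80, 443, 53), ST),
    Rule("ACCEPT", "eth1", "eth0", "192.131.1.0/24", "udp", (53,), ST),
    Rule("ACCEPT", "eth1", "eth0", "192.150.1.0/24", None, (), ST),
]
# The answer's return-path rule: -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
RETURN_RULE = Rule("ACCEPT", in_if="eth0", states=frozenset({"RELATED", "ESTABLISHED"}))

def dns_round_trip(rules):
    """Verdicts for the client's DNS query to 8.8.8.8 and for the server's reply
    (already de-NATed in PREROUTING, so FORWARD sees the LAN address)."""
    ct = Conntrack()
    query = Packet("udp", "192.150.1.200", 54744, "8.8.8.8", 53, "eth1", "eth0")
    reply = Packet("udp", "8.8.8.8", 53, "192.150.1.200", 54744, "eth0", "eth1")
    return forward(rules, ct, query), forward(rules, ct, reply)

def unsolicited_inbound(rules):
    """Constructed inbound SYN nobody asked for: NEW on eth0, must stay dropped."""
    ct = Conntrack()
    probe = Packet("tcp", "203.0.113.5", 40000, "192.150.1.200", 445, "eth0", "eth1")
    return forward(rules, ct, probe)
```

Without the return rule the query is accepted by the last catch-all rule but the reply arrives on eth0, matches nothing and hits the DROP policy; with it the reply passes as ESTABLISHED while a fresh inbound connection is still dropped.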

Source: https://serverfault.com/questions/861612