Iptables
Internal traffic does not come back
I am trying to set up a dedicated firewall with iptables.
My firewall has 5 interfaces, 4 for the networks and the other one for the WAN:
- WAN eth0 192.168.1.2/24
- LAN 1 eth1 192.150.1.1/24
- LAN 2 eth2 192.131.1.1/24
I have enabled forwarding:
```
root@FW # cat /proc/sys/net/ipv4/ip_forward
1
```
I have also created the following NAT rules to allow traffic to the Internet (through the router 192.168.1.1):
```
iptables -A POSTROUTING -t nat -o eth0 -s 192.131.1.0/24 -d 0/0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -s 192.150.1.0/24 -d 0/0 -j MASQUERADE
```
With the default ACCEPT policy we can reach the Internet, but when I change the FORWARD policy to DROP my problems start. I added the following rules so that only HTTP/S and DNS traffic is allowed:
```
iptables -A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
```
This is my current IP routing table:
```
root@FW ~ # ip route show
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
192.130.1.0/24 via 192.131.1.2 dev eth2
192.131.1.0/24 dev eth2 proto kernel scope link src 192.131.1.1
192.150.1.0/24 dev eth1 proto kernel scope link src 192.150.1.1
```
It looks like the traffic reaches the DNS server but never comes back to the host. Chrome reports DNS_PROBE_FINISHED_NO_INTERNET. Here is the tcpdump output on eth1 for requests from 192.150.1.0/24 to 8.8.8.8 (via 192.168.1.0/24):
```
root@FW ~ # tcpdump -vvv -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:41:15.611604 IP (tos 0x0, ttl 128, id 9100, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53613 > 65.55.223.33.http: Flags [S], cksum 0x0ee2 (correct), seq 2855330165, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:16.051447 IP (tos 0x0, ttl 128, id 15625, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53614 > 157.55.235.152.https: Flags [S], cksum 0xf970 (correct), seq 3105324572, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:16.339182 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has FW (02:53:02:81:98:91 (oui Unknown)) tell 192.150.1.200, length 46
21:41:16.339261 ARP, Ethernet (len 6), IPv4 (len 4), Reply FW is-at 02:53:02:81:98:91 (oui Unknown), length 28
21:41:16.462608 IP (tos 0x0, ttl 128, id 9473, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53615 > 157.56.52.16.40015: Flags [S], cksum 0x8130 (correct), seq 2382446181, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:16.462989 IP (tos 0x0, ttl 128, id 30784, offset 0, flags [none], proto UDP (17), length 61)
    192.150.1.200.63043 > 64.4.23.167.40004: [udp sum ok] UDP, length 33
21:41:16.463147 IP (tos 0x0, ttl 128, id 3241, offset 0, flags [none], proto UDP (17), length 61)
    192.150.1.200.63043 > 157.55.235.165.40001: [udp sum ok] UDP, length 33
21:41:16.463235 IP (tos 0x0, ttl 128, id 5293, offset 0, flags [none], proto UDP (17), length 64)
    192.150.1.200.63043 > 157.56.52.31.40027: [udp sum ok] UDP, length 36
21:41:16.873853 IP (tos 0x0, ttl 128, id 32090, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.54744 > 8.8.8.8.domain: [udp sum ok] 22934+ A? gfwsl.geforce.com. (35)
21:41:16.873957 IP (tos 0x0, ttl 128, id 31098, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.54744 > 8.8.4.4.domain: [udp sum ok] 22934+ A? gfwsl.geforce.com. (35)
21:41:17.001636 IP (tos 0x0, ttl 128, id 9101, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53611 > 65.55.223.33.https: Flags [S], cksum 0x22d2 (correct), seq 900743325, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:17.413618 IP (tos 0x0, ttl 128, id 16465, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53605 > 157.55.130.146.40017: Flags [S], cksum 0x668f (correct), seq 2041721579, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:17.414671 IP (tos 0x0, ttl 128, id 4478, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53604 > 65.55.223.14.40012: Flags [S], cksum 0xf23d (correct), seq 1566622488, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:17.441620 IP (tos 0x0, ttl 128, id 15628, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53612 > 157.55.235.152.40017: Flags [S], cksum 0xbdc7 (correct), seq 1961780058, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:17.662269 IP (tos 0x0, ttl 128, id 15629, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53616 > 157.55.235.152.http: Flags [S], cksum 0xaf6b (correct), seq 2477190907, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.074678 IP (tos 0x0, ttl 128, id 9475, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53617 > 157.56.52.16.https: Flags [S], cksum 0xac36 (correct), seq 923010287, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.436097 IP (tos 0x0, ttl 128, id 31792, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53618 > 157.55.56.150.40028: Flags [S], cksum 0x1b8d (correct), seq 4028513622, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.447987 IP (tos 0x0, ttl 128, id 32092, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.63422 > 8.8.8.8.domain: [udp sum ok] 40049+ A? google.com. (28)
21:41:18.448151 IP (tos 0x0, ttl 128, id 32093, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.63423 > 8.8.8.8.domain: [udp sum ok] 36172+ A? google.com. (28)
21:41:18.620387 IP (tos 0x0, ttl 128, id 9103, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53613 > 65.55.223.33.http: Flags [S], cksum 0x0ee2 (correct), seq 2855330165, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:18.765698 IP (tos 0x0, ttl 128, id 7901, offset 0, flags [none], proto UDP (17), length 229)
    192.150.1.200.netbios-dgm > 192.150.1.255.netbios-dgm: [udp sum ok]
>>> NBT UDP PACKET(138) Res=0x110E ID=0x975E IP=192 (0xc0).169 (0xa9).1 (0x1).200 (0xc8) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
SourceName=LAPTOP-99GNDJNH NameType=0x20 (Server)
DestName=WORKGROUP NameType=0x1D (Master Browser)

SMB PACKET: SMBtrans (REQUEST)
SMB Command   =  0x25
Error class   =  0x0
Error code    =  0 (0x0)
Flags1        =  0x0
Flags2        =  0x0
Tree ID       =  0 (0x0)
Proc ID       =  0 (0x0)
UID           =  0 (0x0)
MID           =  0 (0x0)
Word Count    =  17 (0x11)
TotParamCnt=0 (0x0)
TotDataCnt=33 (0x21)
MaxParmCnt=0 (0x0)
MaxDataCnt=0 (0x0)
MaxSCnt=0 (0x0)
TransFlags=0x0
Res1=0x3E8
Res2=0x0
Res3=0x0
ParamCnt=0 (0x0)
ParamOff=0 (0x0)
DataCnt=33 (0x21)
DataOff=86 (0x56)
SUCnt=3 (0x3)
Data: (6 bytes)
[000] 01 00 00 00 02 00   \0x01\0x00\0x00\0x00\0x02\0x00
smb_bcc=50
Name=\MAILSLOT\BROWSE
BROWSE PACKET
BROWSE PACKET:
Type=0x1 (HostAnnouncement)
UpdateCount=0x8000
Res1=0xFC
AnnounceInterval=10 (0xa)
Name=LAPTOP-99GNDJNH
NameType=0x00 (Workstation)
MajorVersion=0xA
MinorVersion=0x0
ServerType=0x1003
ElectionVersion=0x10F
BrowserConstant=0xAA55
Data: (1 bytes)
[000] 00   \0x00

21:41:19.027797 IP (tos 0x0, ttl 128, id 4480, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53606 > 65.55.223.14.https: Flags [S], cksum 0x8ea0 (correct), seq 1025311113, win 65535, options [mss 1460,nop,nop,sackOK], length 0
21:41:19.027893 IP (tos 0x0, ttl 128, id 16469, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53607 > 157.55.130.146.https: Flags [S], cksum 0xda29 (correct), seq 4202952979, win 65535, options [mss 1460,nop,nop,sackOK], length 0
21:41:19.052327 IP (tos 0x0, ttl 128, id 15632, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53614 > 157.55.235.152.https: Flags [S], cksum 0xf970 (correct), seq 3105324572, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:19.458582 IP (tos 0x0, ttl 128, id 31101, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.63425 > 8.8.4.4.domain: [udp sum ok] 32283+ A? google.com. (28)
21:41:19.458765 IP (tos 0x0, ttl 128, id 31102, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.63426 > 8.8.4.4.domain: [udp sum ok] 53895+ A? google.com. (28)
21:41:19.463303 IP (tos 0x0, ttl 128, id 9476, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53615 > 157.56.52.16.40015: Flags [S], cksum 0x8130 (correct), seq 2382446181, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:19.692372 IP (tos 0x0, ttl 128, id 9477, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53619 > 157.56.52.16.http: Flags [S], cksum 0x1d9f (correct), seq 719167766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:20.061944 IP (tos 0x0, ttl 128, id 31795, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53620 > 157.55.56.150.https: Flags [S], cksum 0x211b (correct), seq 3246391558, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:20.630606 IP (tos 0x0, ttl 128, id 4481, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53608 > 65.55.223.14.http: Flags [S], cksum 0xb3e2 (correct), seq 665768734, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:20.630726 IP (tos 0x0, ttl 128, id 16472, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53609 > 157.55.130.146.http: Flags [S], cksum 0xb4b9 (correct), seq 3498846692, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:20.662191 IP (tos 0x0, ttl 128, id 15635, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53616 > 157.55.235.152.http: Flags [S], cksum 0xaf6b (correct), seq 2477190907, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:20.884881 IP (tos 0x0, ttl 128, id 31103, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:21.075165 IP (tos 0x0, ttl 128, id 9478, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53617 > 157.56.52.16.https: Flags [S], cksum 0xac36 (correct), seq 923010287, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:21.394390 IP (tos 0x0, ttl 128, id 9106, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53610 > 65.55.223.33.40008: Flags [S], cksum 0x39e9 (correct), seq 3395956302, win 65535, options [mss 1460,nop,nop,sackOK], length 0
21:41:21.436455 IP (tos 0x0, ttl 128, id 31798, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53618 > 157.55.56.150.40028: Flags [S], cksum 0x1b8d (correct), seq 4028513622, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:21.673410 IP (tos 0x0, ttl 128, id 31799, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53621 > 157.55.56.150.http: Flags [S], cksum 0xaffe (correct), seq 2772406221, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:21.885789 IP (tos 0x0, ttl 128, id 32097, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.57774 > 8.8.8.8.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:22.340262 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has FW (02:53:02:81:98:91 (oui Unknown)) tell 192.150.1.200, length 46
21:41:22.340331 ARP, Ethernet (len 6), IPv4 (len 4), Reply FW is-at 02:53:02:81:98:91 (oui Unknown), length 28
21:41:22.693442 IP (tos 0x0, ttl 128, id 9479, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53619 > 157.56.52.16.http: Flags [S], cksum 0x1d9f (correct), seq 719167766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:22.885826 IP (tos 0x0, ttl 128, id 31105, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:23.002899 IP (tos 0x0, ttl 128, id 9107, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53611 > 65.55.223.33.https: Flags [S], cksum 0x36e1 (correct), seq 900743325, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:23.061622 IP (tos 0x0, ttl 128, id 31800, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53620 > 157.55.56.150.https: Flags [S], cksum 0x211b (correct), seq 3246391558, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:23.442415 IP (tos 0x0, ttl 128, id 15639, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53612 > 157.55.235.152.40017: Flags [S], cksum 0xd1d6 (correct), seq 1961780058, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:23.464332 IP (tos 0x0, ttl 255, id 21983, offset 0, flags [none], proto UDP (17), length 419)
    192.150.1.200.mdns > 224.0.0.251.mdns: [udp sum ok] 0*- [0q] 8/0/4 200.1.169.192.in-addr.arpa. (Cache flush) [2m] PTR LAPTOP-99GNDJNH.local., 1.8.F.5.B.2.6.7.1.9.E.6.9.9.4.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) [2m] PTR LAPTOP-99GNDJNH.local., LAPTOP-99GNDJNH.local. (Cache flush) [2m] A 192.150.1.200, LAPTOP-99GNDJNH.local. (Cache flush) [2m] AAAA fe80::c499:6e91:762b:5f81, LAPTOP-99GNDJNH._nvstream._tcp.local. (Cache flush) [1h15m] TXT "", _services._dns-sd._udp.local. [1h15m] PTR _nvstream._tcp.local., _nvstream._tcp.local. [1h15m] PTR LAPTOP-99GNDJNH._nvstream._tcp.local., LAPTOP-99GNDJNH._nvstream._tcp.local. (Cache flush) [2m] SRV LAPTOP-99GNDJNH.local.:47989 0 0 ar: 200.1.169.192.in-addr.arpa. (Cache flush) [2m] NSEC, 1.8.F.5.B.2.6.7.1.9.E.6.9.9.4.C.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) [2m] NSEC, LAPTOP-99GNDJNH.local. (Cache flush) [2m] NSEC, LAPTOP-99GNDJNH._nvstream._tcp.local. (Cache flush) [1h15m] NSEC (391)
21:41:24.620554 IP (tos 0x0, ttl 128, id 9108, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53613 > 65.55.223.33.http: Flags [S], cksum 0x22f1 (correct), seq 2855330165, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:24.674211 IP (tos 0x0, ttl 128, id 31802, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53621 > 157.55.56.150.http: Flags [S], cksum 0xaffe (correct), seq 2772406221, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:24.886861 IP (tos 0x0, ttl 128, id 32099, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.57774 > 8.8.8.8.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:24.887037 IP (tos 0x0, ttl 128, id 31107, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:25.053331 IP (tos 0x0, ttl 128, id 15641, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53614 > 157.55.235.152.https: Flags [S], cksum 0x0d80 (correct), seq 3105324572, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:25.464672 IP (tos 0x0, ttl 128, id 9480, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53615 > 157.56.52.16.40015: Flags [S], cksum 0x953f (correct), seq 2382446181, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:25.613906 IP (tos 0x0, ttl 128, id 4218, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53622 > 65.55.223.37.40003: Flags [S], cksum 0x4dec (correct), seq 994407766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:26.661518 IP (tos 0x0, ttl 128, id 15642, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53616 > 157.55.235.152.http: Flags [S], cksum 0xc37a (correct), seq 2477190907, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:26.992828 IP (tos 0x0, ttl 128, id 31108, offset 0, flags [none], proto UDP (17), length 65)
    192.150.1.200.64992 > 8.8.4.4.domain: [udp sum ok] 21716+ A? ws12.gti.mcafee.com. (37)
21:41:26.998580 IP (tos 0x0, ttl 128, id 32102, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.64993 > 8.8.8.8.domain: [udp sum ok] 35561+ A? google.com. (28)
21:41:26.998842 IP (tos 0x0, ttl 128, id 32103, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.64994 > 8.8.8.8.domain: [udp sum ok] 185+ A? google.com. (28)
21:41:27.010390 IP (tos 0x0, ttl 128, id 31111, offset 0, flags [none], proto UDP (17), length 65)
    192.150.1.200.62055 > 8.8.4.4.domain: [udp sum ok] 60785+ AAAA? ws12.gti.mcafee.com. (37)
21:41:27.074715 IP (tos 0x0, ttl 128, id 9481, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53617 > 157.56.52.16.https: Flags [S], cksum 0xc045 (correct), seq 923010287, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:27.224280 IP (tos 0x0, ttl 128, id 4219, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53623 > 65.55.223.37.https: Flags [S], cksum 0x2bd4 (correct), seq 1595412003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:27.450803 IP (tos 0x0, ttl 128, id 31805, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53618 > 157.55.56.150.40028: Flags [S], cksum 0x2f9c (correct), seq 4028513622, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:27.850386 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has FW (02:53:02:81:98:91 (oui Unknown)) tell 192.150.1.200, length 46
21:41:27.850448 ARP, Ethernet (len 6), IPv4 (len 4), Reply FW is-at 02:53:02:81:98:91 (oui Unknown), length 28
21:41:27.994381 IP (tos 0x0, ttl 128, id 32105, offset 0, flags [none], proto UDP (17), length 65)
    192.150.1.200.64992 > 8.8.8.8.domain: [udp sum ok] 21716+ A? ws12.gti.mcafee.com. (37)
21:41:28.010271 IP (tos 0x0, ttl 128, id 32106, offset 0, flags [none], proto UDP (17), length 65)
    192.150.1.200.62055 > 8.8.8.8.domain: [udp sum ok] 60785+ AAAA? ws12.gti.mcafee.com. (37)
21:41:28.010401 IP (tos 0x0, ttl 128, id 31114, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.62057 > 8.8.4.4.domain: [udp sum ok] 34410+ A? google.com. (28)
21:41:28.010474 IP (tos 0x0, ttl 128, id 31115, offset 0, flags [none], proto UDP (17), length 56)
    192.150.1.200.62058 > 8.8.4.4.domain: [udp sum ok] 56428+ A? google.com. (28)
21:41:28.619868 IP (tos 0x0, ttl 128, id 4220, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53622 > 65.55.223.37.40003: Flags [S], cksum 0x4dec (correct), seq 994407766, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:28.704219 IP (tos 0x0, ttl 128, id 9482, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53619 > 157.56.52.16.http: Flags [S], cksum 0x31ae (correct), seq 719167766, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:28.852916 IP (tos 0x0, ttl 128, id 4221, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53624 > 65.55.223.37.http: Flags [S], cksum 0x680d (correct), seq 3601685438, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:28.888538 IP (tos 0x0, ttl 128, id 32109, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.57774 > 8.8.8.8.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:28.888619 IP (tos 0x0, ttl 128, id 31117, offset 0, flags [none], proto UDP (17), length 63)
    192.150.1.200.57774 > 8.8.4.4.domain: [udp sum ok] 38873+ A? app.standsapp.org. (35)
21:41:29.004117 IP (tos 0x0, ttl 128, id 31118, offset 0, flags [none], proto UDP (17), length 65)
    192.150.1.200.64992 > 8.8.4.4.domain: [udp sum ok] 21716+ A? ws12.gti.mcafee.com. (37)
21:41:29.020027 IP (tos 0x0, ttl 128, id 31119, offset 0, flags [none], proto UDP (17), length 65)
    192.150.1.200.62055 > 8.8.4.4.domain: [udp sum ok] 60785+ AAAA? ws12.gti.mcafee.com. (37)
21:41:29.061880 IP (tos 0x0, ttl 128, id 31806, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53620 > 157.55.56.150.https: Flags [S], cksum 0x352a (correct), seq 3246391558, win 8192, options [mss 1460,nop,nop,sackOK], length 0
21:41:30.223919 IP (tos 0x0, ttl 128, id 4222, offset 0, flags [DF], proto TCP (6), length 52)
    192.150.1.200.53623 > 65.55.223.37.https: Flags [S], cksum 0x2bd4 (correct), seq 1595412003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:41:30.673826 IP (tos 0x0, ttl 128, id 31807, offset 0, flags [DF], proto TCP (6), length 48)
    192.150.1.200.53621 > 157.55.56.150.http: Flags [S], cksum 0xc40d (correct), seq 2772406221, win 8192, options [mss 1460,nop,nop,sackOK], length 0
^C
77 packets captured
77 packets received by filter
```
Can anyone see a way to solve this that I am missing? Thanks in advance.
PS: my distro is Debian, but I don't think that is relevant.
EDIT: adding iptables -S
```
root@FW ~ # iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 192.168.1.7/32 -d 192.168.1.2/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.131.1.0/24 -i eth2 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -p tcp -m multiport --dports 80,443,53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.131.1.0/24 -i eth1 -o eth0 -p udp -m multiport --dports 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.150.1.0/24 -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.2/32 -d 192.168.1.7/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
root@FW ~ # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.150.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.131.1.0/24 -o eth0 -j MASQUERADE
```
I can't see a rule that allows the return traffic to be forwarded, something like:
```
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
Try being less restrictive at first, then restrict access once it works. Does something like this work for you:
```
iptables -P FORWARD ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
```
Once you have it working in the simplest way, try restricting the traffic line by line by source, destination and protocol, and see what works and what doesn't.
The connection uses random/dynamic port numbers on the client side, so you cannot handle the return traffic the same way. Just rely on ESTABLISHED,RELATED; that will effectively block any other traffic.
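Putting the two answers together, as an added example that is not part of the original question or of either answer: a complete FORWARD and NAT rule set for the three-interface firewall described in the question, written so that the stateful return rule is evaluated before any per-LAN rule. The interface names and subnets are the ones from the question; the rule order, the `-m conntrack --ctstate` match (the current spelling of the `-m state --state` match used on the page), the INVALID drop and the LOG rule are my choices. It is a plain POSIX shell script; by default `IPT` is `echo iptables`, so running it only prints the commands for review without touching the firewall.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Three-interface firewall from the question: eth0 WAN, eth1 = 192.150.1.0/24,
# eth2 = 192.131.1.0/24. Default is dry-run: IPT="echo iptables" prints the
# commands. Run as IPT=iptables sh fw.sh (as root) to apply them.
IPT="${IPT:-echo iptables}"

WAN=eth0
LAN1=eth1; LAN1_NET=192.150.1.0/24
LAN2=eth2; LAN2_NET=192.131.1.0/24

build_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # 1. Replies first. A reply to a flow the firewall already accepted comes
    #    back through eth0 toward eth1/eth2 with the server's port as *source*
    #    and the client's random port as destination, so neither
    #    "-i eth1 -o eth0" nor "--dports 80,443,53" can ever match it.
    #    conntrack recognises it regardless of interface or port.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Packets conntrack cannot associate with any flow (stray ACKs,
    # out-of-window segments) are dropped here instead of being evaluated
    # against the NEW rules below.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 2. New flows: each LAN may open HTTP/HTTPS/DNS connections toward the
    #    WAN only. Tying each subnet to its own interface keeps a host on
    #    eth2 from using eth1's addresses.
    for lan in "$LAN1 $LAN1_NET" "$LAN2 $LAN2_NET"; do
        set -- $lan    # $1 = interface, $2 = subnet
        $IPT -A FORWARD -i "$1" -o "$WAN" -s "$2" -p tcp -m multiport --dports 80,443,53 \
             -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A FORWARD -i "$1" -o "$WAN" -s "$2" -p udp --dport 53 \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # 3. Log (rate-limited) whatever is about to hit the DROP policy, so a
    #    missing rule shows up in the kernel log instead of as a silent timeout.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_nat_rules() {
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN1_NET" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN2_NET" -j MASQUERADE
}

# 1-based position, among the appended FORWARD rules, of the first rule whose
# text matches $1. Lets a reviewer confirm the stateful rule really is first.
forward_rule_index() {
    build_forward_rules | grep -- '-A FORWARD' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_forward_rules
build_nat_rules
```

After applying, `iptables -vnL FORWARD` shows per-rule packet counters: with the stateful rule first, the replies that never showed up in the question's eth1 capture are counted by that rule instead of falling through to the DROP policy, and `conntrack -L` (from conntrack-tools) lists the flows it is matching against. The `-s` match on each NEW rule is deliberate: without it, the rule order alone would still let a host on eth2 send traffic with eth1 source addresses through the wrong interface.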