Iptables

數據包沒有到達 iptables 的 FILTER 鏈

  • April 28, 2013

我有一個我無法弄清楚的問題,我正在嘗試訪問網路伺服器[RPI],但數據包永遠不會到達iptables FILTER

我會試著解釋一下:

GW1有公共地址,從埠8080到做 DNAT 是一個用於 LAN192.168.69.14:80

S1的 openVPN 伺服器,並且VPN 是橋接的 在埠上執行的網路伺服器是預設網關,沒有公共地址eth0``tap0

[RPI]``80

GW2``[RPI]

    GW1 <-----------------> S1 <-----Open VPN tunnel------> [RPI] <--Default route--> GW2
(192.168.69.1)        (192.168.69.22)                 (192.168.69.14 - tap0)       (192.168.30.1)
                                                     (192.168.30.2 - wlan0)

現在,一切正常如果我從 到達[RPI]的網路伺服器S1GW2或者從 pingGW1

通但是如果我嘗試通過GW1埠上的公共 IP訪問網路伺服器8080,數據包確實到達[RPI],但消失在iptables.,正如您在此處看到的,還有iptables規則列印如下:

Apr 27 18:13:51 WeatherStorm kernel: [11383.698445] TRACE: raw:PREROUTING:rule:3 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=275 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215BF0000000001030307)
Apr 27 18:13:51 WeatherStorm kernel: [11383.874415] TRACE: raw:PREROUTING:policy:4 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=275 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215BF0000000001030307)
Apr 27 18:13:51 WeatherStorm kernel: [11384.051167] TRACE: mangle:PREROUTING:policy:1 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=275 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215BF0000000001030307)
Apr 27 18:13:51 WeatherStorm kernel: [11384.227423] TRACE: nat:PREROUTING:policy:1 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=275 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215BF0000000001030307)
Apr 27 18:13:52 WeatherStorm kernel: [11384.459821] TRACE: raw:PREROUTING:rule:3 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22576 DF PROTO=TCP SPT=33137 DPT=80 SEQ=671043022 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215FE0000000001030307)
Apr 27 18:13:52 WeatherStorm kernel: [11384.635037] TRACE: raw:PREROUTING:policy:4 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22576 DF PROTO=TCP SPT=33137 DPT=80 SEQ=671043022 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215FE0000000001030307)
Apr 27 18:13:52 WeatherStorm kernel: [11384.811610] TRACE: mangle:PREROUTING:policy:1 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22576 DF PROTO=TCP SPT=33137 DPT=80 SEQ=671043022 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215FE0000000001030307)
Apr 27 18:13:52 WeatherStorm kernel: [11384.988901] TRACE: nat:PREROUTING:policy:1 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22576 DF PROTO=TCP SPT=33137 DPT=80 SEQ=671043022 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B215FE0000000001030307)
Apr 27 18:13:54 WeatherStorm kernel: [11386.698855] TRACE: raw:PREROUTING:rule:3 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=276 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B218AD0000000001030307)
Apr 27 18:13:54 WeatherStorm kernel: [11386.874488] TRACE: raw:PREROUTING:policy:4 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=276 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B218AD0000000001030307)
Apr 27 18:13:54 WeatherStorm kernel: [11387.050505] TRACE: mangle:PREROUTING:policy:1 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=276 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B218AD0000000001030307)
Apr 27 18:13:54 WeatherStorm kernel: [11387.228835] TRACE: nat:PREROUTING:policy:1 IN=tap0 OUT= MAC=82:ed:f9:e6:c2:ea:00:0c:42:f5:XX:XX:XX:XX SRC=37.188.XXX.XXX DST=192.168.69.14 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=276 DF PROTO=TCP SPT=33136 DPT=80 SEQ=3502183596 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405360402080A01B218AD0000000001030307)

生的:

[root@WeatherStorm tmp]# iptables -L -nv -t raw
Chain PREROUTING (policy ACCEPT 5750 packets, 748K bytes)
pkts bytes target     prot opt in     out     source               destination         
  27  1620 TRACE      tcp  --  *      *       37.188.XXX.XXX       0.0.0.0/0           
 270 15120 TRACE      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
  51  3958 TRACE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

   Chain OUTPUT (policy ACCEPT 4768 packets, 911K bytes)
    pkts bytes target     prot opt in     out     source               destination         
       8   448 TRACE      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
       0     0 TRACE      tcp  --  *      *       0.0.0.0/0            37.188.XXX.XXX

混亂:

[root@WeatherStorm tmp]# iptables -L -nv -t mangle
Chain PREROUTING (policy ACCEPT 4177 packets, 544K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 3661 packets, 374K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3498 packets, 674K bytes)
pkts bytes target     prot opt in     out     source               destination  

Chain POSTROUTING (policy ACCEPT 3498 packets, 674K bytes)
pkts bytes target     prot opt in     out     source               destination

NAT:

[root@WeatherStorm tmp]# iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 596 packets, 180K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 80 packets, 9600 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 59 packets, 4443 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 59 packets, 4443 bytes)
pkts bytes target     prot opt in     out     source               destination

篩選:

[root@WeatherStorm tmp]# iptables -L -nv -t filter
   Chain INPUT (policy ACCEPT 23788 packets, 2365K bytes)
    pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 23777 packets, 5142K bytes)
pkts bytes target     prot opt in     out     source               destination

知道什麼/哪裡可能是問題嗎?如果我嘗試訪問GW2它看起來像

Apr 27 18:22:02 WeatherStorm kernel: [11873.756818] TRACE: raw:PREROUTING:policy:4 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34259 DF PROTO=TCP SPT=38739 DPT=80 SEQ=3482087833 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F44A0000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11873.850894] TRACE: mangle:PREROUTING:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34259 DF PROTO=TCP SPT=38739 DPT=80 SEQ=3482087833 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F44A0000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11873.945646] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34259 DF PROTO=TCP SPT=38739 DPT=80 SEQ=3482087833 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F44A0000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11874.039622] TRACE: mangle:INPUT:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34259 DF PROTO=TCP SPT=38739 DPT=80 SEQ=3482087833 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F44A0000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11874.133002] TRACE: filter:INPUT:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34259 DF PROTO=TCP SPT=38739 DPT=80 SEQ=3482087833 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F44A0000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11874.226404] TRACE: nat:INPUT:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34259 DF PROTO=TCP SPT=38739 DPT=80 SEQ=3482087833 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F44A0000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11874.319744] TRACE: raw:PREROUTING:policy:4 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22857 DF PROTO=TCP SPT=38740 DPT=80 SEQ=3524767168 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F4890000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11874.413794] TRACE: mangle:PREROUTING:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22857 DF PROTO=TCP SPT=38740 DPT=80 SEQ=3524767168 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F4890000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11874.508565] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22857 DF PROTO=TCP SPT=38740 DPT=80 SEQ=3524767168 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F4890000000001030307)
Apr 27 18:22:02 WeatherStorm kernel: [11874.602511] TRACE: mangle:INPUT:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22857 DF PROTO=TCP SPT=38740 DPT=80 SEQ=3524767168 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F4890000000001030307)
Apr 27 18:22:04 WeatherStorm kernel: [11874.695929] TRACE: filter:INPUT:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22857 DF PROTO=TCP SPT=38740 DPT=80 SEQ=3524767168 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F4890000000001030307)
Apr 27 18:22:04 WeatherStorm kernel: [11874.789331] TRACE: nat:INPUT:policy:1 IN=wlan0 OUT= MAC=a0:f3:c1:2f:86:6a:00:1c:bf:8e:XX:XX:XX:XX SRC=192.168.30.1 DST=192.168.30.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22857 DF PROTO=TCP SPT=38740 DPT=80 SEQ=3524767168 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01B3F4890000000001030307)

.

解決方案:

解決了以下iptables規則S1

iptables -A PREROUTING -t mangle -i br0 -p tcp --dport 80 -d 192.168.69.14 -j MARK --set-mark 1
iptables -A POSTROUTING -t nat --match mark --mark 1 -j SNAT --to-source 192.168.69.1

您的路由配置[RPI]不正確 - 如果您希望它可以從公共 Internet 地址通過 訪問GW1,則預設路由必須指向GW1,或者(如果從公共 Internet 地址的傳出連接[RPI]必須通過GW2)您需要在 上配置策略路由[RPI],以便屬於傳入連接的數據包通過GW1路由GW1

(第三個選項是將數據包GW1SNAT發送到192.168.69.1,以便它們[RPI]來自直接連接的 IP,但在這種情況下,您在處理這些數據包時將無法確定實際的客戶端地址[RPI]。對於 HTTP,您可以工作通過安裝反向 HTTP 代理GW1而不是使用 NAT 並在 HTTP 標頭中傳遞真實的客戶端 IP 來解決此問題。)

在您目前的配置中,來自tap0不來自直接連接主機的數據包可能會由於rp_filter在該介面上啟用而被丟棄(儘管根據ip-sysctl.txt,預設值為rp_filter0,許多發行版預設啟用它他們的網路配置)。如果您查看netfilter 數據包流程圖rp_filter則應用於“路由決策”節點,這與您的觀察結果一致(您看到的最後一個節點是nat:PREROUTING,就在“路由決策”節點之前)。

請注意,僅禁用rp_filter對您沒有幫助,因為來自的回複數據包[RPI]將僅通過 發送GW2,即使它們會以某種方式到達另一台主機,它也會拒絕它們,因為這些數據包不會通過 對它們進行適當的 NAT 處理GW1。您確實必須確保將通過GW1的 NAT 數據包的回復發送回GW1 - 沒有此 NAT 將無法正常工作。

引用自:https://serverfault.com/questions/503189

相關問答

Iptables

iptables - 只允許訪問不同子網上的單個埠

  • July 9, 2021
檢視問答
Iptables

OpenVPN 客戶端連接但無法訪問網際網路,即使我偽裝

  • December 13, 2019
檢視問答
Linux

使用 iptables 規則對 ssh 伺服器進行外部訪問

  • August 19, 2018
檢視問答
Iptables

埠轉發到 OpenVPN 連接一次然後停止連接

  • September 21, 2015
檢視問答
Linux

將埠和流量轉發到 VPN 隧道

  • April 24, 2015
檢視問答
Iptables

通過 OpenVPN 進行埠轉發

  • April 21, 2012
檢視問答