Iptables
Do I have the correct iptables configuration?
When I flush all the iptables rules I am able to set up tinc, but after enabling iptables and waiting a while I get a "Destination Net Unknown". I have three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3); MASTER and WEB are on DigitalOcean in the same data center.
HOME <--> MASTER <--> WEB
I have tried several FORWARD/MASQUERADE/etc. rules but don't understand what I am missing.
With iptables enabled (same rules on MASTER and WEB) I get the following:
HOME $ ping 10.0.3.1 ==> Success
HOME $ ping 10.0.3.3 ==> Destination Net Unknown
MASTER $ ping 10.0.3.2 ==> Success
MASTER $ ping 10.0.3.3 ==> Destination Net Unknown
WEB $ ping 10.0.3.1 ==> Destination Net Unknown
WEB $ ping 10.0.3.2 ==> Destination Net Unknown
It is not just ICMP; I get the same result with "nc -vz xxxx 22".
I would appreciate any help.
iptables -L -n -v
Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp  -- lo      * 0.0.0.0/0   0.0.0.0/0 tcp dpt:3306
    0     0 ACCEPT udp  -- lo      * 0.0.0.0/0   0.0.0.0/0 udp dpt:3306
    0     0 NRPE   tcp  -- *       * 0.0.0.0/0   0.0.0.0/0 tcp dpt:5666
    0     0 ACCEPT icmp -- *       * x.x.x.x     0.0.0.0/0 icmptype 8
    0     0 ACCEPT icmp -- *       * 127.0.0.1   0.0.0.0/0 icmptype 8
    0     0 ACCEPT icmp -- *       * 10.0.3.0/24 0.0.0.0/0 icmptype 8
    0     0 ACCEPT tcp  -- *       * 10.0.3.0/24 0.0.0.0/0
    0     0 ACCEPT udp  -- *       * 10.0.3.0/24 0.0.0.0/0
    0     0 DROP   icmp -- *       * 0.0.0.0/0   0.0.0.0/0 icmptype 8
    0     0 ACCEPT icmp -- *       * x.x.x.x     0.0.0.0/0 icmptype 8
    0     0 ACCEPT icmp -- *       * 0.0.0.0/0   0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp spt:5666
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
  192 13741 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp dpt:2222 state NEW,ESTABLISHED
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT all  -- lo      * 0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT all  -- docker0 * 0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT udp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 udp spt:53
    0     0 ACCEPT tcp  -- *       * 0.0.0.0/0   0.0.0.0/0 tcp dpt:80 limit: avg 25/min burst 100
    0     0 ACCEPT udp  -- *       * 0.0.0.0/0   0.0.0.0/0 udp spt:123
    0     0 ACCEPT tcp  -- *       * 0.0.0.0/0   0.0.0.0/0 tcp spt:25
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp spt:22 state ESTABLISHED
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp spt:2222 state ESTABLISHED
    0     0 ACCEPT tcp  -- *       * 0.0.0.0/0   0.0.0.0/0 tcp dpt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT udp  -- *       * 0.0.0.0/0   0.0.0.0/0 udp dpt:655 state NEW,ESTABLISHED
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp spt:80 state ESTABLISHED
    0     0 ACCEPT tcp  -- eth0    * 0.0.0.0/0   0.0.0.0/0 tcp spt:443 state ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  -- *       docker0 0.0.0.0/0     172.17.0.0/16 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT all  -- docker0 *       172.17.0.0/16 0.0.0.0/0
    0     0 ACCEPT all  -- docker0 docker0 0.0.0.0/0     0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 NRPE   tcp  -- * *       0.0.0.0/0   0.0.0.0/0 tcp spt:5666
    0     0 ACCEPT tcp  -- * *       10.0.3.0/24 0.0.0.0/0
    0     0 ACCEPT udp  -- * *       10.0.3.0/24 0.0.0.0/0
    0     0 ACCEPT icmp -- * *       0.0.0.0/0   0.0.0.0/0 icmptype 0
    0     0 ACCEPT icmp -- * *       0.0.0.0/0   0.0.0.0/0 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp dpt:5666
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp spt:22 state ESTABLISHED
  140 44173 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp spt:2222 state ESTABLISHED
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp spt:80 state ESTABLISHED
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp spt:443 state ESTABLISHED
    0     0 ACCEPT all  -- * lo      0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT all  -- * docker0 0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT udp  -- * eth0    0.0.0.0/0   0.0.0.0/0 udp dpt:53
    0     0 ACCEPT udp  -- * *       0.0.0.0/0   0.0.0.0/0 udp dpt:123
    0     0 ACCEPT tcp  -- * *       0.0.0.0/0   0.0.0.0/0 tcp dpt:25
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp dpt:2222 state NEW,ESTABLISHED
    0     0 ACCEPT tcp  -- * *       0.0.0.0/0   0.0.0.0/0 tcp spt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT udp  -- * *       0.0.0.0/0   0.0.0.0/0 udp spt:655 state NEW,ESTABLISHED
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT tcp  -- * eth0    0.0.0.0/0   0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED

Chain NRPE (2 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  -- * * 0.0.0.0/0 x.x.x.x
    0     0 ACCEPT all  -- * * x.x.x.x   0.0.0.0/0
    0     0 DROP   all  -- * * 0.0.0.0/0 0.0.0.0/0

iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
 pkts bytes target prot opt in out source destination
The problem was that I only accepted one direction, not both:
Failing:
# Allow Tinc VPN connections
iptables -A INPUT -p tcp --sport 655 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 655 -j ACCEPT
iptables -A INPUT -p udp --sport 655 -j ACCEPT
iptables -A OUTPUT -p udp --dport 655 -j ACCEPT
Working:
# Allow Tinc VPN connections
iptables -A INPUT -p tcp --sport 655 -j ACCEPT
iptables -A INPUT -p tcp --dport 655 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 655 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 655 -j ACCEPT
iptables -A INPUT -p udp --sport 655 -j ACCEPT
iptables -A INPUT -p udp --dport 655 -j ACCEPT
iptables -A OUTPUT -p udp --sport 655 -j ACCEPT
iptables -A OUTPUT -p udp --dport 655 -j ACCEPT
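A stateful alternative to the rules in the answer, added here as an example and not taken from the post or from the tinc project. The working set accepts packets because of their source port, so any remote host that sends from port 655 gets past INPUT whatever local port it targets (the listing above already has the same pattern for spt:22, 25, 53, 80, 123, 443 and 5666). Matching on conntrack state instead admits only replies to sessions this node opened or accepted, and one rule per direction covers every protocol. The interface names tun0 (tinc's device) and eth0 are assumptions; the subnet 10.0.3.0/24 is the one from the question. The generator runs anywhere; only loading the output needs root.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a stateful filter-table
# ruleset for one tinc node in iptables-restore(8) format. Assumptions that
# the page does not state: the tinc device is "tun0", the uplink is "eth0".
# The VPN subnet 10.0.3.0/24 is the one used in the question.

# tinc_rules TINC_IFACE VPN_SUBNET UPLINK_IFACE
tinc_rules() {
    tinc_if="$1"; vpn="$2"; uplink="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# One conntrack rule per direction replaces all source-port matching:
# replies get in because we opened the session, not because of a port.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# tinc meta connection (TCP 655) and data channel (UDP 655): new sessions
# may come in from the uplink and go out to peers; nothing else on 655.
-A INPUT -i $uplink -p tcp --dport 655 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $uplink -p udp --dport 655 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $uplink -p tcp --dport 655 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $uplink -p udp --dport 655 -m conntrack --ctstate NEW -j ACCEPT
# Decrypted VPN traffic appears on the tinc device; pin it to the VPN
# subnet so a peer cannot inject packets claiming some other source.
-A INPUT -i $tinc_if -s $vpn -j ACCEPT
-A OUTPUT -o $tinc_if -d $vpn -j ACCEPT
# Only needed when tinc.conf has "Forwarding = kernel" (plus ip_forward=1);
# with the default internal forwarding tinc relays between peers itself.
-A FORWARD -i $tinc_if -o $tinc_if -s $vpn -d $vpn -j ACCEPT
COMMIT
EOF
}

# has_rule RULESET PATTERN: succeeds if a rule line (comments excluded)
# matches PATTERN. Handy for asserting on the generated set before loading.
has_rule() {
    printf '%s\n' "$1" | grep -v '^#' | grep -q -- "$2"
}

# Usage (as root):
#   tinc_rules tun0 10.0.3.0/24 eth0 | iptables-restore
```

iptables-restore replaces the whole filter table, so merge the conntrack and 655 lines into the existing ruleset rather than loading this on top of the Docker and NRPE chains. The FORWARD rule matters only if tinc.conf sets Forwarding = kernel; with tinc's default internal forwarding the daemon on MASTER relays HOME <--> WEB packets itself and the kernel never sees them in the FORWARD chain, which is why INPUT and OUTPUT on port 655 are the rules that decide whether the mesh works.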