Networking
Cannot connect to access point because of iptables/filter
Setup
Raspberry Pi connected to the router over Ethernet on subnet 192.168.0.0/24
Raspberry Pi access point on subnet 192.168.43.0/24
I am using the nordvpn app, and when I connect to the VPN it applies a filter to my network:
Problem
After this filter is applied I **cannot connect to my access point.** Obtaining an IP fails. I tried whitelisting ports 68 and 69, but that did not help. What exactly in the filter causes this?
I also tried
```
sudo iptables -A INPUT -s 192.168.43.0/24 -j ACCEPT
```
Filter:
```
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i lo -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i wlan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 192.168.43.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o tun0 -j ACCEPT
-A OUTPUT -d 10.8.0.0/24 -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
```
Tshark output when I cannot connect:
```
Capturing on 'wlan0'
 1 0.000000000 fe80::8109:8fd:40d6:ea23 → ff02::2 ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
 2 6.347075913 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
 3 6.405992489 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
 4 6.407274309 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
 5 6.419174541 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
 6 6.664258217 :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
 7 6.664945194 :: → ff02::16 ICMPv6 110 Multicast Listener Report Message v2
 8 6.829452451 0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0x745f4be
 9 7.477149785 :: → ff02::16 ICMPv6 110 Multicast Listener Report Message v2
10 7.550230284 fe80::8109:8fd:40d6:ea23 → ff02::16 ICMPv6 110 Multicast Listener Report Message v2
11 7.550522158 fe80::8109:8fd:40d6:ea23 → ff02::2 ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
12 7.600963546 fe80::8109:8fd:40d6:ea23 → ff02::16 ICMPv6 110 Multicast Listener Report Message v2
13 7.828222369 0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0x745f4be
14 10.038442823 0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0x745f4be
15 10.834140206 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
16 11.647401711 fe80::8109:8fd:40d6:ea23 → ff02::fb MDNS 188 Standard query 0x0004 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
17 11.678040125 fe80::8109:8fd:40d6:ea23 → ff02::2 ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
18 11.925494678 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
19 13.987335051 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
20 18.262242160 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
21 20.190157358 fe80::8109:8fd:40d6:ea23 → ff02::2 ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
22 26.466357444 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
23 31.555321065 fe80::8109:8fd:40d6:ea23 → ff02::fb MDNS 188 Standard query 0x0005 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
24 37.119574254 fe80::8109:8fd:40d6:ea23 → ff02::2 ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
```
When I allow all traffic with `sudo iptables -P INPUT ACCEPT`, I can connect. Output:
```
Capturing on 'wlan0'
 1 0.000000000 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
 2 0.482149729 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
 3 0.483485507 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
 4 0.497073903 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
 5 0.571571905 :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
 6 0.572910963 :: → ff02::16 ICMPv6 110 Multicast Listener Report Message v2
 7 0.720530878 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
 8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer - Transaction ID 0x1352b3f1
 9 0.733148079 0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK - Transaction ID 0x1352b3f1
11 0.843515868 192.168.43.206 → 224.0.0.251 MDNS 82 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
12 0.843790867 fe80::8109:8fd:40d6:ea23 → ff02::fb MDNS 102 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
13 0.846673931 :: → ff02::16 ICMPv6 110 Multicast Listener Report Message v2
14 0.846747733 192.168.43.206 → 224.0.0.251 IGMPv2 46 Membership Report group 224.0.0.251
15 1.124610012 SamsungE_6f:a4:25 → Broadcast ARP 42 Who has 192.168.43.1? Tell 192.168.43.206
16 1.124698866 Raspberr_55:bd:9f → SamsungE_6f:a4:25 ARP 42 192.168.43.1 is at b8:27:eb:55:bd:9f
17 1.229109485 192.168.43.206 → 192.168.43.1 DNS 89 Standard query 0xbaa1 A connectivitycheck.gstatic.com
18 1.235744361 :: → ff02::16 ICMPv6 90 Multicast Listener Report Message v2
19 1.236032745 192.168.43.206 → 192.168.43.1 DNS 76 Standard query 0xf06b A mtalk.google.com
20 1.244731521 192.168.43.206 → 192.168.43.1 DNS 82 Standard query 0xc1c5 A mqtt-mini.facebook.com
21 1.257354868 192.168.43.206 → 31.13.79.32 TCP 74 51440 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=140302950 TSecr=0 WS=128
22 1.298846721 192.168.43.1 → 192.168.43.206 DNS 547 Standard query response 0xbaa1 A connectivitycheck.gstatic.com A 74.125.130.94 NS c.gtld-servers.net NS d.gtld-servers.net NS a.gtld-servers.net NS k.gtld-servers.net NS j.gtld-servers.net NS b.gtld-servers.net NS h.gtld-servers.net NS g.gtld-servers.net NS m.gtld-servers.net NS l.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30 A 192.12.94.30
23 1.304225715 192.168.43.1 → 192.168.43.206 DNS 545 Standard query response 0xf06b A mtalk.google.com CNAME mobile-gtalk.l.google.com A 74.125.24.188 NS b.gtld-servers.net NS m.gtld-servers.net NS g.gtld-servers.net NS k.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS a.gtld-servers.net NS c.gtld-servers.net NS l.gtld-servers.net NS h.gtld-servers.net NS d.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
24 1.318067391 192.168.43.1 → 192.168.43.206 DNS 551 Standard query response 0xc1c5 A mqtt-mini.facebook.com CNAME mqtt-mini.c10r.facebook.com A 157.240.13.32 NS b.gtld-servers.net NS l.gtld-servers.net NS j.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS a.gtld-servers.net NS m.gtld-servers.net NS h.gtld-servers.net NS k.gtld-servers.net NS c.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
25 1.325372213 31.13.79.32 → 192.168.43.206 TCP 74 443 → 51440 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=2348760415 TSecr=140302950 WS=128
26 1.415381418 192.168.43.206 → 224.0.0.251 MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
27 1.415628604 192.168.43.206 → 224.0.0.251 MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
28 1.419159739 192.168.43.206 → 31.13.79.32 TCP 66 51440 → 443 [ACK] Seq=1 Ack=1 Win=87680 Len=0 TSval=140302990 TSecr=2348760415
29 1.424759566 192.168.43.206 → 224.0.0.251 MDNS 125 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
30 1.429030595 fe80::8109:8fd:40d6:ea23 → ff02::fb MDNS 145 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
31 1.429408823 192.168.43.206 → 31.13.79.32 TLSv1 235 Client Hello
32 1.444965025 192.168.43.206 → 192.168.43.1 DNS 74 Standard query 0xa640 A www.google.com
```
To be clear, let me point out that you can connect to your access point. Your problem seems to be that once connected, you cannot get an IP address from the DHCP server. You can see this in the following part of the first capture, where your device is sending DHCP Requests/Discovers and getting no reply:
```
 8 6.829452451 0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0x745f4be
13 7.828222369 0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0x745f4be
14 10.038442823 0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request - Transaction ID 0x745f4be
15 10.834140206 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
```
When it works, you can clearly see the replies from the server:
```
 7 0.720530878 0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
 8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer - Transaction ID 0x1352b3f1
 9 0.733148079 0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK - Transaction ID 0x1352b3f1
```
If you note the source addresses in the capture, your DHCP client has no source IP address. Until your client completes the DHCP process it has no IP address, and the RFC explicitly states:

> DHCP messages broadcast by a client prior to that client obtaining its IP address must have the source address field in the IP header set to 0.

This also covers the time when an interface first comes up, even if it has a valid lease. In that case it should send a DHCP Request with an all-zero source address to check whether the server still considers the lease valid (this is to avoid IP conflicts).
So the following rules are your problem:
```
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT
```
Remove them and replace them with the following and you should be set:
```
-A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT
```
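As an added illustration (not part of the question or the answer above), the following Python script models first-match evaluation of the INPUT chain, with the page's `DROP` policy, on the wlan0 DHCP rule the answer blames and on its replacement. The packet dictionaries (a DHCP Discover from `0.0.0.0` as in the failing capture, and a renewal from an already-addressed client) and the small rule parser are constructed for this example and cover only the iptables-save options used in the page's ruleset.

```python
import ipaddress
import shlex

# Rules quoted from the page: the original rule the answer blames and its replacement.
ORIGINAL_RULE = "-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT"
FIXED_RULE = "-A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT"

# Constructed packets (not parsed from the capture): a DHCP Discover from a client
# that has no address yet, and a DHCP Request from a client renewing a lease.
DHCP_DISCOVER = {"src": "0.0.0.0", "iface": "wlan0", "proto": "udp", "dport": 67, "ctstate": "NEW"}
DHCP_RENEW = {"src": "192.168.43.206", "iface": "wlan0", "proto": "udp", "dport": 67, "ctstate": "NEW"}

def parse_rule(line):
    """Parse the subset of iptables-save syntax used in the page's ruleset."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-A", "-m"):          # chain name and match-module name carry no condition
            i += 2
        elif tok in ("-s", "-i", "-p", "--dport", "--ctstate", "-j"):
            rule[tok] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule

def rule_matches(rule, pkt):
    """Every option present on the rule must hold; -s is the one a 0.0.0.0 source fails."""
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"]):
        return False
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule:
        lo, _, hi = rule["--dport"].partition(":")
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    if "--ctstate" in rule and pkt["ctstate"] not in rule["--ctstate"].split(","):
        return False
    return True

def verdict(rules, pkt, policy="DROP"):
    """First matching rule decides, as in the INPUT chain; otherwise the chain policy (DROP here)."""
    for line in rules:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policy

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        print(name, "discover:", verdict([rule], DHCP_DISCOVER), "renew:", verdict([rule], DHCP_RENEW))
```

The original rule accepts the renewal but lets the Discover fall through to the DROP policy, which is exactly the unanswered Discover/Request sequence in the first capture; the replacement accepts both.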