Networking

Cannot connect to access point because of iptables/filter

  • October 31, 2019

Setup

Raspberry Pi connected to the router over Ethernet on subnet 192.168.0.0/24

Raspberry Pi access point on subnet 192.168.43.0/24

I am using the nordvpn app, and when I connect to the VPN it applies a filter to my network:

Problem

After this filter is applied, I **cannot connect to my access point.** Obtaining an IP fails. I tried whitelisting ports 68 and 69, but that didn't help. What exactly in the filter causes this?

I also tried

sudo iptables -A INPUT -s 192.168.43.0/24 -j ACCEPT

Filter:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i lo -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i wlan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 192.168.43.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o tun0 -j ACCEPT
-A OUTPUT -d 10.8.0.0/24 -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT

Tshark output when unable to connect:

Capturing on 'wlan0'
1 0.000000000 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
2 6.347075913 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
3 6.405992489 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
4 6.407274309 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
5 6.419174541 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
6 6.664258217           :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
7 6.664945194           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
8 6.829452451      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
9 7.477149785           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
10 7.550230284 fe80::8109:8fd:40d6:ea23 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
11 7.550522158 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
12 7.600963546 fe80::8109:8fd:40d6:ea23 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
13 7.828222369      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
14 10.038442823      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
15 10.834140206      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
16 11.647401711 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 188 Standard query 0x0004 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
17 11.678040125 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
18 11.925494678      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
19 13.987335051      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
20 18.262242160      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
21 20.190157358 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
22 26.466357444      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
23 31.555321065 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 188 Standard query 0x0005 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
24 37.119574254 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25

When I allow all traffic with sudo iptables -P INPUT ACCEPT, I can connect. Output:

Capturing on 'wlan0'
1 0.000000000 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
2 0.482149729 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
3 0.483485507 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
4 0.497073903 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
5 0.571571905           :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
6 0.572910963           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
7 0.720530878      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer    - Transaction ID 0x1352b3f1
9 0.733148079      0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request  - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK      - Transaction ID 0x1352b3f1
11 0.843515868 192.168.43.206 → 224.0.0.251  MDNS 82 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
12 0.843790867 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 102 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
13 0.846673931           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
14 0.846747733 192.168.43.206 → 224.0.0.251  IGMPv2 46 Membership Report group 224.0.0.251
15 1.124610012 SamsungE_6f:a4:25 → Broadcast    ARP 42 Who has 192.168.43.1? Tell 192.168.43.206
16 1.124698866 Raspberr_55:bd:9f → SamsungE_6f:a4:25 ARP 42 192.168.43.1 is at b8:27:eb:55:bd:9f
17 1.229109485 192.168.43.206 → 192.168.43.1 DNS 89 Standard query 0xbaa1 A connectivitycheck.gstatic.com
18 1.235744361           :: → ff02::16     ICMPv6 90 Multicast Listener Report Message v2
19 1.236032745 192.168.43.206 → 192.168.43.1 DNS 76 Standard query 0xf06b A mtalk.google.com
20 1.244731521 192.168.43.206 → 192.168.43.1 DNS 82 Standard query 0xc1c5 A mqtt-mini.facebook.com
21 1.257354868 192.168.43.206 → 31.13.79.32  TCP 74 51440 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=140302950 TSecr=0 WS=128
22 1.298846721 192.168.43.1 → 192.168.43.206 DNS 547 Standard query response 0xbaa1 A connectivitycheck.gstatic.com A 74.125.130.94 NS c.gtld-servers.net NS d.gtld-servers.net NS a.gtld-servers.net NS k.gtld-servers.net NS j.gtld-servers.net NS b.gtld-servers.net NS h.gtld-servers.net NS g.gtld-servers.net NS m.gtld-servers.net NS l.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30 A 192.12.94.30
23 1.304225715 192.168.43.1 → 192.168.43.206 DNS 545 Standard query response 0xf06b A mtalk.google.com CNAME mobile-gtalk.l.google.com A 74.125.24.188 NS b.gtld-servers.net NS m.gtld-servers.net NS g.gtld-servers.net NS k.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS a.gtld-servers.net NS c.gtld-servers.net NS l.gtld-servers.net NS h.gtld-servers.net NS d.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
24 1.318067391 192.168.43.1 → 192.168.43.206 DNS 551 Standard query response 0xc1c5 A mqtt-mini.facebook.com CNAME mqtt-mini.c10r.facebook.com A 157.240.13.32 NS b.gtld-servers.net NS l.gtld-servers.net NS j.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS a.gtld-servers.net NS m.gtld-servers.net NS h.gtld-servers.net NS k.gtld-servers.net NS c.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
25 1.325372213  31.13.79.32 → 192.168.43.206 TCP 74 443 → 51440 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=2348760415 TSecr=140302950 WS=128
26 1.415381418 192.168.43.206 → 224.0.0.251  MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
27 1.415628604 192.168.43.206 → 224.0.0.251  MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
28 1.419159739 192.168.43.206 → 31.13.79.32  TCP 66 51440 → 443 [ACK] Seq=1 Ack=1 Win=87680 Len=0 TSval=140302990 TSecr=2348760415
29 1.424759566 192.168.43.206 → 224.0.0.251  MDNS 125 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
30 1.429030595 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 145 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
31 1.429408823 192.168.43.206 → 31.13.79.32  TLSv1 235 Client Hello
32 1.444965025 192.168.43.206 → 192.168.43.1 DNS 74 Standard query 0xa640 A www.google.com

For clarity, let me point out that you can connect to your access point. Your problem seems to be that once connected, you cannot get an IP address from the DHCP server. You can see this in the following part of the first capture, where your device is sending DHCP Request/Discover and gets no reply:

8 6.829452451      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
13 7.828222369      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
14 10.038442823      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
15 10.834140206      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e

When it works, you can clearly see the replies from the server:

7 0.720530878      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer    - Transaction ID 0x1352b3f1
9 0.733148079      0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request  - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK      - Transaction ID 0x1352b3f1

If you note the source addresses in the capture, your DHCP client has no source IP address. Until your client completes the DHCP process it has no IP address, and the RFC explicitly states:

DHCP messages broadcast by a client prior to that client obtaining its IP address must have the source address field in the IP header set to 0.

This also covers the moment an interface first comes up, even if it holds a valid lease. In that case it should send DHCP Requests with an all-zeros source address to check whether the server still considers the lease valid (this is to avoid IP conflicts).

So the following rules are your problem:

-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT

Remove them and replace them with the following, and you should be set:

-A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT

Quoted from: https://serverfault.com/questions/988450
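As an added illustration (not part of the question or the answer), a small Python matcher that walks the question's INPUT rules the way a chain does, first match wins, else the chain policy, and evaluates them against the DHCP Discover seen in frame 8 of the failing capture: with a source address of 0.0.0.0 none of the `-s 192.168.43.0/24` rules match, so the packet falls through to the DROP policy, while the answer's interface-scoped rule accepts it. The rule subset and packet dicts are constructed for this example, and the matcher only understands the options those rules use.

```python
import ipaddress

# INPUT rules copied from the question's filter (plus the `-s 192.168.43.0/24
# -j ACCEPT` line the asker also tried); a constructed subset for this example.
BROKEN_RULES = [
    "-A INPUT -s 192.168.43.0/24 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT",
    "-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT",
    "-A INPUT -s 192.168.43.0/24 -j ACCEPT",
]
# The answer's replacement: scoped to the interface, not to a source subnet.
FIXED_RULES = ["-A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT"]

def parse_rule(line):
    # Pull out the match criteria this toy matcher understands (-m conntrack / -m udp add none).
    toks = line.split()
    rule = {}
    for opt, arg in zip(toks, toks[1:] + [""]):
        if opt == "-s":
            rule["src"] = ipaddress.ip_network(arg)
        elif opt == "-i":
            rule["iif"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport":  # single port or lo:hi range
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
    return rule

def matches(rule, pkt):
    # Every criterion present in the rule must hold for the packet.
    return (("src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and ("iif" not in rule or rule["iif"] == pkt["iif"])
            and ("proto" not in rule or rule["proto"] == pkt["proto"])
            and ("dport" not in rule or rule["dport"][0] <= pkt["dport"] <= rule["dport"][1])
            and ("ctstate" not in rule or pkt["ctstate"] in rule["ctstate"]))

def verdict(rules, pkt, policy="DROP"):
    # First matching rule decides, as in a real chain; otherwise the chain policy (DROP here).
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Frame 8 of the failing capture: the client has no address yet, so src is 0.0.0.0.
DHCP_DISCOVER = {"src": "0.0.0.0", "iif": "wlan0", "proto": "udp", "dport": 67, "ctstate": "NEW"}
```

A renewal from a client that already holds 192.168.43.206 is accepted by the original rules, which is why the subnet-scoped rule looks fine until an unaddressed client appears.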