对不会发往特定服务器的 DNS 请求进行 DNATing。iptables：没有该名称的链/目标/匹配

Question

所有过滤都需要在 nat 表中完成，并在那里创建额外定义的链。

需要更多关于更大背景的信息，但这里是一次尝试，加载时没有错误，但我无法进一步测试它：

doug@s19:~/iptables/misc$ cat ask1433946
#!/bin/sh
FWVER=0.01
#
# ask1433946 Smythies 2022.10.05 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1433946
#
#       run as sudo on s19.
#
#       Note: These rules definately need to be merged with
#       some higher level rules that the OP did not post.

echo "Loading ask1433946 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
DESTU="208.67.220.220"
DESTT="208.67.222.222"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="UNKNOWN"
#DESTU="208.67.220.220"
#DESTT="208.67.222.222"
#UNIVERSE="0.0.0.0/0"

#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about OP's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Delete user defined chains
$IPTABLES -t nat -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# Define tables in nat.
$IPTABLES -t nat -N wg0-filter
$IPTABLES -t nat -N dns-requests-u
$IPTABLES -t nat -N dns-requests-t

# wgo-filter rules
$IPTABLES -t nat -A wg0-filter -p tcp --dport 53 -j dns-requests-t
$IPTABLES -t nat -A wg0-filter -p udp --dport 53 -j dns-requests-u

# dns-requests rules
$IPTABLES -t nat -A dns-requests-t -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -j DNAT --to-destination $DESTT

$IPTABLES -t nat -A dns-requests-u -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -j DNAT --to-destination $DESTU

echo ask1433946 rule set version $FWVER done.

哪个加载良好：

$ doug@s19:~/iptables/misc$ sudo ./ask1433946
Loading ask1433946 rule set version 0.01..

Enabling forwarding...
  Clearing any existing rules and setting default policies..
ask1433946 rule set version 0.01 done.

给予：

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 120 packets, 8220 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 36 packets, 5876 bytes)
    pkts      bytes target     prot opt in     out     source               destination
doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 236 packets, 46387 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 47 packets, 2995 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain wg0-filter (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 dns-requests-t  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0        0 dns-requests-u  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain dns-requests-u (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.220.220

Chain dns-requests-t (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.222.222

Answer 1

所有过滤都需要在 nat 表中完成，并在那里创建额外定义的链。

需要更多关于更大背景的信息，但这里是一次尝试，加载时没有错误，但我无法进一步测试它：

doug@s19:~/iptables/misc$ cat ask1433946
#!/bin/sh
FWVER=0.01
#
# ask1433946 Smythies 2022.10.05 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1433946
#
#       run as sudo on s19.
#
#       Note: These rules definately need to be merged with
#       some higher level rules that the OP did not post.

echo "Loading ask1433946 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
DESTU="208.67.220.220"
DESTT="208.67.222.222"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="UNKNOWN"
#DESTU="208.67.220.220"
#DESTT="208.67.222.222"
#UNIVERSE="0.0.0.0/0"

#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about OP's computer.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Delete user defined chains
$IPTABLES -t nat -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# Define tables in nat.
$IPTABLES -t nat -N wg0-filter
$IPTABLES -t nat -N dns-requests-u
$IPTABLES -t nat -N dns-requests-t

# wgo-filter rules
$IPTABLES -t nat -A wg0-filter -p tcp --dport 53 -j dns-requests-t
$IPTABLES -t nat -A wg0-filter -p udp --dport 53 -j dns-requests-u

# dns-requests rules
$IPTABLES -t nat -A dns-requests-t -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -j DNAT --to-destination $DESTT

$IPTABLES -t nat -A dns-requests-u -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -j DNAT --to-destination $DESTU

echo ask1433946 rule set version $FWVER done.

哪个加载良好：

$ doug@s19:~/iptables/misc$ sudo ./ask1433946
Loading ask1433946 rule set version 0.01..

Enabling forwarding...
  Clearing any existing rules and setting default policies..
ask1433946 rule set version 0.01 done.

给予：

doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 120 packets, 8220 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 36 packets, 5876 bytes)
    pkts      bytes target     prot opt in     out     source               destination
doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 236 packets, 46387 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 47 packets, 2995 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain wg0-filter (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 dns-requests-t  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
       0        0 dns-requests-u  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain dns-requests-u (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.220.220

Chain dns-requests-t (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.220.220
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            208.67.222.222
       0        0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:208.67.222.222

对不会发往特定服务器的 DNS 请求进行 DNATing。iptables：没有该名称的链/目标/匹配

答案1

相关内容