I created some iptables chains:
iptables -N dns-requests
iptables -N wg0-filter
Then I created a filter to pass DNS traffic on port 53:
iptables -A wg0-filter -p tcp --dport 53 -j dns-requests
iptables -A wg0-filter -p udp --dport 53 -j dns-requests
Then I made some rules in the dns-requests chain:
iptables -A dns-requests -d 208.67.220.220 -p tcp -j ACCEPT
iptables -A dns-requests -d 208.67.220.220 -p udp -j ACCEPT
iptables -A dns-requests -d 208.67.222.222 -p udp -j ACCEPT
iptables -A dns-requests -d 208.67.222.222 -p tcp -j ACCEPT
iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53
Based on the above, I want to do the following:
- DNS requests sent to 208.67.220.220 or 208.67.222.222 should pass through
- DNS requests not sent to 208.67.220.220 or 208.67.222.222 should be DNATed so that the DNS request arrives at 208.67.220.220
I have tried many different commands, but none of them work. The error I currently get is:
iptables: No chain/target/match by that name.
when I run:
iptables -t nat -A dns-requests -p udp -j DNAT --to-destination 208.67.220.220:53
iptables -t nat -A dns-requests -p tcp -j DNAT --to-destination 208.67.222.222:53
Any ideas on how to achieve my goal?
Answer 1
All filtering needs to be done in the nat table, and the additionally defined chains need to be created there.
More information about the bigger context is needed, but here is an attempt that loads without errors, though I was unable to test it further:
doug@s19:~/iptables/misc$ cat ask1433946
#!/bin/sh
FWVER=0.01
#
# ask1433946 Smythies 2022.10.05 Ver:0.01
# See here:
# https://askubuntu.com/questions/1433946
#
# run as sudo on s19.
#
# Note: These rules definitely need to be merged with
# some higher level rules that the OP did not post.
echo "Loading ask1433946 rule set version $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)
EXTIF="br0"
EXTIP="192.168.111.136"
DESTU="208.67.220.220"
DESTT="208.67.222.222"
UNIVERSE="0.0.0.0/0"
#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="UNKNOWN"
#DESTU="208.67.220.220"
#DESTT="208.67.222.222"
#UNIVERSE="0.0.0.0/0"
#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward
# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about OP's computer.
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Delete user defined chains
$IPTABLES -t nat -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z
# Define user chains in the nat table.
$IPTABLES -t nat -N wg0-filter
$IPTABLES -t nat -N dns-requests-u
$IPTABLES -t nat -N dns-requests-t
# wg0-filter rules
$IPTABLES -t nat -A wg0-filter -p tcp --dport 53 -j dns-requests-t
$IPTABLES -t nat -A wg0-filter -p udp --dport 53 -j dns-requests-u
# dns-requests rules
$IPTABLES -t nat -A dns-requests-t -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-t -j DNAT --to-destination $DESTT
$IPTABLES -t nat -A dns-requests-u -d $DESTU -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -d $DESTT -j ACCEPT
$IPTABLES -t nat -A dns-requests-u -j DNAT --to-destination $DESTU
echo ask1433946 rule set version $FWVER done.
Which loads fine:
doug@s19:~/iptables/misc$ sudo ./ask1433946
Loading ask1433946 rule set version 0.01..
Enabling forwarding...
Clearing any existing rules and setting default policies..
ask1433946 rule set version 0.01 done.
Giving:
doug@s19:~/iptables/misc$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 120 packets, 8220 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 36 packets, 5876 bytes)
pkts bytes target prot opt in out source destination
doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 236 packets, 46387 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 47 packets, 2995 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain wg0-filter (0 references)
pkts bytes target prot opt in out source destination
0 0 dns-requests-t tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 dns-requests-u udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain dns-requests-u (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 208.67.220.220
0 0 ACCEPT all -- * * 0.0.0.0/0 208.67.222.222
0 0 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:208.67.220.220
Chain dns-requests-t (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 208.67.220.220
0 0 ACCEPT all -- * * 0.0.0.0/0 208.67.222.222
0 0 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:208.67.222.222
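The following is an added example and is not code from the question or from the answer above. It shows why the original command failed and how the pieces fit together: `iptables -N` without `-t` creates a chain in the filter table, so `iptables -t nat -A dns-requests ...` cannot find it and reports "No chain/target/match by that name". It also hooks `wg0-filter` into nat PREROUTING, which the answer's listing shows was never done (`wg0-filter (0 references)`), and repeats the resolver allow-list in the filter FORWARD chain, since the nat table only sees the first packet of each connection. The interface names `wg0` and `eth0`, the use of `iptables-restore --noflush`, and the MASQUERADE rule are assumptions; a WireGuard server that already masquerades in its PostUp hook should drop that line.

```shell
#!/bin/sh
# Added example, not from the original post or answer. Forces plain-DNS
# traffic arriving on the WireGuard interface to two OpenDNS resolvers.
# Assumptions (not in the original): VPN interface wg0, uplink eth0,
# rules loaded with iptables-restore --noflush so existing rules survive.

WG_IF="${WG_IF:-wg0}"      # assumed VPN interface
OUT_IF="${OUT_IF:-eth0}"   # assumed uplink for MASQUERADE
DNS_UDP="208.67.220.220"
DNS_TCP="208.67.222.222"

# Emit the ruleset in iptables-restore format. Kept as a function so it can be
# inspected or checked without touching the kernel.
gen_rules() {
    cat <<EOF
*nat
:wg0-filter - [0:0]
:dns-requests - [0:0]
# Hook the per-interface chain into PREROUTING; without this reference the
# chain exists but never sees a packet.
-A PREROUTING -i $WG_IF -j wg0-filter
-A wg0-filter -p udp --dport 53 -j dns-requests
-A wg0-filter -p tcp --dport 53 -j dns-requests
# Queries already addressed to an allowed resolver are left alone
# (ACCEPT in the nat table means "do not rewrite", not "allow").
-A dns-requests -d $DNS_UDP -j ACCEPT
-A dns-requests -d $DNS_TCP -j ACCEPT
# Everything else on port 53 is rewritten to the allowed resolvers.
-A dns-requests -p udp -j DNAT --to-destination $DNS_UDP:53
-A dns-requests -p tcp -j DNAT --to-destination $DNS_TCP:53
# Forwarded client traffic needs a source rewrite on the way out (assumed).
-A POSTROUTING -o $OUT_IF -j MASQUERADE
COMMIT
*filter
# Defence in depth: enforce the allow-list again after DNAT has rewritten
# the destination, so a missing nat rule fails closed rather than open.
-A FORWARD -i $WG_IF -p udp --dport 53 -d $DNS_UDP -j ACCEPT
-A FORWARD -i $WG_IF -p udp --dport 53 -d $DNS_TCP -j ACCEPT
-A FORWARD -i $WG_IF -p tcp --dport 53 -d $DNS_UDP -j ACCEPT
-A FORWARD -i $WG_IF -p tcp --dport 53 -d $DNS_TCP -j ACCEPT
-A FORWARD -i $WG_IF -p udp --dport 53 -j DROP
-A FORWARD -i $WG_IF -p tcp --dport 53 -j DROP
COMMIT
EOF
}

# Count the rules matching port 53 in one table ("nat" or "filter"):
# a cheap self-check that both halves of the policy are present.
count_dns_rules() {
    gen_rules | awk -v t="*$1" '
        $1 == t { in_t = 1; next }
        /^\*/   { in_t = 0 }
        in_t && /--dport 53/ { n++ }
        END { print n + 0 }'
}

case "${1:-}" in
    --apply)
        # Requires root and a kernel with nf_nat loaded.
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        gen_rules | iptables-restore --noflush
        ;;
    *)
        # Default: print the ruleset for review.
        gen_rules
        ;;
esac
```

Run it without arguments to review the generated ruleset, or with `--apply` as root to load it. Note that this only captures plain DNS on port 53; clients using DNS over TLS (853) or DNS over HTTPS (443) bypass the redirect entirely and would need separate handling.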