I'm trying to set up a gateway/router box but can't seem to get iptables right. The goal is a private network of Windows boxes that can talk HTTPS, HTTP and SSH to the WAN. I'd like RDP open so I can talk to the Windows machines from the gateway box, but I don't want any port forwarding from the WAN.
Currently I'm using masquerading for NAT between the NICs; my WAN interface is eth0 and my LAN interface is eth1. I can ssh into the box fine, but I can't RDP to a machine on the private network, and I can't get HTTP/HTTPS. The logs show that when I try to connect to Google from the router box, I'm dropping packets with destination port 80/443.
What I've been trying so far is:
# Flushing all rules
iptables -F
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# set up nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# allow DNS lookup
for ip in $DNS
do
echo "Allowing DNS lookups to server '$ip'"
iptables -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
done
# allow http/https, ssh
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -m multiport --dports 80,443 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow private RDP
iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 3389 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m multiport --sports 3389 -m state --state ESTABLISHED -j ACCEPT
# log for debugging
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
The only thing I can think of is that since I'm doing port address translation, specifying destination/source ports on my WAN interface doesn't work. Would any iptables guru be willing to tell me where I'm going wrong?
Update: after reading my logs and testing, I've found some rules that seem to work.
# Flushing all rules
iptables -F
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# set up nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# allow DNS lookup
for ip in $DNS
do
echo "Allowing DNS lookups to server '$ip'"
iptables -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
#DNS lookups for NAT
iptables -A FORWARD -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $ip --sport 53 -m state --state ESTABLISHED -j ACCEPT
done
# allow service ports to be forwarded to local network
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 22,80,443,1727,8192,8194,36015 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m multiport --sports 22,80,443,1727,8192,8194,36015 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow service ports out/in from WAN
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# allow service ports in, only when outbound connection exists
# 80 - HTTP ( for yum )
# 443 - HTTPS ( for yum )
# 21 - FTP ( for yum )
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow local RDP
iptables -A INPUT -i eth1 -p tcp --sport 3389 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3389 -m state --state ESTABLISHED,RELATED -j ACCEPT
I think the last FORWARD rule for 3389 is unnecessary, but I haven't tested it yet. In response to some of the first comments:
[root@localhost ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
79 5224 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 state NEW,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:3389 state ESTABLISHED
1 229 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 multiport dports 22,80,443,1727,8192,8194,36015
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 multiport sports 22,80,443,1727,8192,8194,36015 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state RELATED,ESTABLISHED
0 0 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
68 7488 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,21 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389
0 0 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (3 references)
pkts bytes target prot opt in out source destination
1 229 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 5 LOG flags 0 level 6 prefix `IPTables-Dropped: '
1 229 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
I removed the block about my DNS servers from this output. The only thing I'd still like to add to this config is restricting ssh access to an IP subnet, but I'll do that last since it should be simple. Thanks for the comments so far; hopefully nothing I have is unsound!
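One way to build the stateful ruleset this post is after, as an added example rather than the poster's own script: a single ESTABLISHED,RELATED rule per chain handles all reply traffic (so the router's own HTTP/HTTPS needs only an OUTPUT --dports rule), FORWARD accepts new connections only from eth1 so nothing arriving on the WAN is ever forwarded, SSH into the router is limited to an admin subnet, and the chain policies are set explicitly because iptables -F leaves policies untouched. The LAN subnet, admin subnet and resolver address are assumed placeholders; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not the poster's script). eth0 = WAN, eth1 = LAN as in the post;
# LAN_NET, ADMIN_NET and DNS are assumed placeholder values, override via environment.
# IPT=echo prints the rules instead of applying them; APPLY=1 runs apply_rules.
set -eu
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed LAN subnet
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed subnet allowed to SSH in
DNS="${DNS:-192.0.2.53}"                   # assumed resolvers, space separated

apply_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    # -F flushes rules only; policies persist, so set all three explicitly
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # One conntrack rule per chain handles all reply traffic, replacing the
    # per-port --sport ESTABLISHED pairs
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # The router itself: DNS to its resolvers, HTTP/HTTPS out for yum
    for ip in $DNS; do
        $IPT -A OUTPUT -o "$WAN" -d "$ip" -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -o "$WAN" -d "$ip" -p tcp --dport 53 -j ACCEPT
    done
    $IPT -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # SSH into the router only from the admin subnet; RDP only router -> LAN
    $IPT -A INPUT -i "$WAN" -s "$ADMIN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$LAN" -d "$LAN_NET" -p tcp --dport 3389 -j ACCEPT
    # LAN -> WAN: masqueraded DNS/SSH/HTTP/HTTPS; no -i eth0 NEW rule exists in
    # FORWARD, so nothing from the WAN is ever forwarded to the LAN
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 22,53,80,443 -j ACCEPT
    # Everything else: rate-limited log, then drop
    $IPT -N LOGGING
    $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    $IPT -A LOGGING -j DROP
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -j LOGGING
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

Review the generated ruleset first with `IPT=echo APPLY=1 sh firewall.sh`, then apply it as root with `APPLY=1 sh firewall.sh`.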