I use a Linux PC as my Internet gateway; it is running a fresh install of CentOS 7 x64. I have one subnet (192.168.2.0/24), which is my regular home network, and a second, separate subnet (192.168.3.0/24) for guests. As you would expect, the intent is to allow my guests to access the Internet, but not any host on my regular home network.
To that end, the gateway PC has 3 physical Ethernet interfaces installed:
- enp0s25 (zone=external): masqueraded Internet connection; address assigned by my ISP via DHCP
- enp4s2 (zone=internal): connected to my home subnet; static address 192.168.2.254 (192.168.2.0/24)
- enp4s0 (zone=guest): connected to my guest subnet; static address 192.168.3.254 (192.168.3.0/24)
Connected to this guest subnet is a separate WiFi AP that provides Internet access for the guest WiFi. The guest AP has the static address 192.168.3.3.
The gateway PC provides a DHCP server for the internal (192.168.2.0/24) and guest (192.168.3.0/24) subnets, as well as a caching DNS server.
I can connect a WiFi client to this AP, receive a DHCP address assignment from the CentOS box, and connect to hosts on the Internet. I cannot reach any host on the internal subnet. From a host on the internal network, I can connect to the gateway PC and to the Internet. I can ping the 192.168.3.254 interface on the gateway, but I cannot ping anything on the guest network behind the gateway. If I SSH into the gateway PC, I can connect to everything on both subnets.
So far, all of this is the desired behaviour. Now for the problem:
Sometimes, for maintenance purposes, I may need to connect to the guest WiFi AP at 192.168.3.3. Currently I can connect to the guest AP over WiFi and log in to the admin page that way, but it would be more convenient to be able to reach the admin page from a desktop PC on the internal subnet. Obviously, I would prefer to keep this connectivity one-way, i.e. hosts on the internal subnet can connect to hosts on the guest subnet, but not the other way round. Is there a way to allow this? I have tried moving interfaces to different zones, adding rich rules, adding direct forwarding rules, etc., but none of these attempts has worked. What am I missing?
Here are my firewall zones and the kernel routing table:
# firewall-cmd --get-active-zones
internal
interfaces: enp4s2
external
interfaces: enp0s25
public
interfaces: enp4s0
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp4s0
sources:
services: ssh dhcpv6-client dns dhcp mdns http https ntp smtp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp4s2
sources:
services: ssh mdns samba-client dhcpv6-client dns http https mysql ntp pop3s smtp icecast pop3 samba dhcp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: ssh openvpn
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# ip route show
default via 72.211.220.1 dev enp0s25 proto dhcp metric 102
72.211.220.0/22 dev enp0s25 proto kernel scope link src <redacted> metric 102
192.168.2.0/24 dev enp4s2 proto kernel scope link src 192.168.2.254 metric 101
192.168.3.0/24 dev enp4s0 proto kernel scope link src 192.168.3.254 metric 100
Here is the output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_internal all -- anywhere anywhere [goto]
FWDI_external all -- anywhere anywhere [goto]
FWDI_guest all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_internal all -- anywhere anywhere [goto]
FWDO_external all -- anywhere anywhere [goto]
FWDO_guest all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDI_external (1 references)
target prot opt source destination
FWDI_external_log all -- anywhere anywhere
FWDI_external_deny all -- anywhere anywhere
FWDI_external_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_external_allow (1 references)
target prot opt source destination
Chain FWDI_external_deny (1 references)
target prot opt source destination
Chain FWDI_external_log (1 references)
target prot opt source destination
Chain FWDI_guest (1 references)
target prot opt source destination
FWDI_guest_log all -- anywhere anywhere
FWDI_guest_deny all -- anywhere anywhere
FWDI_guest_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_guest_allow (1 references)
target prot opt source destination
Chain FWDI_guest_deny (1 references)
target prot opt source destination
Chain FWDI_guest_log (1 references)
target prot opt source destination
Chain FWDI_internal (1 references)
target prot opt source destination
FWDI_internal_log all -- anywhere anywhere
FWDI_internal_deny all -- anywhere anywhere
FWDI_internal_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_internal_allow (1 references)
target prot opt source destination
Chain FWDI_internal_deny (1 references)
target prot opt source destination
Chain FWDI_internal_log (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDI_trusted (0 references)
target prot opt source destination
FWDI_trusted_log all -- anywhere anywhere
FWDI_trusted_deny all -- anywhere anywhere
FWDI_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_external (1 references)
target prot opt source destination
FWDO_external_log all -- anywhere anywhere
FWDO_external_deny all -- anywhere anywhere
FWDO_external_allow all -- anywhere anywhere
Chain FWDO_external_allow (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW
ACCEPT all -- anywhere anywhere ctstate NEW
Chain FWDO_external_deny (1 references)
target prot opt source destination
Chain FWDO_external_log (1 references)
target prot opt source destination
Chain FWDO_guest (1 references)
target prot opt source destination
FWDO_guest_log all -- anywhere anywhere
FWDO_guest_deny all -- anywhere anywhere
FWDO_guest_allow all -- anywhere anywhere
Chain FWDO_guest_allow (1 references)
target prot opt source destination
Chain FWDO_guest_deny (1 references)
target prot opt source destination
Chain FWDO_guest_log (1 references)
target prot opt source destination
Chain FWDO_internal (1 references)
target prot opt source destination
FWDO_internal_log all -- anywhere anywhere
FWDO_internal_deny all -- anywhere anywhere
FWDO_internal_allow all -- anywhere anywhere
Chain FWDO_internal_allow (1 references)
target prot opt source destination
Chain FWDO_internal_deny (1 references)
target prot opt source destination
Chain FWDO_internal_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain FWDO_trusted (0 references)
target prot opt source destination
FWDO_trusted_log all -- anywhere anywhere
FWDO_trusted_deny all -- anywhere anywhere
FWDO_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDO_trusted_allow (1 references)
target prot opt source destination
Chain FWDO_trusted_deny (1 references)
target prot opt source destination
Chain FWDO_trusted_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_internal all -- anywhere anywhere [goto]
IN_external all -- anywhere anywhere [goto]
IN_guest all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_external (1 references)
target prot opt source destination
IN_external_log all -- anywhere anywhere
IN_external_deny all -- anywhere anywhere
IN_external_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_external_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:openvpn ctstate NEW
Chain IN_external_deny (1 references)
target prot opt source destination
Chain IN_external_log (1 references)
target prot opt source destination
Chain IN_guest (1 references)
target prot opt source destination
IN_guest_log all -- anywhere anywhere
IN_guest_deny all -- anywhere anywhere
IN_guest_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_guest_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
Chain IN_guest_deny (1 references)
target prot opt source destination
Chain IN_guest_log (1 references)
target prot opt source destination
Chain IN_internal (1 references)
target prot opt source destination
IN_internal_log all -- anywhere anywhere
IN_internal_deny all -- anywhere anywhere
IN_internal_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_internal_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:ntp ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:irdmi ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:vcom-tunnel ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootps ctstate NEW
Chain IN_internal_deny (1 references)
target prot opt source destination
Chain IN_internal_log (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootps ctstate NEW
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:ntp ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain IN_trusted (0 references)
target prot opt source destination
IN_trusted_log all -- anywhere anywhere
IN_trusted_deny all -- anywhere anywhere
IN_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain IN_trusted_allow (1 references)
target prot opt source destination
Chain IN_trusted_deny (1 references)
target prot opt source destination
Chain IN_trusted_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
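As an added example that is not part of the question or any answer to it: a POSIX shell audit of an `iptables -S` listing for the one-way forward policy the asker wants (new connections from enp4s2 to enp4s0 only, with return traffic carried by the existing RELATED,ESTABLISHED rule). The two listings it checks are constructed, and the firewalld direct rule quoted in the comment is an assumption about one way to express that policy, not something taken from the question.

```shell
#!/bin/sh
# Added example, not the asker's configuration: audit an `iptables -S` listing for
# the policy "internal may open connections to guest, guest may not open connections
# to internal". `iptables -S` is used because plain `iptables -L` hides the -i/-o
# interface matches that make a forward rule one-directional.
INTERNAL_IF=enp4s2   # interface names taken from the question
GUEST_IF=enp4s0
# Constructed output of `iptables -S FORWARD; iptables -S FORWARD_direct` after one
# assumed direct rule, e.g. firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 \
#     -i enp4s2 -o enp4s0 -m conntrack --ctstate NEW -j ACCEPT
SAMPLE_ONE_WAY='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD_direct -i enp4s2 -o enp4s0 -m conntrack --ctstate NEW -j ACCEPT'
# Constructed listing with an unrestricted direct rule: it opens both directions.
SAMPLE_TOO_BROAD='-A FORWARD_direct -j ACCEPT'

# Count ACCEPT rules on stdin admitting NEW connections entering on $1 and leaving
# on $2. No -i/-o means "any interface"; a --ctstate without NEW (the stock
# RELATED,ESTABLISHED rule) only carries return traffic and is ignored.
count_new_accepts() {
    awk -v in_if="$1" -v out_if="$2" '
        $1 == "-A" && / -j ACCEPT/ {
            in_ok = 1; out_ok = 1; new_ok = 1
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") in_ok = ($(i + 1) == in_if)
                if ($i == "-o") out_ok = ($(i + 1) == out_if)
                if ($i == "--ctstate") new_ok = ($(i + 1) ~ /NEW/)
            }
            if (in_ok && out_ok && new_ok) n++
        }
        END { print n + 0 }'
}

# Succeed only when stdin allows internal -> guest and nothing allows guest ->
# internal. On a live gateway feed it: iptables -S FORWARD; iptables -S FORWARD_direct
policy_is_one_way() {
    rules=$(cat)
    fwd=$(printf '%s\n' "$rules" | count_new_accepts "$INTERNAL_IF" "$GUEST_IF")
    back=$(printf '%s\n' "$rules" | count_new_accepts "$GUEST_IF" "$INTERNAL_IF")
    [ "$fwd" -ge 1 ] && [ "$back" -eq 0 ]
}

# Print a verdict for the listing passed as $1.
audit_listing() {
    if printf '%s\n' "$1" | policy_is_one_way; then echo one-way; else echo "NOT one-way"; fi
}

audit_listing "$SAMPLE_ONE_WAY"; audit_listing "$SAMPLE_TOO_BROAD"
```

The second sample is the trap behind "ACCEPT all -- anywhere anywhere" lines in an `iptables -L` listing: without `-v` or `-S` you cannot tell whether such a rule is interface-restricted or lets guest hosts open connections to the internal subnet.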