Linux router port forwarding with iptables

I am trying to create a port forwarding rule on my Linux router, using the following rules:

iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 4242 -j DNAT --to-destination 192.168.2.1:22
iptables -A FORWARD -i $WAN -p tcp --dport 22 -d 192.168.2.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

The problem is that when I try to connect from a remote machine, according to the logs the packets are dropped by the INPUT rules:

DROPIN>IN=ppp0 OUT= MAC= SRC=$source_ip DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=61883 DF PROTO=TCP SPT=57684 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
DROPIN>IN=ppp0 OUT= MAC= SRC=$source_ip DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=61884 DF PROTO=TCP SPT=57684 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

Does this mean I am missing an INPUT rule? And if I add an INPUT rule, am I opening the port globally to the internet?

Just in case, here is my entire iptables.sh:

#!/usr/bin/env bash

PATH='/sbin'

WAN=ppp0
LAN=enp1s0
VLAN10=enp1s0.10
VLAN20=enp1s0.20
VLAN30=enp1s0.30

LAN_NET=192.168.2.0/24
VLAN10_NET=192.168.10.0/24
VLAN20_NET=192.168.20.0/24
VLAN30_NET=192.168.30.0/24

echo "Flushing rules"

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo "Allow loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Drop invalid states"
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

echo "Allow established and related connections"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

echo "Rate limit ICMP traffic per source"
iptables -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT

echo "Allow DHCP"
iptables -I INPUT -i $LAN -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT -i $VLAN10 -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT -i $VLAN20 -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
iptables -I INPUT -i $VLAN30 -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow SSH from LAN"
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Allow SSH from VLAN10"
iptables -A INPUT -i $VLAN10 -s $VLAN10_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

echo "Port forward SSH external 4242 to local 22"
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 4242 -j DNAT --to-destination 192.168.2.1:22
iptables -A FORWARD -i $WAN -p tcp --dport 22 -d 192.168.2.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "Allow DNS (UDP and TCP for large replies)"
iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $VLAN10 -s $VLAN10_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $VLAN10 -s $VLAN10_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $VLAN20 -s $VLAN20_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $VLAN20 -s $VLAN20_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $VLAN30 -s $VLAN30_NET -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $VLAN30 -s $VLAN30_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

echo "Drop external DNS"
iptables -A FORWARD -o $WAN -i $LAN -s $LAN_NET -p udp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $LAN -s $LAN_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN10 -s $VLAN10_NET -p udp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN10 -s $VLAN10_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN20 -s $VLAN20_NET -p udp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN20 -s $VLAN20_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN30 -s $VLAN30_NET -p udp --dport 53 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN30 -s $VLAN30_NET -p tcp --dport 53 -m conntrack --ctstate NEW -j DROP

echo "Drop external DoT"
iptables -A FORWARD -o $WAN -i $LAN -s $LAN_NET -p tcp --dport 853 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN10 -s $VLAN10_NET -p tcp --dport 853 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN20 -s $VLAN20_NET -p tcp --dport 853 -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -o $WAN -i $VLAN30 -s $VLAN30_NET -p tcp --dport 853 -m conntrack --ctstate NEW -j DROP

echo "Enable network address translation"
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A FORWARD -o $WAN -i $LAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o $WAN -i $VLAN10 -s $VLAN10_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o $WAN -i $VLAN20 -s $VLAN20_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -o $WAN -i $VLAN30 -s $VLAN30_NET -m conntrack --ctstate NEW -j ACCEPT

echo "Enable TCP MSS clamping"
iptables -t mangle -A FORWARD -o $WAN -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

echo "Do not reply with Destination Unreachable messages"
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

echo "Log all dropped packets"
iptables -A INPUT -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPIN>'
iptables -A OUTPUT -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPOUT>'
iptables -A FORWARD -m limit --limit 1/sec -j LOG --log-level debug --log-prefix 'DROPFWD>'

Thanks in advance for your help!

Answer 1

I don't think you need an INPUT rule, since the traffic should be going to another box.

Just for debugging, have you tried the same rules with -I instead of -A? Does that work? If so, you must have some generic FORWARD rule earlier that is not letting the specific rule match.
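A way to read the DROPIN> lines from the question: netfilter's LOG target runs after nat/PREROUTING, so the logged DST and DPT are the post-DNAT values, and a hit in INPUT with an empty OUT= is the signature of a packet the kernel delivered to the router itself rather than to FORWARD. The script below is an added example, not code from the original post; it classifies such log lines (constructed samples are embedded) and prints the INPUT rule that admits only connections which actually passed the PREROUTING DNAT, using the conntrack match's --ctorigdstport option. The helper names and the 192.168.2.50 host in the second sample are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): classify netfilter LOG lines
# like the question's DROPIN> output and print a narrowly scoped INPUT rule.
# Constructed sample lines modelled on the question's log; the source address
# is a documentation address and 192.168.2.50 is an assumed LAN host.
SAMPLE_IN='DROPIN>IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=61883 DF PROTO=TCP SPT=57684 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'
SAMPLE_FWD='DROPFWD>IN=ppp0 OUT=enp1s0 MAC= SRC=203.0.113.7 DST=192.168.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=61884 DF PROTO=TCP SPT=57685 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# log_field KEY LINE: value of the KEY=VALUE token in LINE (empty if unset);
# the "DROPIN>" style --log-prefix is stripped first.
log_field() {
  local body=${2#*>}
  printf '%s\n' "$body" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# classify_drop LINE: prints "CHAIN IN DST DPT VERDICT". LOG runs after
# nat/PREROUTING, so DST/DPT are already the DNATed values (22, not 4242).
# An empty OUT= in INPUT means the kernel delivered the packet locally: the
# DNAT target is one of the router's own addresses, so FORWARD never sees it.
classify_drop() {
  local line=$1 chain iface_in iface_out dst dpt verdict
  case "$line" in
    "DROPIN>"*)  chain=INPUT ;;
    "DROPFWD>"*) chain=FORWARD ;;
    "DROPOUT>"*) chain=OUTPUT ;;
    *)           chain=UNKNOWN ;;
  esac
  iface_in=$(log_field IN "$line"); iface_out=$(log_field OUT "$line")
  dst=$(log_field DST "$line");     dpt=$(log_field DPT "$line")
  if [ "$chain" = INPUT ] && [ -z "$iface_out" ]; then
    verdict=local-delivery
  elif [ "$chain" = FORWARD ] && [ -n "$iface_out" ]; then
    verdict="forwarded-via-$iface_out"
  else
    verdict=other
  fi
  printf '%s %s %s %s %s\n' "$chain" "$iface_in" "$dst" "$dpt" "$verdict"
}

# input_rule_for_dnat WAN DST DPORT ORIG_DPORT: INPUT rule for a DNAT target
# that is the router itself. --ctorigdstport matches the pre-DNAT destination
# port, so only connections rewritten by the PREROUTING rule (public 4242) are
# admitted; DPORT is not opened on the WAN interface to arbitrary traffic.
input_rule_for_dnat() {
  printf 'iptables -A INPUT -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW --ctorigdstport %s -j ACCEPT\n' "$1" "$2" "$3" "$4"
}

classify_drop "$SAMPLE_IN"; classify_drop "$SAMPLE_FWD"
input_rule_for_dnat ppp0 192.168.2.1 22 4242
```

If the intended target is a separate LAN host instead, the same classification shows the drop in FORWARD with OUT= set, and the question's FORWARD rule (not an INPUT rule) is the one to check.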
