iptables port forwarding no longer works


I installed the SSH honeypot cowrie and configured the real ssh to use a different port. The honeypot is supposed to use port %PORT. iptables is configured to route traffic between port 22 and %PORT:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port %PORT

Cowrie runs fine, and this works:

ssh root@localhost -p %PORT

What does not work is:

ssh root@localhost

The same goes for remote connections (except that port %PORT does not work there either, because it is not open).

ssh: connect to host localhost port 22: Connection refused

The real SSH itself works fine on its secret port somewhere.

These are the nat rules from iptables:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:ssh redir ports %PORT

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

These are the global iptables rules:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    f2b-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,imap2
2    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
3    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
4    ACCEPT     all  --  anywhere             anywhere
5    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
[... removed some rules not related to this topic (http-specific, some mail ports)]
15   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:%REAL_SSH_PORT ctstate NEW,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain f2b-dovecot-pop3imap (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  XXXXXXX  anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  XXXXXXX  anywhere             reject-with icmp-port-unreachable
3    REJECT     all  --  XXXXXXX  anywhere             reject-with icmp-port-unreachable
4    REJECT     all  --  XXXXXXX       anywhere             reject-with icmp-port-unreachable
5    RETURN     all  --  anywhere             anywhere

Some side notes:

  1. Choosing a different source port (e.g. 99) does not work either

  2. When connecting from the local machine, a local port-forwarding rule like this works fine

    iptables -t nat -A OUTPUT -p tcp --dport 22 -j REDIRECT --to-port %PORT


What am I not seeing here?

Answer 1

Thanks to @wurtel - PREROUTING indeed is not meant to open a port. I also had to open the SSH honeypot's port, like this:

iptables -A INPUT -p tcp --dport %PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
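The reason the answer's extra INPUT rule is needed: nat/PREROUTING runs before filter/INPUT, so a packet that arrived for port 22 already carries the honeypot's port by the time INPUT evaluates it, and with an INPUT policy of DROP that port has to be ACCEPTed explicitly. The same ordering means INPUT rules keyed on port 22 (the f2b-sshd jump in the question's ruleset, for instance) never see the redirected traffic. The following audit script is an added example, not code from the question, the answer or the cowrie project. It parses an iptables-save style dump and reports both conditions. The dump is a constructed stand-in modelled on the rules above; ports 2222 (honeypot) and 2200 (real sshd) are assumed values for %PORT and %REAL_SSH_PORT.

```python
"""Audit an iptables-save dump for the mistake in the question: nat/PREROUTING
REDIRECT rewrites the destination port before filter/INPUT runs, so with an
INPUT policy of DROP the redirected port itself must be ACCEPTed.
Added example; the dump and the port numbers below are constructed stand-ins."""
from dataclasses import dataclass

# Constructed dump modelled on the question's rules. Assumed: honeypot on 2222
# (stands in for %PORT), real sshd on 2200 (stands in for %REAL_SSH_PORT).
SAMPLE_BROKEN = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2200 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
"""

# The fix from the answer, applied to the constructed dump.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "-A f2b-sshd -j RETURN",
    "-A INPUT -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n"
    "-A f2b-sshd -j RETURN",
)


@dataclass
class Rule:
    table: str
    chain: str
    args: list


def parse_save(dump):
    """Parse iptables-save text into ({(table, chain): policy}, [Rule, ...])."""
    policies, rules, table = {}, [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy      # "-" for user-defined chains
        elif line.startswith("-A "):
            parts = line.split()
            rules.append(Rule(table, parts[1], parts[2:]))
    return policies, rules


def opt(args, *names):
    """Value following the first of `names` present in args, else None."""
    for i, a in enumerate(args[:-1]):
        if a in names:
            return args[i + 1]
    return None


def port_matches(spec, port):
    """True if `port` falls in a --dport/--dports spec such as '22', '2200:2299' or '22,2222'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def input_accepts_new_tcp(rules, policies, port):
    """Walk filter/INPUT top to bottom as the kernel would for the first SYN to `port`."""
    for r in rules:
        if (r.table, r.chain) != ("filter", "INPUT"):
            continue
        if opt(r.args, "-p") not in (None, "tcp"):
            continue
        spec = opt(r.args, "--dport", "--dports")
        if spec is not None and not port_matches(spec, port):
            continue
        states = opt(r.args, "--state", "--ctstate")
        if states is not None and "NEW" not in states.split(","):
            continue                               # RELATED,ESTABLISHED never admits a fresh SYN
        if opt(r.args, "-i") is not None:
            continue                               # interface-bound (e.g. -i lo) is not a general accept
        target = opt(r.args, "-j")
        if target == "ACCEPT":
            return True
        if target in ("DROP", "REJECT"):
            return False
    return policies.get(("filter", "INPUT")) == "ACCEPT"


def audit_redirects(dump):
    """Return (kind, message) findings for every nat/PREROUTING tcp REDIRECT."""
    policies, rules = parse_save(dump)
    findings = []
    for r in rules:
        if (r.table, r.chain) != ("nat", "PREROUTING") or opt(r.args, "-j") != "REDIRECT":
            continue
        orig, to = opt(r.args, "--dport"), opt(r.args, "--to-ports", "--to-port")
        if orig is None or to is None:
            continue
        to_port = int(to.split("-")[0])
        if not input_accepts_new_tcp(rules, policies, to_port):
            findings.append(("blocked",
                f"REDIRECT {orig}->{to_port}: filter/INPUT never ACCEPTs NEW tcp to {to_port}; add "
                f"iptables -A INPUT -p tcp --dport {to_port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"))
        # INPUT rules keyed on the original port (e.g. a fail2ban jump on 22) never see
        # redirected packets: by then they already carry dport to_port.
        for f in rules:
            spec = opt(f.args, "--dport", "--dports")
            if (f.table, f.chain) == ("filter", "INPUT") and spec and port_matches(spec, int(orig)):
                findings.append(("shadowed",
                    f"INPUT rule '{' '.join(f.args)}' matches port {orig}, which redirected traffic no longer carries"))
    return findings


if __name__ == "__main__":
    for label, dump in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"== {label} ==")
        for kind, msg in audit_redirects(dump):
            print(f"[{kind}] {msg}")
```

Run it against a real ruleset with `iptables-save | python3 audit.py` after swapping the constructed dump for `sys.stdin.read()`. On the broken dump it reports the blocked honeypot port with the exact rule the answer adds; on the fixed dump only the "shadowed" warning remains, which is worth knowing if you expected fail2ban's sshd jail to keep seeing port-22 traffic after the redirect.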
