I have a network router that connects three networks to the outside world. One of the inner networks is public-facing; the other two are not and are connected via NAT. I am part of a larger network in which the router has the IP 1.2.3.1, but that IP is not reachable from outside; only external_net allows traffic from outside.
I now want to set up port forwarding on the router IP so that I can ssh to a machine inside the NAT. I am using pf on FreeBSD.
My pf.conf is:
#define network macros
uplink_iface = "igb4"
external_iface = "igb3"
l_iface = "igb5"
i_iface = "igb2"
d_iface = "igb1"
external_host = "1.2.3.1/32"
external_net = "1.2.4.0/25"
l_net = $l_iface:network
i_net = $i_iface:network
d_net = $d_iface:network
set skip on lo0
# tell the sender that they are running into pf
set block-policy return
# do not keep states unnecessarily long
set optimization aggressive
#Nat config
nat on $uplink_iface from $l_net to any -> $external_host
nat on $uplink_iface from $i_net to any -> $external_host
nat on $uplink_iface from $d_net to any -> $external_host
# $external_iface: the posted line used $e_iface, a macro that is never defined
rdr pass log (all) on { $uplink_iface, $i_iface, $external_iface } proto tcp from any to $external_host port 6987 -> 192.168.2.2 port 22
#do not allow anything but the below rules
block all
# allow incoming traffic only to our external IP range/server
pass from any to $external_net keep state
# allow any outgoing traffic from server and employee machines (tbd)
pass from { $d_net, $i_net, $l_net, $external_net } to any keep state
What I know:
- For some reason this does not work from outside: the connection times out.
- From inside (i.e. from any of the defined networks), ssh on that port works.
- tcpdump on pflog shows the port forward being triggered in both cases.
- tcpdump on the respective interfaces confirms that the request is forwarded when it comes in on one of the internal interfaces, and is not forwarded when it comes in on the external interface.
- When I remove the block all rule entirely, it works. However, I do not want to give up that rule.
Why can I not ssh from outside, but can from inside?
Answer 1
Redirecting the traffic alone is not enough; you also have to allow it. My guess is that because the block all rule comes after rdr pass, the block takes precedence.
pass proto tcp from any to 192.168.2.2 port 22 keep state
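A forwarded packet is filtered by pf twice: once inbound on the interface it arrives on, and again outbound on the interface it leaves through, with the last matching rule deciding unless a rule says `quick`. The added example below is not code from the question or the answer; it is a small model of that evaluation path for the ruleset above, walking a TCP SYN from an outside client and from an inside client through the rdr, the inbound check and the outbound check, first with the original filter rules and then with the rule the answer adds. It only models the filter-rule pass pf performs when no existing state matches the packet. The subnet behind each interface is an assumption (the post only tells us that 192.168.2.2 is behind NAT): 192.168.2.0/24 on igb2 (i_net), 192.168.1.0/24 on igb1 (d_net), 192.168.5.0/24 on igb5 (l_net) and 1.2.3.0/24 on the uplink igb4; the client addresses 203.0.113.10 and 192.168.2.50 are constructed.

```python
"""Toy model of the pf evaluation path for the ruleset in the question.

Added example, not code from the question or the answer.  It models only the
filter-rule evaluation pf performs when no existing state matches a packet:
the last matching rule wins (no rule uses `quick`), `rdr ... pass` rewrites
the destination and passes the packet on the ingress interface without
consulting the filter rules, and the forwarded packet is then filtered again
outbound on the egress interface.  Subnet addressing per interface is an
assumption, see the comments on IFACES.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")
EXTERNAL_HOST = ip_address("1.2.3.1")

# interface -> directly attached network (addressing assumed, not from the post)
IFACES = {
    "igb4": ip_network("1.2.3.0/24"),      # uplink_iface
    "igb3": ip_network("1.2.4.0/25"),      # external_iface / external_net
    "igb5": ip_network("192.168.5.0/24"),  # l_iface / l_net
    "igb2": ip_network("192.168.2.0/24"),  # i_iface / i_net
    "igb1": ip_network("192.168.1.0/24"),  # d_iface / d_net
}
EXTERNAL_NET, L_NET, I_NET, D_NET = (IFACES[i] for i in ("igb3", "igb5", "igb2", "igb1"))
RDR_IFACES = ("igb4", "igb2", "igb3")      # interfaces named in the rdr rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    srcs: Tuple = (ANY,)           # source must fall in one of these networks
    dsts: Tuple = (ANY,)           # destination must fall in one of these
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and any(ip_address(p.src) in n for n in self.srcs)
                and any(ip_address(p.dst) in n for n in self.dsts))


# The filter rules from the question's pf.conf, in order.
RULES = [
    Rule("block"),                                            # block all
    Rule("pass", dsts=(EXTERNAL_NET,)),                       # pass from any to $external_net
    Rule("pass", srcs=(D_NET, I_NET, L_NET, EXTERNAL_NET)),   # pass from { ... } to any
]
# The rule the answer adds.
FIX = Rule("pass", dsts=(ip_network("192.168.2.2/32"),), proto="tcp", dport=22)


def evaluate(rules, p: Packet) -> str:
    """Last matching rule decides; pf passes by default when nothing matches."""
    verdict = "pass"
    for r in rules:
        if r.matches(p):
            verdict = r.action
    return verdict


def egress_iface(dst: str) -> Optional[str]:
    """Interface the router would forward a packet for dst out of."""
    return next((i for i, n in IFACES.items() if ip_address(dst) in n), None)


def forward(rules, ingress: str, p: Packet) -> dict:
    """Run one packet through rdr, the inbound filter and the outbound filter."""
    # rdr pass ... on { $uplink_iface, $i_iface, $external_iface } proto tcp
    #     from any to $external_host port 6987 -> 192.168.2.2 port 22
    redirected = (ingress in RDR_IFACES and p.proto == "tcp"
                  and ip_address(p.dst) == EXTERNAL_HOST and p.dport == 6987)
    if redirected:
        p = replace(p, dst="192.168.2.2", dport=22)
        inbound = "pass"          # the `pass` modifier skips the filter rules here
    else:
        inbound = evaluate(rules, p)
    if inbound == "block":
        return {"in": ("block", ingress)}
    out = egress_iface(p.dst)
    # second evaluation: the translated packet leaving through the egress interface
    return {"in": ("pass", ingress), "out": (evaluate(rules, p), out)}


if __name__ == "__main__":
    outside = Packet("tcp", "203.0.113.10", "1.2.3.1", 6987)   # constructed client
    inside = Packet("tcp", "192.168.2.50", "1.2.3.1", 6987)    # constructed client
    print("outside, original rules:", forward(RULES, "igb4", outside))
    print("inside,  original rules:", forward(RULES, "igb2", inside))
    print("outside, with fix:      ", forward(RULES + [FIX], "igb4", outside))
```

The outside client's packet is redirected and passed on igb4, but on its way out of igb2 its source is no longer in any of the `pass from { ... } to any` networks and its destination is not in $external_net, so the only matching rule is `block all`; the inside client's packet leaves igb2 with a source in $i_net and is passed. With the answer's rule appended the outside case passes too, which matches the tcpdump observation in the question (the redirect fires, nothing leaves the internal interface). On the router itself the equivalent check is to change `block all` to `block log all`, reload with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0`, which prints the interface, direction and rule number for each logged drop.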