Iptables forwarding rule between two VLANs does not work

I must be missing something.
I have two VLANs and want to allow certain IPs and ports to talk across VLANs; basically I want to let 192.168.16.2 connect to 192.168.15.4:80 and allow all related and established traffic.
I added logging rules, and from what I can see I don't understand what I'm doing wrong, because it should match.
Everything else works fine: machines in 99 can reach 3 but not the other way round, and 192.168.16.3 can reach eth2, which is the wlan. But this rule does not work: -A FORWARD -p tcp -i br-lan.3 -s 192.168.16.2 -d 192.168.5.4 -o br-lan.99 --dport 80. Same for ICMP ping, it gets dropped.
Maybe you can spot the mistake?

ip addr on the router:

18: br-lan.99@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XXXX brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.1/24 brd 192.168.15.255 scope global br-lan.99
       valid_lft forever preferred_lft forever
    inet6 fd71:adef:67d:10::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::da58:d7ff:fe00:3b25/64 scope link
       valid_lft forever preferred_lft forever
19: br-lan.3@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XXXX brd ff:ff:ff:ff:ff:ff
    inet 192.168.16.1/24 brd 192.168.16.255 scope global br-lan.3
       valid_lft forever preferred_lft forever
    inet6 fd71:adef:67d::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::da58:d7ff:fe00:3b25/64 scope link
       valid_lft forever preferred_lft forever

iptables -L -nv for the FORWARD chain:

Chain FORWARD (policy DROP 60 packets, 4785 bytes)
 pkts bytes target     prot opt in     out     source               destination
   96  5004 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 457K  447M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   19  1012 ACCEPT     all  --  br-lan.99 br-lan.3  192.168.15.0/24      0.0.0.0/0
  617  165K ACCEPT     all  --  br-lan.99 *       192.168.15.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  br-lan.3 br-lan.3  192.168.16.2         0.0.0.0/0
    0     0 ACCEPT     all  --  br-lan.3 *       192.168.16.1         0.0.0.0/0  
   10   760 ACCEPT     all  --  br-lan.3 eth2    192.168.16.3         0.0.0.0/0           
    0     0 ACCEPT     icmp --  br-lan.3 br-lan.99  192.168.16.2         192.168.5.4          
    0     0 ACCEPT     tcp  --  br-lan.3 br-lan.99  192.168.16.2         192.168.5.4          tcp dpt:80 
   71  5409 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FORWARD-DROP:"

Commands used to set up iptables:

 -P FORWARD DROP
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -i br-lan.99 -s 192.168.15.0/24 -o br-lan.3 -j ACCEPT
 -A FORWARD -i br-lan.99 -s 192.168.15.0/24 -j ACCEPT
 -A FORWARD -i br-lan.3 -s 192.168.16.2 -o br-lan.3 -j ACCEPT
 -A FORWARD -i br-lan.3 -s 192.168.16.1 -j ACCEPT
 -A FORWARD -i br-lan.3 -s 192.168.16.3 -o eth2 -j ACCEPT
 -A FORWARD -p icmp -i br-lan.3 -s 192.168.16.2 -d 192.168.5.4 -o br-lan.99 -j ACCEPT
 -A FORWARD -p tcp -i br-lan.3 -s 192.168.16.2 -d 192.168.5.4 -o br-lan.99 --dport 80 -j ACCEPT
 -A FORWARD -j LOG --log-prefix "FORWARD-DROP:"

Here is the resulting log from tail -f /var/log/messages | grep "FORWARD-DROP":

Dec 21 18:50:29 XXXX kernel: [  709.598723] FORWARD-DROP:IN=br-lan.3 OUT=br-lan.99 MAC=XXXX SRC=192.168.16.2 DST=192.168.15.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64367 DF PROTO=TCP SPT=34270 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 21 18:50:30 XXXX kernel: [  710.599559] FORWARD-DROP:IN=br-lan.3 OUT=br-lan.99 MAC=XXXX SRC=192.168.16.2 DST=192.168.15.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64368 DF PROTO=TCP SPT=34270 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 21 18:50:32 XXXX kernel: [  712.619432] FORWARD-DROP:IN=br-lan.3 OUT=br-lan.99 MAC=XXXX SRC=192.168.16.2 DST=192.168.15.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64369 DF PROTO=TCP SPT=34270 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 21 19:16:15 XXXX kernel: [ 2255.472602] FORWARD-DROP:IN=br-lan.3 OUT=br-lan.99 MAC=XXXX  SRC=192.168.16.2 DST=192.168.15.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=16847 DF PROTO=ICMP TYPE=8 CODE=0 ID=6879 SEQ=0
Dec 21 19:16:25 XXXX kernel: [ 2265.383554] FORWARD-DROP:IN=br-lan.3 OUT=br-lan.99 MAC=XXXX  SRC=192.168.16.2 DST=192.168.15.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=19255 DF PROTO=ICMP TYPE=8 CODE=0 ID=6886 SEQ=0

Answer 1

This is due to a typo in the rules: 192.168.15.4 was written as 192.168.5.4.
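
The answer above spots the typo by eye. As an added example, not code from the original post or its answerer, the Python script below replays the question's LOG lines against the posted FORWARD rules the way the kernel walks the chain (first terminating match wins, LOG is non-terminating, the chain policy applies if nothing matches) and lists every rule that failed on exactly one option, which is exactly where a mistyped address hides. It models only the matches the posted rules use (-i, -o, -s, -d, -p, --dport, --ctstate) and assumes each logged packet is a new connection (ctstate NEW), which holds for the SYN and echo-request packets in the log. The rule and log text are copied from the question; FIXED_RULES is the same list with the correction the answer implies applied.

```python
"""Replay netfilter LOG lines against an iptables FORWARD rule list.

Added example for the question above, not code from the post. Supports only the
options the posted rules use and treats every logged packet as ctstate NEW.
"""
import ipaddress
import re
import shlex

POLICY = "DROP"  # -P FORWARD DROP

# Copied from the question, including the two rules with the mistyped destination.
RULES = [
    "-A FORWARD -m conntrack --ctstate INVALID -j DROP",
    "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A FORWARD -i br-lan.99 -s 192.168.15.0/24 -o br-lan.3 -j ACCEPT",
    "-A FORWARD -i br-lan.99 -s 192.168.15.0/24 -j ACCEPT",
    "-A FORWARD -i br-lan.3 -s 192.168.16.2 -o br-lan.3 -j ACCEPT",
    "-A FORWARD -i br-lan.3 -s 192.168.16.1 -j ACCEPT",
    "-A FORWARD -i br-lan.3 -s 192.168.16.3 -o eth2 -j ACCEPT",
    "-A FORWARD -p icmp -i br-lan.3 -s 192.168.16.2 -d 192.168.5.4 -o br-lan.99 -j ACCEPT",
    "-A FORWARD -p tcp -i br-lan.3 -s 192.168.16.2 -d 192.168.5.4 -o br-lan.99 --dport 80 -j ACCEPT",
    '-A FORWARD -j LOG --log-prefix "FORWARD-DROP:"',
]
# Same list with the typo the answer points out corrected.
FIXED_RULES = [r.replace("192.168.5.4", "192.168.15.4") for r in RULES]

# Two log lines copied from the question (MAC elided as in the post).
LOG_LINES = [
    "Dec 21 18:50:29 XXXX kernel: [  709.598723] FORWARD-DROP:IN=br-lan.3 OUT=br-lan.99 MAC=XXXX "
    "SRC=192.168.16.2 DST=192.168.15.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64367 DF PROTO=TCP "
    "SPT=34270 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Dec 21 19:16:15 XXXX kernel: [ 2255.472602] FORWARD-DROP:IN=br-lan.3 OUT=br-lan.99 MAC=XXXX  "
    "SRC=192.168.16.2 DST=192.168.15.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=16847 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=6879 SEQ=0",
]

# Options that take one argument; anything else in a rule is ignored.
_OPTS_WITH_ARG = {"-A", "-m", "-i", "-o", "-s", "-d", "-p", "-j", "--dport",
                  "--ctstate", "--log-prefix"}

def parse_rule(rule):
    """Turn one rule string into {option: value}; 'raw' keeps the original text."""
    tokens = shlex.split(rule)
    spec = {"raw": rule}
    i = 0
    while i < len(tokens):
        if tokens[i] in _OPTS_WITH_ARG and i + 1 < len(tokens):
            spec[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return spec

def parse_log(line):
    """Extract the KEY=VALUE fields (IN, OUT, SRC, DST, PROTO, DPT, ...) of a LOG line."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def mismatches(rule, pkt):
    """List the options the packet fails; an empty list means the rule matches."""
    bad = []
    if "--ctstate" in rule:
        # A first SYN or echo request is NEW, so neither INVALID nor
        # ESTABLISHED,RELATED can match it.
        bad.append(f"--ctstate {rule['--ctstate']} (packet is NEW)")
    for opt, key in (("-i", "IN"), ("-o", "OUT"), ("--dport", "DPT")):
        if opt in rule and rule[opt] != pkt.get(key):
            bad.append(f"{opt} {rule[opt]} != {key}={pkt.get(key)}")
    for opt, key in (("-s", "SRC"), ("-d", "DST")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[opt], strict=False):
            bad.append(f"{opt} {rule[opt]} != {key}={pkt[key]}")
    if "-p" in rule and rule["-p"].upper() != pkt.get("PROTO"):
        bad.append(f"-p {rule['-p']} != PROTO={pkt.get('PROTO')}")
    return bad

def walk_chain(rules, pkt, policy=POLICY):
    """Walk the chain in order: LOG is non-terminating, the first ACCEPT/DROP wins,
    the policy decides otherwise. Also collect rules that missed on one option only."""
    near_misses, logged = [], False
    for rule in (parse_rule(r) for r in rules):
        bad = mismatches(rule, pkt)
        if not bad:
            if rule.get("-j") == "LOG":
                logged = True
                continue
            return {"verdict": rule["-j"], "rule": rule["raw"], "logged": logged, "near_misses": near_misses}
        if len(bad) == 1 and "--ctstate" not in rule:
            near_misses.append((rule["raw"], bad[0]))
    return {"verdict": policy, "rule": None, "logged": logged, "near_misses": near_misses}

if __name__ == "__main__":
    for line in LOG_LINES:
        pkt = parse_log(line)
        for label, rules in (("as posted", RULES), ("typo fixed", FIXED_RULES)):
            res = walk_chain(rules, pkt)
            hit = " (hit LOG)" if res["logged"] else ""
            print(f"{pkt['PROTO']} {pkt['SRC']} -> {pkt['DST']} [{label}]: {res['verdict']}{hit} via {res['rule']}")
            for raw, why in res["near_misses"]:
                print(f"    near miss: {why}   in: {raw}")
```

Run against the posted rules, both logged packets fall through to the policy DROP after hitting LOG, and the near-miss list for the TCP SYN contains the port-80 rule with the single complaint "-d 192.168.5.4 != DST=192.168.15.4"; with FIXED_RULES the SYN is accepted by that rule and the echo request by the ICMP rule. The same approach works for any ruleset saved with iptables-save, as long as you add the options it uses to the matcher.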
