Able to ping both machines, but after running the script it no longer works

I have been trying to solve this for the past few days without success. This is not my script; it is someone else's that I found on GitHub and modified slightly (https://github.com/ianlee/standalone-fw). My own script did not work, so I thought I would try someone else's and see whether that worked, but it does not. I don't want the solution handed to me, but I am completely stuck, so here I am. These are all bash scripts.

My current setup is 2 VMs, both running the latest version of Fedora. Both have a NAT network and an internal network so that they can talk to each other. When I created the NAT network I gave it the network CIDR 192.168.10.0/24. enp0s1 is the NAT network connection and enp0s8 is the internal network.

I run the following 2 scripts so that the "internal" machines can ping each other:

EXTERNAL_INTERFACE="enp0s1"
INTERNAL_GATEWAY_BINDING="1"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="2"

DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"

ifconfig $EXTERNAL_INTERFACE down 
ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up 
route add default gw $INTERNAL_SUBNET.$INTERNAL_GATEWAY_BINDING

# both entries need the "nameserver" keyword, otherwise the resolver ignores the first line
echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf

This one is on the external machine, i.e. the machine the firewall script will run on:

FIREWALL_IP="192.168.10.5"
EXTERNAL_SUBNET="192.168.0.0"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="1"
DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"

ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up

route add -net $INTERNAL_SUBNET.0 netmask 255.255.255.0 gw $INTERNAL_SUBNET.$INTERNAL_BINDING

echo "1" >/proc/sys/net/ipv4/ip_forward

route add -net $EXTERNAL_SUBNET netmask 255.255.255.0 gw $FIREWALL_IP
# both entries need the "nameserver" keyword, otherwise the resolver ignores the first line
echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf

where 192.168.10.5 is the address on enp0s1 that has the internet connection. I am able to ping 192.168.10.1 and 192.168.10.2 from each other, but then I try to run the script,

#interface name
EXTERNAL="enp0s1"
INTERNAL="enp0s8"
INTERNAL_NETWORK="192.168.10.0/24"

#Allowing ports
TCP_ALLOW_PORTS_IN="22,80,443,8080,3131" #from these ports (acting as a client)
TCP_ALLOW_PORTS_OUT="22,80,443,8080,3131"
UDP_ALLOW_PORTS_IN="80"
UDP_ALLOW_PORTS_OUT="80"

#internal server ip
INTERNAL_SERVER_IP="192.168.10.2"
TCP_ALLOW_PORTS_IN_SERVER="80,22,443,8080,3131" #acting as server (allow connections to these ports)
TCP_ALLOW_PORTS_OUT_SERVER="80,22,443,8080,3131"
UDP_ALLOW_PORTS_IN_SERVER="80"
UDP_ALLOW_PORTS_OUT_SERVER="80"
ICMP_ALLOW_TYPES="0,8"


#block traffic to and from these IP addresses
IP_BLOCK=""

#block these ports regardless of IP or protocol.  
BLOCK_PORTS_IN="0,23"
BLOCK_PORTS_OUT="0,23"

MAXIMIZE_THROUGHPUT="20"
MINIMIZE_DELAY="21,22"

DNS_PORT_IN="53"
DNS_PORT_OUT="53"
DHCP_PORT_IN="67"
DHCP_PORT_OUT="68"

#empty all existing chains
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F

#set policies to drop
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP

#SNAT
iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
#DNAT
iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP
iptables -t nat -A PREROUTING -i $EXTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP

arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
    iptables -t nat -A PREROUTING -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j DNAT --to $INTERNAL_SERVER_IP
done
#MANGLE
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput


iptables -N dhcpin
iptables -N dhcpout
iptables -N dhcpforward
iptables -N blockin
iptables -N blockout
iptables -N necessitiesin
iptables -N necessitiesout
iptables -N necessitiesforward
iptables -N icmpin
iptables -N udpin
iptables -N tcpin
iptables -N udpout
iptables -N tcpout


#chain for blocking Inbound traffic
#block inbound traffic from specific IPs 
if [[ -n $IP_BLOCK ]]; then
    iptables -A blockin -i $EXTERNAL  -s $IP_BLOCK -j DROP
fi
#block inbound traffic from a source address from the outside matching your internal network.
iptables -A blockin -i $EXTERNAL  -s $INTERNAL_NETWORK -j DROP

#block syn and fin bits.
iptables -A blockin -i $EXTERNAL  -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL  -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A blockout  -i $INTERNAL -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockout  -i $INTERNAL -p tcp --tcp-flags SYN,FIN SYN,FIN  -j DROP

#block inbound traffic to and from specified ports
iptables -A blockin -i $EXTERNAL  -p udp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL  -p udp -m multiport --dports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL  -p tcp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL  -p tcp -m multiport --dports $BLOCK_PORTS_IN -j DROP

#drop SYN packets from ports less than 1024
iptables -A blockin -i $EXTERNAL  -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL  -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP

#drop SYN packets to high ports
iptables -A blockin -i $EXTERNAL  -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockin -i $EXTERNAL  -p udp -m multiport --dports 32768:32775,137:139 -j DROP

#block outbound traffic from specific IPs
if [[ -n $IP_BLOCK ]]; then
    iptables -A blockout  -i $INTERNAL -d $IP_BLOCK -j DROP
fi
iptables -A blockout  -i $INTERNAL ! -s $INTERNAL_NETWORK -j DROP

#block out bound to and from specified ports
iptables -A blockout  -i $INTERNAL -p udp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout  -i $INTERNAL -p udp -m multiport --dports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout  -i $INTERNAL -p tcp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout  -i $INTERNAL -p tcp -m multiport --dports $BLOCK_PORTS_OUT -j DROP

#drop SYN packets from ports less than 1024
iptables -A blockout  -i $INTERNAL -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockout  -i $INTERNAL -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP

#Block all external traffic directed to ports 32768 – 32775, 137 – 139, TCP ports 111 and 515. 
iptables -A blockout  -i $INTERNAL -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockout  -i $INTERNAL -p udp -m multiport --dports 32768:32775,137:139 -j DROP

#allow inbound udp dns traffic
iptables -A necessitiesin -i $EXTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT

#allow inbound tcp dns  traffic
iptables -A necessitiesin -i $EXTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT

#allow outbound udp dns traffic
iptables -A necessitiesout -o $EXTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT

#allow outbound tcp dns  traffic
iptables -A necessitiesout -o $EXTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT

#allow inbound udp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p udp  --dport $DHCP_PORT_OUT  -m multiport --sports $DHCP_PORT_IN  -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p udp  --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN   -j ACCEPT

#allow inbound tcp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p tcp --dport $DHCP_PORT_OUT  -m multiport --sports $DHCP_PORT_IN  -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p tcp --dport $DHCP_PORT_OUT  -m multiport --sports $DHCP_PORT_IN   -j ACCEPT

#allow outbound udp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p udp  --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT  -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p udp  --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT   -j ACCEPT

#allow outbound tcp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p tcp --sport $DHCP_PORT_IN  -m multiport --dports $DHCP_PORT_OUT  -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p tcp  --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT

#ICMP Chain
arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
  iptables -A icmpin -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j ACCEPT
done

#allow inbound udp user defined traffic
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server
#add inbound udp chain to default input chain

#allow inbound user defined traffic
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server

#allow outbound udp user defined traffic
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server

#allow outbound tcp user defined traffic
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server


iptables -A INPUT -j dhcpin
iptables -A OUTPUT -j dhcpout
iptables -A FORWARD -j dhcpforward

iptables -A FORWARD -j blockin
iptables -A INPUT -j blockin
iptables -A FORWARD -j blockout
iptables -A INPUT -j blockout

iptables -A INPUT -j necessitiesin
iptables -A OUTPUT -j necessitiesout
iptables -A FORWARD -j necessitiesforward

iptables -A FORWARD -p icmp -j icmpin
iptables -A FORWARD -p udp -j udpin
iptables -A FORWARD -p tcp -j tcpin
iptables -A FORWARD -p udp -j udpout
iptables -A FORWARD -p tcp -j tcpout

I run it on the external machine, and when I try to ping any of the allowed TCP or UDP ports I get no response. I can see it going through in Wireshark, but the ping command itself produces no response. Any help would be greatly appreciated, as this is really hurting my brain.
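An added audit script (not from the question, the answer, or the standalone-fw project) that checks a constructed iptables-save style dump for what the posted filter rules lack before the firewall host itself can answer a ping: an ICMP accept reachable from INPUT and an ESTABLISHED,RELATED accept on INPUT and OUTPUT. The interface name and the two dumps are constructed to mirror the question; the functions chain_has and audit_ping_path are this example's own.

```bash
#!/bin/bash
# Constructed iptables-save style dump mirroring the question's filter table: DROP
# policies, ICMP accepted only below FORWARD, no ESTABLISHED rule on INPUT/OUTPUT.
RULES_AS_POSTED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:necessitiesin - [0:0]
:necessitiesout - [0:0]
:icmpin - [0:0]
-A INPUT -j necessitiesin
-A OUTPUT -j necessitiesout
-A FORWARD -p icmp -j icmpin
-A necessitiesin -i enp0s1 -p udp -m multiport --sports 53 -j ACCEPT
-A necessitiesout -o enp0s1 -p udp -m multiport --dports 53 -j ACCEPT
-A icmpin -i enp0s1 -p icmp -m icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'
# The same table with the rules a host needs to answer a ping itself (constructed).
RULES_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'
# chain_has CHAIN REGEX DUMP: true if CHAIN, or a user chain it jumps to, has a
# rule matching REGEX (one level of jumps is followed, as in the posted script).
chain_has() {
  local chain="$1" re="$2" dump="$3" target
  printf '%s\n' "$dump" | grep -Eq "^-A $chain .*$re" && return 0
  for target in $(printf '%s\n' "$dump" | sed -n "s/^-A $chain .*-j \([A-Za-z0-9_]*\)$/\1/p"); do
    case "$target" in ACCEPT|DROP|REJECT|RETURN) continue ;; esac
    printf '%s\n' "$dump" | grep -Eq "^-A $target .*$re" && return 0
  done
  return 1
}
# audit_ping_path DUMP: print why the firewall host itself cannot answer an echo
# request; the return value is the number of problems found (0 = it can).
audit_ping_path() {
  local dump="$1" n=0 est='--(ctstate|state) [A-Z,]*ESTABLISHED.*-j ACCEPT'
  chain_has INPUT '-p icmp .*-j ACCEPT' "$dump" || { echo "INPUT: echo requests to the host are dropped"; n=$((n+1)); }
  chain_has INPUT "$est" "$dump" || { echo "INPUT: no ESTABLISHED,RELATED accept for replies to the host's own traffic"; n=$((n+1)); }
  chain_has OUTPUT "$est" "$dump" || chain_has OUTPUT '-p icmp .*-j ACCEPT' "$dump" ||
    { echo "OUTPUT: policy DROP and no rule lets the echo reply leave"; n=$((n+1)); }
  return "$n"
}
if audit_ping_path "$RULES_AS_POSTED"; then echo "posted rules: host answers ping"; fi
if audit_ping_path "$RULES_FIXED"; then echo "fixed rules: host answers ping"; fi
```

On a live box, feed it the real table with `audit_ping_path "$(iptables-save -t filter)"`; the same check explains why the posted rules give no reply even though Wireshark shows the echo request arriving.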

Answer 1

So your external network address (fw cpu) is 192.168.0.0/24 facing your gateway, which makes 192.168.0.1 - 192.168.0.254 the viable host addresses for devices connected to it, but your hosts are on 192.168.10.0/24, a different network address from 192.168.0. You need a router in there to allow the 2 different network addresses to communicate, otherwise traffic won't route to 192.168.10.0/24. Are you using VirtualBox?
