For the past few days I've been trying to solve this problem without success. This isn't my script, it's someone else's that I found on GitHub and made some slight modifications to (https://github.com/ianlee/standalone-fw). My own script didn't work, so I figured I'd try someone else's and see whether it would, but it didn't either. I'm not asking for a solution to mine, but I'm completely stuck, so here I am. These are all bash scripts.
My current setup is 2 VMs, both running the latest version of Fedora. Both have a NAT network and an internal network so that they can communicate with each other. When I created the NAT network I gave it the network CIDR 192.168.10.0/24. Enp0s1 is the NAT network connection and Enp0s8 is the internal network.
I run the following 2 scripts so that the "internal" machines can ping each other
EXTERNAL_INTERFACE="enp0s1"
INTERNAL_GATEWAY_BINDING="1"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="2"
DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"
ifconfig $EXTERNAL_INTERFACE down
ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up
route add default gw $INTERNAL_SUBNET.$INTERNAL_GATEWAY_BINDING
echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf
This one is on the external machine, i.e. the machine the firewall script is going to run on,
FIREWALL_IP="192.168.10.5"
EXTERNAL_SUBNET="192.168.0.0"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="1"
DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"
ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up
route add -net $INTERNAL_SUBNET.0 netmask 255.255.255.0 gw $INTERNAL_SUBNET.$INTERNAL_BINDING
echo "1" >/proc/sys/net/ipv4/ip_forward
route add -net $EXTERNAL_SUBNET netmask 255.255.255.0 gw $FIREWALL_IP
echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf
where 192.168.10.5 is the address on Enp0s1 that has the internet connection. I'm able to ping back and forth between 192.168.10.1 and 192.168.10.2, but then I try to run the script,
#!/bin/bash
#interface name
EXTERNAL="enp0s1"
INTERNAL="enp0s8"
INTERNAL_NETWORK="192.168.10.0/24"
#Allowing ports
TCP_ALLOW_PORTS_IN="22,80,443,8080,3131" #from these ports (acting as a client)
TCP_ALLOW_PORTS_OUT="22,80,443,8080,3131"
UDP_ALLOW_PORTS_IN="80"
UDP_ALLOW_PORTS_OUT="80"
#internal server ip
INTERNAL_SERVER_IP="192.168.10.2"
TCP_ALLOW_PORTS_IN_SERVER="80,22,443,8080,3131" #acting as server (allow connections to these ports)
TCP_ALLOW_PORTS_OUT_SERVER="80,22,443,8080,3131"
UDP_ALLOW_PORTS_IN_SERVER="80"
UDP_ALLOW_PORTS_OUT_SERVER="80"
ICMP_ALLOW_TYPES="0,8"
#block traffic to and from these IP addresses
IP_BLOCK=""
#block these ports regardless of IP or protocol.
BLOCK_PORTS_IN="0,23"
BLOCK_PORTS_OUT="0,23"
MAXIMIZE_THROUGHPUT="20"
MINIMIZE_DELAY="21,22"
DNS_PORT_IN="53"
DNS_PORT_OUT="53"
DHCP_PORT_IN="67"
DHCP_PORT_OUT="68"
#empty all existing chains
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F
#set policies to drop
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP
#SNAT
iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
#DNAT
iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP
iptables -t nat -A PREROUTING -i $EXTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP
arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
iptables -t nat -A PREROUTING -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j DNAT --to $INTERNAL_SERVER_IP
done
#MANGLE
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput
iptables -N dhcpin
iptables -N dhcpout
iptables -N dhcpforward
iptables -N blockin
iptables -N blockout
iptables -N necessitiesin
iptables -N necessitiesout
iptables -N necessitiesforward
iptables -N icmpin
iptables -N udpin
iptables -N tcpin
iptables -N udpout
iptables -N tcpout
#chain for blocking Inbound traffic
#block inbound traffic from specific IPs
if [[ -n $IP_BLOCK ]]; then
iptables -A blockin -i $EXTERNAL -s $IP_BLOCK -j DROP
fi
#block inbound traffic from a source address from the outside matching your internal network.
iptables -A blockin -i $EXTERNAL -s $INTERNAL_NETWORK -j DROP
#block syn and fin bits.
iptables -A blockin -i $EXTERNAL -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A blockout -i $INTERNAL -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockout -i $INTERNAL -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#block inbound traffic to and from specified ports
iptables -A blockin -i $EXTERNAL -p udp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --dports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --dports $BLOCK_PORTS_IN -j DROP
#drop SYN packets from ports less than 1024
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP
#drop SYN packets to high ports
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --dports 32768:32775,137:139 -j DROP
#block outbound traffic from specific IPs
if [[ -n $IP_BLOCK ]]; then
iptables -A blockout -i $INTERNAL -d $IP_BLOCK -j DROP
fi
iptables -A blockout -i $INTERNAL ! -s $INTERNAL_NETWORK -j DROP
#block out bound to and from specified ports
iptables -A blockout -i $INTERNAL -p udp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --dports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p tcp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p tcp -m multiport --dports $BLOCK_PORTS_OUT -j DROP
#drop SYN packets from ports less than 1024
iptables -A blockout -i $INTERNAL -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP
#Block all external traffic directed to ports 32768 – 32775, 137 – 139, TCP ports 111 and 515.
iptables -A blockout -i $INTERNAL -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --dports 32768:32775,137:139 -j DROP
#allow inbound udp dns traffic
iptables -A necessitiesin -i $EXTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT
#allow inbound tcp dns traffic
iptables -A necessitiesin -i $EXTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT
#allow outbound udp dns traffic
iptables -A necessitiesout -o $EXTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
#allow outbound tcp dns traffic
iptables -A necessitiesout -o $EXTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
#allow inbound udp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p udp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p udp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
#allow inbound tcp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p tcp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p tcp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
#allow outbound udp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p udp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p udp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
#allow outbound tcp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p tcp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p tcp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
#ICMP Chain
arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
iptables -A icmpin -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j ACCEPT
done
#allow inbound udp user defined traffic
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server
#add inbound udp chain to default input chain
#allow inbound user defined traffic
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server
#allow outbound udp user defined traffic
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server
#allow outbound tcp user defined traffic
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server
iptables -A INPUT -j dhcpin
iptables -A OUTPUT -j dhcpout
iptables -A FORWARD -j dhcpforward
iptables -A FORWARD -j blockin
iptables -A INPUT -j blockin
iptables -A FORWARD -j blockout
iptables -A INPUT -j blockout
iptables -A INPUT -j necessitiesin
iptables -A OUTPUT -j necessitiesout
iptables -A FORWARD -j necessitiesforward
iptables -A FORWARD -p icmp -j icmpin
iptables -A FORWARD -p udp -j udpin
iptables -A FORWARD -p tcp -j tcpin
iptables -A FORWARD -p udp -j udpout
iptables -A FORWARD -p tcp -j tcpout
I run it on the external machine, and when I try to ping any of the allowed TCP or UDP ports I don't get any response. I can see it going through in Wireshark, but the ping command itself produces no response. Any help would be greatly appreciated, because this is really hurting my brain.
Answer 1
So your external network address (fw cpu) is 192.168.0.0/24 facing your gateway, which makes 192.168.0.1 - 192.168.0.254 the viable host addresses for devices connected to it, but your hosts are on 192.168.10.0/24, a different network address from 192.168.0. You need to add a router in there to allow the 2 different network addresses to communicate, otherwise traffic will not route to 192.168.10.0/24. Are you using VirtualBox?
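An added example, not part of the asker's scripts or of the standalone-fw project: a small bash check of the address plan those scripts assume. The NAT network was created as 192.168.10.0/24 while INTERNAL_NETWORK is also 192.168.10.0/24 and EXTERNAL_SUBNET is 192.168.0.0, so the `blockin` rule that drops packets arriving on $EXTERNAL with a source inside INTERNAL_NETWORK also drops replies coming back from the NAT side. The function names are mine, and the /24 on EXTERNAL_SUBNET is taken from the netmask used in the route command.

```shell
#!/bin/bash
# Added address-plan check (example code, not from the question's scripts).
# Computes whether the CIDRs a rule set relies on overlap, so a collision is
# caught before a DROP policy makes it invisible. Inputs must carry a /prefix.

# Dotted quad -> 32-bit integer, using only parameter expansion.
ip2int() {
  local a=${1%%.*} rest=${1#*.}
  local b=${rest%%.*}; rest=${rest#*.}
  local c=${rest%%.*} d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Netmask for a prefix length, as an integer (4294967295 = 0xFFFFFFFF).
prefix_mask() {
  echo $(( $1 == 0 ? 0 : (4294967295 << (32 - $1)) & 4294967295 ))
}

# True (exit 0) when two CIDRs share at least one address: they overlap iff
# both networks agree on the bits covered by the shorter prefix.
cidr_overlap() {
  local abits=${1#*/} bbits=${2#*/}
  local short=$(( abits < bbits ? abits : bbits ))
  local mask; mask=$(prefix_mask "$short")
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Report collisions between the NAT-side network, INTERNAL_NETWORK and the
# EXTERNAL_SUBNET the routing script expects. Returns the number of findings.
check_plan() {
  local nat_net=$1 internal_net=$2 external_net=$3 findings=0
  if cidr_overlap "$nat_net" "$internal_net"; then
    echo "OVERLAP: NAT network $nat_net and INTERNAL_NETWORK $internal_net:" \
         "the 'blockin -s $internal_net' rule will drop replies from the NAT side"
    findings=$((findings + 1))
  fi
  if ! cidr_overlap "$nat_net" "$external_net"; then
    echo "MISMATCH: EXTERNAL_SUBNET $external_net does not contain NAT network $nat_net:" \
         "the static route for $external_net never matches the real traffic"
    findings=$((findings + 1))
  fi
  return $findings
}

# Values taken from the question: NAT CIDR 192.168.10.0/24, INTERNAL_NETWORK
# 192.168.10.0/24, EXTERNAL_SUBNET 192.168.0.0 with a /24 netmask.
if check_plan 192.168.10.0/24 192.168.10.0/24 192.168.0.0/24; then echo "address plan OK"; fi
```

Run it before loading the rules; with the question's values it prints both findings and exits non-zero, while a plan whose NAT network is disjoint from INTERNAL_NETWORK and inside EXTERNAL_SUBNET prints "address plan OK".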