I originally asked how to set up a Linux box to do NAT for my home network and got some suggestions in the thread here. I didn't want to clutter the old question, so I'm starting a new one here.
Based on the earlier suggestions, I came up with the following rules...
*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [12:860]
:POSTROUTING ACCEPT [3:228]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [3:228]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
As you can see, I do have the correct MASQUERADE rule and the correct FORWARD filter rules. However, I am facing 2 issues:
- On the Linux box, DNS resolution does not work
- LAN clients connected to the Linux box still cannot reach the internet. When I ping something from them, I see the DROP count on the iptables INPUT rules increasing.
Now my question is: when I ping something from a LAN client, how does it match the INPUT chain?! Shouldn't it be in the FORWARD chain?
Chain INPUT (policy DROP 20 packets, 2314 bytes)
pkts bytes target prot opt in out source destination
99 9891 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- eth0 any anywhere anywhere
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
122 9092 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
Thanks, ankit
Update:
I have managed to fix the DNS issue. Now the only thing not working is forwarding.
These are my rules now:
Chain INPUT (policy DROP 1158 packets, 89867 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
59 5448 ACCEPT icmp -- any any anywhere anywhere
643 47995 ACCEPT udp -- eth0 any anywhere anywhere udp spt:domain dpts:1024:65535
54 7811 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
4168 273K ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
1806 156K ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:http
91 19451 ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:https
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:1024:65535 dpt:domain
10973 638K LOG_DROP all -- any any anywhere anywhere
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
80 6734 ACCEPT icmp -- any any anywhere anywhere
6327 2445K ACCEPT all -- any any anywhere anywhere
Chain LOG_DROP (1 references)
pkts bytes target prot opt in out source destination
10973 638K LOG all -- any any anywhere anywhere LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] :'
10973 638K DROP all -- any any anywhere anywhere
- As you can see, I created a LOG_DROP chain to log all dropped packets
- On one of my LAN clients I am pinging google and getting no reply
This is what I see in the messages log:
Feb 12 17:15:15 LINUX-GATEWAY kernel: [206384.605899] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15546 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11288
Feb 12 17:15:20 LINUX-GATEWAY kernel: [206389.606038] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15560 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11289
Feb 12 17:15:25 LINUX-GATEWAY kernel: [206394.607171] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15573 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11290
Feb 12 17:15:30 LINUX-GATEWAY kernel: [206399.606336] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11291
Feb 12 17:15:35 LINUX-GATEWAY kernel: [206404.620397] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15603 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11292
So the ping packets from the LAN client are being dropped in the FORWARD chain (the only chain with LOG_DROP).
I have no idea why... any ideas?
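The `[IPTABLES DROP]` lines above are kernel netfilter LOG output: each is a series of KEY=VALUE fields, and the IN/OUT pair already tells you which chain the packet went through (both set means FORWARD, only IN set means INPUT, only OUT set means OUTPUT). As an added example that is not part of the original post, the awk function below summarizes such lines by chain and flow, so that with thousands of dropped packets you can see at a glance which flow has no matching ACCEPT rule instead of reading the log by hand. The sample log lines are constructed to match the format shown in the post (the `[IPTABLES DROP INPUT] : ` prefix follows the chain names used later on this page).

```shell
#!/bin/sh
# Added example: summarize netfilter LOG lines by chain and flow.
# Reads syslog/dmesg text from stdin (or from files given as arguments).

summarize_drops() {
  awk '
    # Only lines carrying one of our LOG_DROP prefixes
    /\[IPTABLES DROP/ {
      in_if = ""; out_if = ""; src = "?"; dst = "?"; proto = "?"; extra = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue                 # tokens like DF or SYN have no value
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        sub(/^:/, "", k)                     # prefix ":" glued to IN= when the log prefix has no trailing space
        if (k == "IN")         { in_if = v }
        else if (k == "OUT")   { out_if = v }
        else if (k == "SRC")   { src = v }
        else if (k == "DST")   { dst = v }
        else if (k == "PROTO") { proto = v }
        else if (k == "DPT")   { extra = "dport=" v }   # TCP/UDP destination port
        else if (k == "TYPE")  { extra = "type=" v }    # ICMP type (8 = echo request)
      }
      # IN and OUT both set => FORWARD; only IN => INPUT; only OUT => OUTPUT
      if (in_if != "" && out_if != "") chain = "FORWARD"
      else if (in_if != "")            chain = "INPUT"
      else                             chain = "OUTPUT"
      key = chain " " in_if "->" out_if " " src "->" dst " " proto " " extra
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -rn
}

# Constructed sample input (same field layout as the kernel log lines in the post).
SAMPLE_LOG='Feb 12 17:15:15 LINUX-GATEWAY kernel: [206384.605899] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15546 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11288
Feb 12 17:15:20 LINUX-GATEWAY kernel: [206389.606038] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15560 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11289
Feb 12 17:16:02 LINUX-GATEWAY kernel: [206431.118204] [IPTABLES DROP INPUT] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4421 DF PROTO=TCP SPT=40312 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 12 17:16:03 LINUX-GATEWAY dhclient[913]: DHCPREQUEST on eth0 to 203.0.113.1 port 67'

# Usage: feed the log (e.g. journalctl -k or /var/log/messages) to the function.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the sample input this prints one line per flow, most frequent first: the two FORWARD drops of the LAN client's ICMP echo requests (eth1 to eth0) and one INPUT drop of a telnet probe from the WAN side. The same one-liner run over the real log tells you immediately whether the missing rule belongs in FORWARD or INPUT and for which protocol and port.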
Answer 1
Since you are having problems, I suggest you first simplify your configuration. Remove all extraneous rules until the basic configuration works. That is, start with:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
and make sure you have the necessary sysctl setting:
# sysctl -w net.ipv4.ip_forward=1
Now see if things work. If they do, slowly start making changes. If they don't, let us know and we'll go from there.
Answer 2
Never mind. I figured it out. For anyone who might stumble upon this question, below is the iptables setup with LOG chains that I configured for troubleshooting.
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
169 36504 ACCEPT all -- lo any anywhere anywhere
218 18804 ACCEPT icmp -- any any anywhere anywhere
4919 365K ACCEPT udp -- eth0 any anywhere anywhere udp spt:domain dpts:1024:65535
196 24001 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
10698 696K ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
53 3686 ACCEPT tcp -- any any anywhere anywhere tcp spt:telnet
77 7709 LOG_DROP_INPUT all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1258 75480 ACCEPT icmp -- eth1 eth0 anywhere anywhere
23927 31M ACCEPT all -- eth0 eth1 anywhere anywhere
195 12057 ACCEPT udp -- eth1 any anywhere anywhere udp dpt:domain
17512 1425K ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:http
211 40089 ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:telnet
18 1860 LOG_DROP_FORWARD all -- any any anywhere anywhere
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
457 61686 ACCEPT icmp -- any any anywhere anywhere
19715 4141K ACCEPT all -- any any anywhere anywhere
Chain LOG_DROP (0 references)
pkts bytes target prot opt in out source destination
43246 2583K LOG all -- any any anywhere anywhere LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] :'
43246 2583K DROP all -- any any anywhere anywhere
Chain LOG_DROP_FORWARD (1 references)
pkts bytes target prot opt in out source destination
18 1860 LOG all -- any any anywhere anywhere LOG level warning tcp-options ip-options prefix `[IPTABLES DROP FORWARD] : '
18 1860 DROP all -- any any anywhere anywhere
Chain LOG_DROP_INPUT (1 references)
pkts bytes target prot opt in out source destination
77 7709 LOG all -- any any anywhere anywhere LOG level warning tcp-options ip-options prefix `[IPTABLES DROP INPUT] : '
77 7709 DROP all -- any any anywhere anywhere
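The working ruleset above gets return traffic into the LAN with a blanket `ACCEPT all -- eth0 eth1`: any packet arriving on the WAN interface with a LAN destination is forwarded, whether or not a LAN host asked for it, and the INPUT chain likewise pokes a permanent hole for `udp spt:domain` so DNS replies can reach the gateway. Both are what connection tracking is for. As an added example that is not part of the original answer, the function below prints an equivalent ruleset in iptables-restore format that admits only ESTABLISHED/RELATED return traffic, drops INVALID state early, refuses spoofed source addresses on the LAN side, and rate-limits the LOG_DROP chains so a flood cannot fill the disk. The interface roles (eth0 WAN, eth1 LAN), the LAN prefix 192.168.4.0/24 (inferred from the 192.168.4.100 client in the question's log) and the LOG_DROP_INPUT/LOG_DROP_FORWARD chain names are assumptions; SSH is accepted only from the LAN here rather than from the internet as in the original rules.

```shell
#!/bin/sh
# Added example: stateful NAT gateway ruleset in iptables-restore format.
# Assumptions (not from the original answer): WAN=eth0, LAN=eth1, LAN prefix
# 192.168.4.0/24; the gateway is managed over SSH from the LAN only.

gateway_rules() {
  wan=${1:-eth0}
  lan=${2:-eth1}
  lan_net=${3:-192.168.4.0/24}
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only what really comes from the LAN prefix
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP_INPUT - [0:0]
:LOG_DROP_FORWARD - [0:0]
# --- INPUT: traffic addressed to the gateway itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections the gateway opened (DNS lookups, updates, ...) come back
# through conntrack, so no standing "udp spt:domain" hole is needed
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Management from the LAN side only
-A INPUT -i ${lan} -s ${lan_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG_DROP_INPUT
# --- FORWARD: traffic routed between LAN and WAN ---
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Return traffic for LAN-initiated connections only (replaces "ACCEPT all eth0->eth1")
-A FORWARD -i ${wan} -o ${lan} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: packets entering on the LAN interface must carry LAN source addresses
-A FORWARD -i ${lan} ! -s ${lan_net} -j LOG_DROP_FORWARD
# What LAN hosts may open towards the internet
-A FORWARD -i ${lan} -o ${wan} -p icmp -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -p udp --dport 53 -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -p tcp --dport 53 -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -j LOG_DROP_FORWARD
# --- logging chains, rate-limited so a flood cannot fill the disk ---
-A LOG_DROP_INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[IPTABLES DROP INPUT] : "
-A LOG_DROP_INPUT -j DROP
-A LOG_DROP_FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[IPTABLES DROP FORWARD] : "
-A LOG_DROP_FORWARD -j DROP
COMMIT
EOF
}

# Usage on the gateway (as root), after enabling forwarding:
#   sysctl -w net.ipv4.ip_forward=1
#   gateway_rules eth0 eth1 192.168.4.0/24 | iptables-restore
# Run without arguments the function prints the ruleset with the default names.
gateway_rules "$@"
```

Before loading it on a remote box, `gateway_rules eth0 eth1 192.168.4.0/24 | iptables-restore --test` (as root, where iptables is installed) parses the ruleset without committing it, and `iptables -L FORWARD -v -n` afterwards should show the ESTABLISHED,RELATED rule carrying the bulk of the eth0 to eth1 packet count that the blanket rule above carried. The ordering matters: the INVALID drop and the conntrack ACCEPT sit before any per-port rule, so the per-port rules only ever see the first packet of a new connection.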