My iptables rules block the DHCP server from reaching the virtual machines. How can I allow DHCP through?
Here are my iptables rules:
# Generated by iptables-save v1.4.19.1 on Wed Sep 11 03:02:42 2013
*nat
:PREROUTING ACCEPT [70:4483]
:INPUT ACCEPT [6:400]
:OUTPUT ACCEPT [23:2070]
:POSTROUTING ACCEPT [27:3033]
-A PREROUTING -i tun0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.1.2
-A PREROUTING -i tun0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.1.2
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.2
-A PREROUTING -i tun0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.1.2
-A PREROUTING -i tun0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.1.2
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Sep 11 03:02:42 2013
# Generated by iptables-save v1.4.19.1 on Wed Sep 11 03:02:42 2013
*mangle
:PREROUTING ACCEPT [19983:3461520]
:INPUT ACCEPT [18606:2786464]
:FORWARD ACCEPT [1395:678611]
:OUTPUT ACCEPT [18932:10655717]
:POSTROUTING ACCEPT [20327:11334328]
-A OUTPUT -o tun0 -j TTL --ttl-set 128
COMMIT
# Completed on Wed Sep 11 03:02:42 2013
# Generated by iptables-save v1.4.19.1 on Wed Sep 11 03:02:42 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SSH_WhiteList - [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -i eth0-gigabit -j ACCEPT
-A INPUT -d 10.0.1.255/32 -i eth0-gigabit -j ACCEPT
-A INPUT -s 10.0.1.0/24 -i eth1-gigabit -j ACCEPT
-A INPUT -d 10.0.1.255/32 -i eth1-gigabit -j ACCEPT
-A INPUT -s 10.0.1.0/24 -i eth2-gigabit -j ACCEPT
-A INPUT -d 10.0.1.255/32 -i eth2-gigabit -j ACCEPT
-A INPUT -s 10.0.1.0/24 -i eth3 -j ACCEPT
-A INPUT -d 10.0.1.255/32 -i eth3 -j ACCEPT
-A INPUT -s 10.0.3.0/24 -i virbr0 -j ACCEPT
-A INPUT -d 10.0.3.255/32 -i virbr0 -j ACCEPT
-A INPUT -i eth0-gigabit -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth1-gigabit -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth2-gigabit -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth3 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0-gigabit -p udp -m udp --sport 1294 -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -j tcp_inbound
-A INPUT -i tun0 -p udp -j udp_inbound
-A INPUT -i tun0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_WhiteList
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "Brute Force SSH Attacks " --log-level 6
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j bad_packets
-A FORWARD -i eth0-gigabit -p tcp -j tcp_outbound
-A FORWARD -i eth1-gigabit -p tcp -j tcp_outbound
-A FORWARD -i eth2-gigabit -p tcp -j tcp_outbound
-A FORWARD -i eth3 -p tcp -j tcp_outbound
-A FORWARD -i virbr0 -p tcp -j tcp_outbound
-A FORWARD -i eth0-gigabit -p udp -j udp_outbound
-A FORWARD -i eth1-gigabit -p udp -j udp_outbound
-A FORWARD -i eth2-gigabit -p udp -j udp_outbound
-A FORWARD -i eth3 -p udp -j udp_outbound
-A FORWARD -i virbr0 -p udp -j udp_outbound
-A FORWARD -i eth0-gigabit -j ACCEPT
-A FORWARD -i eth1-gigabit -j ACCEPT
-A FORWARD -i eth2-gigabit -j ACCEPT
-A FORWARD -i eth3 -j ACCEPT
-A FORWARD -i virbr0 -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.0.1.2/32 -j ACCEPT
-A OUTPUT -o eth0-gigabit -j ACCEPT
-A OUTPUT -s 10.0.1.3/32 -j ACCEPT
-A OUTPUT -o eth1-gigabit -j ACCEPT
-A OUTPUT -s 10.0.1.4/32 -j ACCEPT
-A OUTPUT -o eth2-gigabit -j ACCEPT
-A OUTPUT -s 10.0.1.5/32 -j ACCEPT
-A OUTPUT -o eth3 -j ACCEPT
-A OUTPUT -s 10.0.3.1/32 -j ACCEPT
-A OUTPUT -o virbr0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
-A SSH_WhiteList -s 46.102.247.54/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.247.41/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.246.179/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.245.38/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.244.211/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.244.145/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.244.107/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.242.120/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.241.186/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.240.145/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 46.102.243.82/32 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 10.0.1.0/24 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A SSH_WhiteList -s 10.0.0.0/24 -m recent --remove --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A bad_packets -s 10.0.1.0/24 -i tun0 -j LOG --log-prefix "fp=bad_packets:2 a=DROP "
-A bad_packets -s 10.0.1.0/24 -i tun0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0-gigabit -p tcp -j RETURN
-A bad_tcp_packets -i eth1-gigabit -p tcp -j RETURN
-A bad_tcp_packets -i eth2-gigabit -p tcp -j RETURN
-A bad_tcp_packets -i eth3 -p tcp -j RETURN
-A bad_tcp_packets -i virbr0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 53 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -m tcp --dport 194 -j REJECT --reject-with icmp-port-unreachable
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 53 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 1294 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Wed Sep 11 03:02:42 2013
Update: the DHCP packets come in on eth2-gigabit and are destined for virbr0. The virtual machine interface is virbr0, and /proc/sys/net/ipv4/ip_forward contains 1.
Any help would be greatly appreciated.
Answer 1
Your ruleset makes it hard to see which interfaces are allowed to do what and which ones are relevant. Try cutting it down to a minimal state that works, then add rules back until you find what is blocking it. If that is not possible, shut down the other interfaces (not strictly necessary, but it reduces the noise), zero the iptables counters, and then attempt a DHCP exchange from the appropriate interface. Afterwards check the counters and see which rules were matched.
# zero all counters
iptables -Z
# view counters
iptables -nvL
If you need more help, you should post some information about the network topology, for example where the DHCP packets come from and where they go, which interface the virtual machines are on, which interface they are bridged to (if any), and the contents of /proc/sys/net/ipv4/ip_forward.
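One way to carry out the counter check from this answer, as an added example that is not part of the original post: after `iptables -Z` and one DHCP attempt, pipe `iptables -nvL` into this function and it prints only the rules that matched plus any built-in chain whose policy dropped packets. The listing embedded below is a constructed sample in the `iptables -nvL` layout, using chain names from the question; the counts are illustrative, not the asker's real figures.

```shell
#!/bin/sh
# hit_rules: read `iptables -nvL` output on stdin and report what matched.
# Columns with -v are: pkts bytes target prot opt in out source destination [extra].
# Use `iptables -nvxL` for exact counts; "12K" style values still count as non-zero here.
hit_rules() {
    awk '
        /^Chain / {
            chain = $2
            # built-in chains: "Chain FORWARD (policy DROP 2 packets, 656 bytes)"
            if ($3 == "(policy" && $5 + 0 > 0)
                printf "%s: policy %s dropped %d packets\n", chain, $4, $5
            next
        }
        /^ *pkts/ { next }   # column header line
        NF == 0   { next }   # blank separator between chains
        $1 + 0 > 0 {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s: %s pkts -> %s %s in=%s out=%s src=%s dst=%s%s\n",
                   chain, $1, $3, $4, $6, $7, $8, $9, extra
        }
    '
}

# Constructed sample listing (not real output from the asker's host).
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4  1312 bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67

Chain FORWARD (policy DROP 2 packets, 656 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4  1312 bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   656 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "fp=FORWARD:99 a=DROP "

Chain bad_packets (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  tun0   *       10.0.1.0/24          0.0.0.0/0
'

# Stand-alone run over the sample; on a live host use: iptables -nvL | hit_rules
printf '%s\n' "$SAMPLE" | hit_rules
```

A rule with zero hits that you expected to match (here the virbr0 spt:68 dpt:67 rule) is as informative as a DROP or LOG rule that did match: it tells you the packets never reached that point in the chain.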
Answer 2
"The DHCP packets come in on eth2-gigabit and are destined for virbr0 ... /proc/sys/net/ipv4/ip_forward contains 1"
Sorry, but is your DHCP server on a different subnet/broadcast domain? That is your problem. If you need DHCP to cross a router, you need a DHCP relay agent.