netfilter DNAT rule does not work for local traffic


I have a web server hidden behind a firewall. A DNAT rule on the firewall makes it reachable for visitors from the internet. The rule works for traffic coming from the internet. Unfortunately, it does not work (or only partly works) for traffic coming from the same subnet as the actual destination. For some reason netfilter does not restore the original destination address, so the client/sender ignores the reply packets.

What am I doing wrong?

Network layout

192.168.101.0/24  # LOCAL Lan

192.168.101.16  # Client
192.168.101.18  # Server
192.168.101.254 # firewall
144.256.256.1   # firewall (Not the real IP)


          (Internet)
               |
       | 144.256.256.1   |
       |    Firewall     |
       | 192.168.101.254 |
               |
     ----------------------
     |                    |
192.168.101.16        192.168.101.18
   (Client)              (Server)

iptables rules

iptables -t nat -A PREROUTING -p tcp -d 144.256.256.1 --dport 81 -j DNAT --to-destination 192.168.0.2
# Should be irrelevant:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MASQUERADE

Scenario that does not work

(Client) 192.168.101.16 trying to reach (Server) 144.256.256.1/81

tcpdump on the firewall

192.168.101.16.57631 > 144.256.256.1.81: Flags [S], seq 1884612678 
192.168.101.16.57631 > 192.168.101.18.81: Flags [S], seq 1884612678 
192.168.101.16.57631 > 144.256.256.1.81: Flags [S], seq 1884612678 
192.168.101.16.57631 > 192.168.101.18.81: Flags [S], seq 1884612678
(Seems okay. tcpdump was on -i any. Incoming packet to original destination 144.xx, outgoing packet to new destination. But for some reason we're not seeing the responses)

tcpdump on the destination (server)

IP 192.168.101.16.57874 > 192.168.101.18.81: Flags [S], seq 4243879528,
IP 192.168.101.18.81 > 192.168.101.16.57874: Flags [S.], seq 595099059, ack 4243879529,
IP 192.168.101.16.57874 > 192.168.101.18.81: Flags [R], seq 4243879529, win 0, length 0
(Seems good)

tcpdump on the source (client)

IP 192.168.101.16.57874 > 144.256.256.1.81: Flags [S], seq 4243879528
IP 192.168.101.18.81 > 192.168.101.16.57874: Flags [S.], seq 595099059, ack 4243879529, (WTF packet. The source should be 144.x again. For some reason netfilter didn't restore the original destination address for the response packet.)
IP 192.168.101.16.57874 > 192.168.101.18.81: Flags [R], seq 4243879529

Answer 1

There is no response packet on the firewall because there is none: the server does not send its reply to the firewall, since the client is in the same subnet.

Request: client -> firewall -> server

Reply: server -> client

So the client drops the reply, because it does not expect one from the server but from the firewall.

Either try some crazy routing magic, or set the internal IP for your URL in the client's hosts file. Or get rid of NAT altogether...
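The answer's point (the reply takes the direct LAN path, so the client sees a source it never talked to) and the usual hairpin fix, rewriting LAN sources to the firewall's own address so the reply must come back through it, as an added model that is not from the question or the answer; the external client address 203.0.113.5 is constructed:

```python
# Model of the hairpin-NAT failure from the question: the firewall DNATs the
# client's SYN to the server, but the server's reply only comes back through
# the firewall if it is addressed to the firewall (or to somewhere off the LAN).
from dataclasses import dataclass

LAN = "192.168.101."
CLIENT, SERVER = "192.168.101.16", "192.168.101.18"
FW_LAN, FW_PUB = "192.168.101.254", "144.256.256.1"

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str

def on_lan(ip):
    return ip.startswith(LAN)

def firewall(pkt, conntrack, hairpin):
    """DNAT a new flow to the server (and, with hairpin=True, also SNAT LAN
    sources to the firewall's LAN address); reverse both for a known reply."""
    if (pkt.src, pkt.dst) in conntrack:            # reply: undo the translation
        orig_src, orig_dst = conntrack[(pkt.src, pkt.dst)]
        return Pkt(orig_dst, orig_src, pkt.flags)
    if pkt.dst == FW_PUB:                          # the PREROUTING DNAT rule
        new_src = FW_LAN if hairpin and on_lan(pkt.src) else pkt.src
        conntrack[(SERVER, new_src)] = (pkt.src, pkt.dst)   # reply tuple to expect
        return Pkt(new_src, SERVER, pkt.flags)
    return pkt

def connect(client, hairpin):
    """Return (source address the client sees on the SYN-ACK, accepted?)."""
    conntrack = {}
    syn = firewall(Pkt(client, FW_PUB, "S"), conntrack, hairpin)
    synack = Pkt(SERVER, syn.src, "S.")            # server answers the SYN's source
    # Only a reply addressed to the firewall, or routed off the LAN, reaches netfilter;
    # a reply to another LAN host is delivered directly, exactly as in the captures.
    if synack.dst == FW_LAN or not on_lan(synack.dst):
        synack = firewall(synack, conntrack, hairpin)
    return synack.src, synack.src == FW_PUB        # client expects 144.256.256.1

if __name__ == "__main__":
    print("LAN client, no hairpin SNAT:", connect(CLIENT, hairpin=False))   # the RST case
    print("LAN client, hairpin SNAT:   ", connect(CLIENT, hairpin=True))
    print("internet client (constructed 203.0.113.5):", connect("203.0.113.5", hairpin=False))
```

In iptables terms the hairpin branch is a POSTROUTING MASQUERADE (or SNAT to 192.168.101.254) rule matching LAN sources whose destination was rewritten to the server; the question's MASQUERADE rule never matches them because of its `! -d 192.168.0.0/16` condition.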
