iptables handles ssh and http requests differently

The facts:

  • The server (IP 192.168.1.140) runs openssh on port 22 and nginx on port 80
  • The server sits behind a firewall/router (IP 192.168.1.1) that has the same iptables rules for openssh and nginx
  • From the LAN:
    • ssh is reachable
    • nginx is reachable
  • From the WAN:
    • ssh is reachable
    • nginx is not reachable (operation timed out: "Failed to connect to 0.0.0.80: No route to host")
    • apache in place of nginx works without problems

My guess is that the http packets are dropped because my rules are limited to RELATED and ESTABLISHED connections, but I tried creating a NEW connection-state rule without success. I also suspect that apache and nginx handle incoming connections differently, e.g. apache creates a new connection when it spawns a new worker, whereas nginx does not.

Output of iptables -nvL on the firewall:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   254 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   78  6555 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2    80 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
  102 23292 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  102 23292 input      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  569  202K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   12   804 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   12   804 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
   55  6523 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  399  142K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  399  142K output     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   804 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   804 nat_reflection_fwd  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   674 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
   92 22618 zone_wan   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nat_reflection_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.140       tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.140       tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.140       tcp dpt:443

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  399  142K zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   17  1164 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
    2    80 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
   90 22538 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    80 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   674 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   10   674 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  382  141K ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
   10   674 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   804 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
   92 22618 input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   92 22618 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   28  1878 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   92 22618 reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MINIUPNPD  all  --  eth1   !eth1   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.140       tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.140       tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.140       tcp dpt:443
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Update: tcpdump confirms that the firewall/router is filtering the packets sent to port 80, so that they never reach the server.

Output of tcpdump -i any -vv port 80 on the firewall/router:

0 packets captured
10 packets received by filter
0 packets dropped by kernel

Output of tcpdump -i any -vv port 80 on the server:

0 packets captured
0 packets received by filter
0 packets dropped by kernel

I feel my rules are just slightly off, and I want to avoid enabling the TRACE target because it is painful on openwrt (the firewall/router).

Answer 1
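A counter walk is the usual alternative to TRACE: parse the `iptables -nvL` listing, follow the chains a given packet would traverse, and look at the hit counters of the rules on that path. The script below is an added example, not code from the question or from OpenWrt; it parses the listing format shown above and follows FORWARD for a NEW TCP SYN arriving on the WAN interface. `SAMPLE` is a constructed, cut-down ruleset modelled on the listing in the question (only FORWARD, forward and zone_wan_forward), and `WAN_HTTP` is a constructed packet; the helper names are mine.

```python
"""Walk an `iptables -nvL` listing for a hypothetical packet instead of using TRACE.

Added example, not part of the original question: parses the listing format shown
above and follows FORWARD for a NEW TCP SYN arriving on the WAN interface, returning
the verdict the rules would give plus the hit counter of every matched rule.
SAMPLE is a constructed, cut-down ruleset modelled on the question's listing.
"""
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "pkts target prot in_if out_if src dst extra")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) .*|\d+ references)\)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_count(s):
    """iptables abbreviates big counters as 202K / 3M / 1G (decimal units)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(float(s[:-1]) * mult[s[-1]]) if s[-1] in mult else int(s)

def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [Rule]}}; None marks a user chain."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line.rstrip())
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif line.strip() and not line.lstrip().startswith("pkts") and cur:
            # columns: pkts bytes target prot opt in out source destination [match text]
            f = line.split(None, 9)
            cur["rules"].append(Rule(parse_count(f[0]), f[2], f[3], f[5], f[6],
                                     f[7], f[8], f[9] if len(f) > 9 else ""))
    return chains

def iface_match(spec, actual):  # "*" is any interface; a leading "!" negates
    return spec == "*" or (actual == spec.lstrip("!")) != spec.startswith("!")

def net_match(spec, addr):
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def rule_matches(r, pkt):
    """Columns plus the state/dpt/flags match text; other extensions (limit, reject-with) are assumed to match."""
    m_state = re.search(r"state (\S+)", r.extra)
    m_dpt = re.search(r"tcp dpt:(\d+)", r.extra)
    return (r.prot in ("all", pkt["prot"])
            and iface_match(r.in_if, pkt["in"]) and iface_match(r.out_if, pkt["out"])
            and net_match(r.src, pkt["src"]) and net_match(r.dst, pkt["dst"])
            and (not m_state or pkt["state"] in m_state.group(1).split(","))
            and (not m_dpt or pkt["dport"] == int(m_dpt.group(1)))
            and ("flags:0x17/0x02" not in r.extra or pkt["syn"]))  # SYN-only match

def walk(chains, name, pkt, trail):
    """Follow chain `name`; append (chain, target, pkts) for every rule that matches."""
    for r in chains[name]["rules"]:
        if not rule_matches(r, pkt):
            continue
        trail.append((name, r.target, r.pkts))
        if r.target in TERMINAL:
            return r.target
        if r.target == "RETURN":
            return None
        if r.target in chains:  # user chain: recurse, fall through if it returns
            verdict = walk(chains, r.target, pkt, trail)
            if verdict:
                return verdict
    return chains[name]["policy"]  # built-in policy, or None to return to the caller

def diagnose(listing, pkt, chain="FORWARD"):
    trail = []
    return walk(parse_listing(listing), chain, pkt, trail), trail

def explain(verdict, trail):
    if verdict == "ACCEPT" and trail and trail[-1][2] == 0:
        return "rules would ACCEPT, but the accepting rule has 0 hits: traffic never reaches this box"
    return "verdict %s after %d matched rules" % (verdict, len(trail))

SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  569  202K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   12   804 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   804 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.140       tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.140       tcp dpt:80
   92 22538 REJECT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
"""

# Constructed packet: a fresh HTTP SYN from a WAN address towards the LAN server.
WAN_HTTP = {"prot": "tcp", "in": "eth1", "out": "br-lan", "src": "203.0.113.5",
            "dst": "192.168.1.140", "dport": 80, "state": "NEW", "syn": True}

if __name__ == "__main__":
    print(explain(*diagnose(SAMPLE, WAN_HTTP)))
```

For the constructed packet the walk ends at the `tcp dpt:80 ACCEPT` rule with a counter of 0, which is the same picture the question's own listing shows: the ruleset would forward the connection, but nothing has ever matched the rule, so the SYNs are not arriving at the router at all. A port with no accept rule, or an ESTABLISHED packet, takes the other paths through the same chains.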

The message

operation timed out: "Failed to connect to 0.0.0.80: No route to host"

is generated by NginX or other software when it tries to connect to this IP (0.0.0.80), and has nothing to do with port 80 filtering.

You can try to debug the filtering as follows:

From the WAN side, telnet 192.168.1.140 80 and/or listen for packets from/to port 80 on both the internal and the external interface, to see whether the same packets show up on both sides.

Compare the output of the two:

tcpdump -ni ${wan_interface} port 80 and host 192.168.1.140

tcpdump -ni ${lan_interface} port 80 and host 192.168.1.140
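Once both captures exist, the comparison the answer describes can be automated: collect the SYNs seen on each side and see which ones never crossed the router. The script below is an added example, not part of the answer; it parses the text printed by `tcpdump -n` and assumes, like the answer's filter, that the destination appears as 192.168.1.140 on both interfaces. The capture lines are constructed samples and the function names are mine.

```python
"""Compare tcpdump output from the WAN and LAN sides of a router.

Added example, not from the original answer: reads the text that
`tcpdump -ni <iface> port 80 and host 192.168.1.140` printed on each
interface and reports TCP SYNs that reached the WAN side but never
showed up on the LAN side, which is where a firewall drop appears.
The capture lines below are constructed samples.
"""
import re

# One tcpdump -n line, e.g.
# 10:00:01.000100 IP 203.0.113.5.51234 > 192.168.1.140.80: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def syn_flows(capture_text):
    """Set of (src, sport, dst, dport) for pure SYN packets, i.e. new connection attempts."""
    flows = set()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("flags") == "S":
            flows.add((m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))))
    return flows


def compare(wan_text, lan_text, dport):
    """Classify where connection attempts to `dport` are lost; returns (finding, missing flows)."""
    wan = {f for f in syn_flows(wan_text) if f[3] == dport}
    lan = {f for f in syn_flows(lan_text) if f[3] == dport}
    if not wan:
        return "no SYN to port %d reached the WAN interface: blocked upstream of the router" % dport, set()
    missing = wan - lan
    if missing:
        return "SYNs seen on WAN but not on LAN: the router is dropping them", missing
    return "SYNs forwarded to the LAN: look at the server", set()


# Constructed captures: both sides saw an ssh handshake, neither saw anything on port 80.
WAN_CAPTURE = """\
10:00:01.000100 IP 203.0.113.5.51234 > 192.168.1.140.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000900 IP 192.168.1.140.22 > 203.0.113.5.51234: Flags [S.], seq 7, ack 2, win 65160, length 0
"""
LAN_CAPTURE = """\
10:00:01.000300 IP 203.0.113.5.51234 > 192.168.1.140.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000700 IP 192.168.1.140.22 > 203.0.113.5.51234: Flags [S.], seq 7, ack 2, win 65160, length 0
"""
# Constructed: a SYN to port 80 that arrived on the WAN side but was never forwarded.
WAN_CAPTURE_DROPPED = WAN_CAPTURE + \
    "10:00:02.000000 IP 203.0.113.5.51300 > 192.168.1.140.80: Flags [S], seq 9, win 64240, length 0\n"

if __name__ == "__main__":
    print(compare(WAN_CAPTURE, LAN_CAPTURE, 80)[0])
    print(compare(WAN_CAPTURE_DROPPED, LAN_CAPTURE, 80))
```

The three outcomes map onto the three places the connection can die: nothing on the WAN side means the block is upstream (the situation in Answer 2), SYNs on WAN but not on LAN means the router's rules, and SYNs on both sides means the server itself.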

Answer 2

My ISP started blocking port 80. The rules themselves were fine, and so were apache and nginx.