Here are the facts:
- The server (IP 192.168.1.140) runs openssh on port 22 and nginx on port 80
- The server sits behind a firewall/router (IP 192.168.1.1) that has identical iptables rules for openssh and nginx
- From the LAN:
  - ssh is reachable
  - nginx is reachable
- From the WAN:
  - ssh is reachable
  - nginx is not reachable (operation timed out: "Failed to connect to 0.0.0.80: No route to host")
- Using apache instead of nginx works without any problem
My guess is that the http packets are being dropped because my rules are restricted to RELATED and ESTABLISHED connections, but I tried creating a NEW connection state rule without success. I also suspect that apache and nginx handle incoming connections differently, e.g. apache creates a new connection when it spawns a new worker whereas nginx does not.
Output of iptables -nvL on the firewall:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 254 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
78 6555 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 80 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
102 23292 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0
102 23292 input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
569 202K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 804 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0
12 804 forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
55 6523 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
399 142K output_rule all -- * * 0.0.0.0/0 0.0.0.0/0
399 142K output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
Chain forward (1 references)
pkts bytes target prot opt in out source destination
12 804 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_forward all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
12 804 nat_reflection_fwd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source destination
Chain input (1 references)
pkts bytes target prot opt in out source destination
10 674 zone_lan all -- br-lan * 0.0.0.0/0 0.0.0.0/0
92 22618 zone_wan all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain input_lan (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan (1 references)
pkts bytes target prot opt in out source destination
Chain nat_reflection_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.1.0/24 192.168.1.140 tcp dpt:22
0 0 ACCEPT tcp -- * * 192.168.1.0/24 192.168.1.140 tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.1.0/24 192.168.1.140 tcp dpt:443
Chain output (1 references)
pkts bytes target prot opt in out source destination
399 142K zone_lan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
17 1164 zone_wan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (5 references)
pkts bytes target prot opt in out source destination
2 80 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
90 22538 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
2 80 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan (1 references)
pkts bytes target prot opt in out source destination
10 674 input_lan all -- * * 0.0.0.0/0 0.0.0.0/0
10 674 zone_lan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
382 141K ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0
10 674 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-lan 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- br-lan * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * br-lan 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- br-lan * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
12 804 zone_wan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 forwarding_lan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 zone_lan_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
92 22618 input_wan all -- * * 0.0.0.0/0 0.0.0.0/0
92 22618 zone_wan_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
28 1878 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_REJECT (2 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * eth1 0.0.0.0/0 0.0.0.0/0
92 22618 reject all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 MINIUPNPD all -- eth1 !eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:443
0 0 forwarding_wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Update: tcpdump confirms that the firewall/router is filtering the packets sent to port 80, so they never reach the server.
Output of tcpdump -i any -vv port 80 on the firewall/router:
0 packets captured
10 packets received by filter
0 packets dropped by kernel
Output of tcpdump -i any -vv port 80 on the server:
0 packets captured
0 packets received by filter
0 packets dropped by kernel
I think my rules are just slightly off, and I would like to avoid enabling the TRACE target because it is a hassle on openwrt (the firewall/router).
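One way to answer "which rule handles this packet" without enabling TRACE is to walk the ruleset statically. The following is an added example, not code from the question or the answers: a small parser for `iptables -nvL` output that traces a hypothetical packet through the chains and records the path together with each matched rule's packet counter. The ruleset is an excerpt of the question's own output with the column-header lines dropped; the WAN client address 203.0.113.5 is constructed.

```python
import ipaddress, re
# Constructed excerpt of the question's `iptables -nvL` output (header lines dropped).
RULESET = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
569 202K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 804 forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain forward (1 references)
12 804 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_forward all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_forward (1 references)
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:80
"""

def parse(text):
    """Map chain name -> list of rule dicts; column-header lines are skipped."""
    chains, cur = {}, None
    for f in (ln.split() for ln in text.splitlines() if ln.strip()):
        if f[0] == "Chain":
            cur = chains.setdefault(f[1], [])
        elif f[0] != "pkts":
            cur.append(dict(pkts=int(f[0]), target=f[2], proto=f[3], inif=f[5], outif=f[6],
                            src=ipaddress.ip_network(f[7]), dst=ipaddress.ip_network(f[8]),
                            extra=" ".join(f[9:])))
    return chains

def matches(r, p):
    """Rule match on in/out iface (with '!' negation), proto, src/dst, tcp dpt, state."""
    ok = lambda pat, got: pat == "*" or (pat[1:] != got if pat[0] == "!" else pat == got)
    dpt = re.search(r"dpt:(\d+)", r["extra"])
    st = re.search(r"state (\S+)", r["extra"])
    return (ok(r["inif"], p["iif"]) and ok(r["outif"], p["oif"])
            and r["proto"] in ("all", p["proto"]) and p["src"] in r["src"]
            and p["dst"] in r["dst"] and (not dpt or int(dpt[1]) == p["dport"])
            and (not st or p["state"] in st[1].split(",")))

def trace(chains, chain, p, path):
    """Walk `chain` for p; return ACCEPT/DROP/REJECT or None (fell off: policy applies)."""
    for r in chains.get(chain, []):  # a chain missing from the excerpt counts as empty
        if matches(r, p):
            path.append(f"{chain}:{r['target']}({r['pkts']})")  # matched rule + its counter
            if r["target"] in ("ACCEPT", "DROP", "REJECT", "RETURN"):
                return None if r["target"] == "RETURN" else r["target"]
            if (v := trace(chains, r["target"], p, path)):
                return v
    return None

# The question's packet: a new TCP connection from a (constructed) WAN client to port 80.
WAN_HTTP = dict(iif="eth1", oif="br-lan", proto="tcp", dport=80, state="NEW",
                src=ipaddress.ip_address("203.0.113.5"), dst=ipaddress.ip_address("192.168.1.140"))
```

The trace for WAN_HTTP ends at the port-80 ACCEPT rule in zone_wan_forward, whose counter reads 0 packets: the rules would pass such a packet, but none has ever entered the chain, which agrees with the empty port-80 capture on the router.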
Answer 1
The message
Operation timed out: "Failed to connect to 0.0.0.80: No route to host"
is generated by NginX or other software when it tries to connect to this IP (0.0.0.80) and has nothing to do with port 80 filtering.
You could try to debug the filtering as follows:
telnet 192.168.1.140 80 from the WAN side and/or listen for packets from/to port 80 on both the internal and external interfaces to see whether the same packets show up on both sides.
Compare the output of these two:
tcpdump -ni ${wan_interface} port 80 and host 192.168.1.140
tcpdump -ni ${lan_interface} port 80 and host 192.168.1.140
Answer 2
My ISP started blocking port 80. There was nothing wrong with the rules themselves, nor with apache or nginx.