SSH port forwarding with iptables

Moved from stackoverflow...

My new Internet firewall is based on Linux iptables. It works fine for the most part, but port forwarding does not work:

$ ssh -p 7022 [ppp0-ip-address]
ssh: connect to host [ppp0-ip-address] port 7022: Connection refused

Nothing is added to the debug syslog when I do this.

An nmap of [ppp0-ip-address] shows only port 22 open, not port 7022.

I know I'm missing something simple......

The rules are below. Any help would be much appreciated.

Thanks,

Phil

The nat table:

$ iptables -n -v -L -t nat
Chain PREROUTING (policy ACCEPT 86 packets, 12277 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7022 to:192.168.1.24:22

Chain INPUT (policy ACCEPT 56 packets, 9997 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 100 packets, 7316 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 38 packets, 2760 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0           

And the filter table:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  798  314K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    4  1312 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
 7975 1455K ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0           
    0     0 accept-established  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 INPUT-external  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG-and-drop-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   38  2821 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 TRACE-ssh-fwd  tcp  --  ppp0   eth0    0.0.0.0/0            192.168.1.24         tcp dpt:22 state NEW
    9   468 LOG-and-drop-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  798  314K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 2046  492K OUTPUT-internal  all  --  *      eth0    0.0.0.0/0            192.168.1.0/24      
   92  6836 accept-established  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 OUTPUT-external  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
   92  6836 LOG-and-drop-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 remote-tcp-client  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535
    0     0 INPUT-icmp-external  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT-icmp-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG-and-drop-icmp-inex  all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4

Chain INPUT-internal (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOG-and-drop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   468 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<FORWARD> "
    9   468 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-icmp-inex (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<ICMP-INEX> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-icmp-outex (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<ICMP-OUTEX> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<INPUT> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-invalid (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   400 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<INVALID> "
    5   400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-out-int (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<OUT-INT> "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG-and-drop-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   92  6836 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<OUTPUT> "
   92  6836 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 local-tcp-client  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 state NEW
    0     0 OUTPUT-icmp-external  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT-icmp-external (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG-and-drop-icmp-outex  all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12

Chain OUTPUT-internal (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2046  492K accept-established  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG-and-drop-out-int  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain TRACE-ssh-fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 7 prefix "<SSH-FWD> "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain accept-established (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 2041  491K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5   400 LOG-and-drop-invalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain local-tcp-client (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80 tcpflags: 0x17/0x02 state NEW

Chain remote-tcp-client (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW multiport dports 22

Answer 1

I have diagnosed my own problem.

iptables is fine. The problem is that, as I understand it, I cannot (as configured) test port forwarding to port 7022 on the external IP from the internal network.

The problem is well explained in the canonical answer on "hairpin NAT", which explains how to route internal clients back to internal servers through the firewall's FORWARD chain (and get the responses back by the same route):

Loopback to forwarded public IP address from local network - Hairpin NAT

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html

Thanks to everyone who replied.
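As an added example (not part of the original question or either answer), the following Python script parses an `iptables -n -v -L -t nat` listing like the one posted above and reports, for each DNAT rule that only matches packets arriving on the WAN interface, which hairpin-NAT piece is missing: a DNAT that LAN-sourced packets can actually hit, and a source NAT on the LAN side so that the server's replies return through the firewall instead of going straight back to the client. The first listing is a constructed copy of the question's nat table; the "fixed" listing, the LAN interface `eth0` and the public address `203.0.113.10` are assumptions made for illustration, not values from the page.

```python
import re

# Constructed copy of the nat table from the question: the DNAT only matches
# packets whose input interface is ppp0, so a test from the LAN never hits it.
NAT_BEFORE = """\
Chain PREROUTING (policy ACCEPT 86 packets, 12277 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7022 to:192.168.1.24:22

Chain INPUT (policy ACCEPT 56 packets, 9997 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 100 packets, 7316 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 38 packets, 2760 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
"""

# Assumed "after" listing with the two hairpin rules added (eth0 = LAN,
# 203.0.113.10 = placeholder public address). Constructed, not from the page.
NAT_AFTER = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7022 to:192.168.1.24:22
    0     0 DNAT       tcp  --  eth0   *       192.168.1.0/24       203.0.113.10         tcp dpt:7022 to:192.168.1.24:22

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      eth0    192.168.1.0/24       192.168.1.24         tcp dpt:22
"""


def parse_nat(listing):
    """Parse `iptables -n -v -L -t nat` output into {chain: [rule, ...]}.

    Columns with -v -n are: pkts bytes target prot opt in out source destination [extras].
    """
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or column header
        chains[current].append({
            "target": cols[2], "prot": cols[3], "in": cols[5], "out": cols[6],
            "src": cols[7], "dst": cols[8], "extra": " ".join(cols[9:]),
        })
    return chains


def dnat_port(rule):
    """Return (dport, target_ip, target_port) for a DNAT rule, or None."""
    m = re.search(r"dpt:(\d+) to:([\d.]+):(\d+)", rule["extra"])
    return m.groups() if m else None


def hairpin_gaps(listing, wan_if, lan_if, lan_net):
    """For every DNAT bound to wan_if, report which hairpin-NAT rule is absent."""
    chains = parse_nat(listing)
    pre, post = chains.get("PREROUTING", []), chains.get("POSTROUTING", [])
    findings = []
    for r in pre:
        if r["target"] != "DNAT" or r["in"] != wan_if:
            continue
        parsed = dnat_port(r)
        if parsed is None:
            continue
        dport, tip, tport = parsed
        # 1. A DNAT that packets entering from the LAN can match (in = LAN or any).
        lan_dnat = any(x["target"] == "DNAT" and x["in"] in (lan_if, "*")
                       and dnat_port(x) == parsed for x in pre)
        # 2. Source NAT towards the LAN so the server answers via the firewall,
        #    not directly to a client that expects the reply from the public IP.
        lan_snat = any(x["target"] in ("SNAT", "MASQUERADE") and x["out"] == lan_if
                       and x["src"] == lan_net for x in post)
        if not lan_dnat:
            findings.append(f"port {dport}: no DNAT reachable from {lan_if}; "
                            f"internal clients hit the firewall's own INPUT chain")
        if not lan_snat:
            findings.append(f"port {dport}: no SNAT/MASQUERADE out {lan_if} for {lan_net}; "
                            f"{tip}:{tport} would reply straight to the client")
    return findings


if __name__ == "__main__":
    for name, listing in (("before", NAT_BEFORE), ("after", NAT_AFTER)):
        print(name, hairpin_gaps(listing, "ppp0", "eth0", "192.168.1.0/24") or ["ok"])
```

Run against the question's table the checker reports both gaps for port 7022, which is exactly why the test from the LAN was refused: the SYN to the public address arrives on eth0, never matches the ppp0-only DNAT, and is delivered to the firewall itself, where nothing listens on 7022. Against the assumed "after" listing it reports nothing. To check a live box, replace the constructed string with the output of `iptables -n -v -L -t nat`.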

Answer 2

You need to allow destination port 22 on the INPUT chain; it is only on the FORWARD chain.
