Moved from stackoverflow...
My new Internet firewall is based on Linux iptables and works well for the most part, but port forwarding does not work:
$ ssh -p 7022 [ppp0-ip-address]
ssh: connect to host [ppp0-ip-address] port 7022: Connection refused
When I do this, nothing is added to the debug syslog.
An nmap of [ppp0-ip-address] shows only port 22 open, not port 7022.
I know I'm missing something simple...
The rules are below. Any help would be appreciated.
Thanks,
Phil
nat table:
$ iptables -n -v -L -t nat
Chain PREROUTING (policy ACCEPT 86 packets, 12277 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7022 to:192.168.1.24:22
Chain INPUT (policy ACCEPT 56 packets, 9997 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 100 packets, 7316 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 38 packets, 2760 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ppp0 192.168.1.0/24 0.0.0.0/0
and the filter table:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
798 314K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 1312 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
7975 1455K ACCEPT all -- eth0 * 192.168.1.0/24 0.0.0.0/0
0 0 accept-established all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT-external all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG-and-drop-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38 2821 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 TRACE-ssh-fwd tcp -- ppp0 eth0 0.0.0.0/0 192.168.1.24 tcp dpt:22 state NEW
9 468 LOG-and-drop-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
798 314K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
2046 492K OUTPUT-internal all -- * eth0 0.0.0.0/0 192.168.1.0/24
92 6836 accept-established all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 OUTPUT-external all -- * ppp0 0.0.0.0/0 0.0.0.0/0
92 6836 LOG-and-drop-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT-external (1 references)
pkts bytes target prot opt in out source destination
0 0 remote-tcp-client tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535
0 0 INPUT-icmp-external icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT-icmp-external (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG-and-drop-icmp-inex all -f * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
Chain INPUT-internal (0 references)
pkts bytes target prot opt in out source destination
Chain LOG-and-drop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG-and-drop-forward (1 references)
pkts bytes target prot opt in out source destination
9 468 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<FORWARD> "
9 468 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG-and-drop-icmp-inex (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<ICMP-INEX> "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG-and-drop-icmp-outex (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<ICMP-OUTEX> "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG-and-drop-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<INPUT> "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG-and-drop-invalid (1 references)
pkts bytes target prot opt in out source destination
5 400 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<INVALID> "
5 400 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG-and-drop-out-int (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<OUT-INT> "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG-and-drop-output (1 references)
pkts bytes target prot opt in out source destination
92 6836 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<OUTPUT> "
92 6836 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT-external (1 references)
pkts bytes target prot opt in out source destination
0 0 local-tcp-client tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
0 0 OUTPUT-icmp-external icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT-icmp-external (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG-and-drop-icmp-outex all -f * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
Chain OUTPUT-internal (1 references)
pkts bytes target prot opt in out source destination
2046 492K accept-established all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG-and-drop-out-int all -- * * 0.0.0.0/0 0.0.0.0/0
Chain TRACE-ssh-fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7 prefix "<SSH-FWD> "
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain accept-established (3 references)
pkts bytes target prot opt in out source destination
2041 491K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 400 LOG-and-drop-invalid all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain local-tcp-client (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,80 tcpflags: 0x17/0x02 state NEW
Chain remote-tcp-client (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 22
Answer 1
I have successfully diagnosed my own problem.
IPtables is fine. The problem is that, as I understand it, I cannot (as configured) test port forwarding to port 7022 on the external IP from the internal network.
The issue is well explained in the canonical answer on "hairpin NAT", which explains how to route an internal client back to an internal server through the firewall's FORWARD chain (and get the response back by the same route):
Loopback to forwarded public IP address from local network - Hairpin NAT
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html
Thanks to everyone who replied.
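The posted counters are consistent with this diagnosis: the DNAT rule and TRACE-ssh-fwd both show 0 packets, because a connection from the LAN to the public address arrives on eth0, not ppp0, is routed to the firewall's own INPUT chain (accepted by the 192.168.1.0/24 rule) and is refused there since nothing listens on 7022. The rules below are an added example of the hairpin NAT described in the answer; they are not from the original post. They reuse the interface names, subnet and internal host from the posted rules, and assume the ppp0 address is dynamic, so the LAN-side DNAT matches any address local to the firewall (-m addrtype --dst-type LOCAL) rather than a hard-coded IP, and uses MASQUERADE rather than a fixed SNAT address.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for forwarding public port 7022 to 192.168.1.24:22.
# Added example, not the original poster's rules. Interface names, LAN subnet and
# internal host are taken from the posted rule set; everything else is assumed.
#
# Dry run by default (the iptables commands are printed, not executed).
# Apply for real with:  IPT=iptables sh hairpin.sh
IPT="${IPT:-echo iptables}"

WAN_IF=ppp0
LAN_IF=eth0
LAN_NET=192.168.1.0/24
INT_HOST=192.168.1.24
EXT_PORT=7022
INT_PORT=22

hairpin_nat_rules() {
    # 1. External clients: the same DNAT as in the posted PREROUTING chain.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$INT_HOST:$INT_PORT"

    # 2. Internal clients connecting to the *public* address: rewrite the
    #    destination exactly as for external clients. Without this rule the
    #    packet is delivered to the firewall's own INPUT chain, where port
    #    7022 is closed, which yields the "Connection refused" from the question.
    #    --dst-type LOCAL matches every address owned by the firewall, so the
    #    rule survives a change of the dynamic ppp0 address.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -m addrtype --dst-type LOCAL -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$INT_HOST:$INT_PORT"

    # 3. Hide the internal client behind the firewall's eth0 address for that
    #    flow. Otherwise 192.168.1.24 would answer the client directly on the
    #    LAN, the client would see a SYN-ACK from 192.168.1.24 instead of the
    #    public IP it connected to, and the handshake would fail. The
    #    destination is already rewritten when POSTROUTING runs, hence
    #    -d $INT_HOST --dport $INT_PORT here.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$INT_HOST" \
        -p tcp --dport "$INT_PORT" -j MASQUERADE

    # 4. The hairpinned flow enters and leaves on eth0. The posted FORWARD
    #    chain already accepts NEW from eth0; this rule states the permission
    #    explicitly so the forward does not depend on that broad rule.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$INT_HOST" \
        -p tcp --dport "$INT_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

hairpin_nat_rules
```

Two caveats. Rule 2 also catches connections to port 7022 on the firewall's own LAN address, which is usually what is wanted. Connections originated on the firewall itself (ssh run on the firewall to its own public address) never traverse PREROUTING and are not covered; those need a matching DNAT in the nat OUTPUT chain. Because of the MASQUERADE in rule 3, sshd on 192.168.1.24 will log hairpinned logins as coming from the firewall's eth0 address rather than from the real LAN client.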
Answer 2
You need to allow destination port 22 on the INPUT chain; it is only on the FORWARD chain.