Correct iptables configuration for Tinc


When I flush all iptables rules I can get tinc working, but once iptables is enabled, after a while I get "Destination Net Unknown". I have three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3); MASTER and WEB are at DigitalOcean in the same datacenter.

HOME <---> MASTER <---> WEB

I have tried several forward/masquerade/etc. rules but I don't understand what I am missing.

With iptables enabled (the rules are identical on MASTER and WEB) I get the following:

HOME $ ping 10.0.3.1 ==> success
HOME $ ping 10.0.3.3 ==> Destination Net Unknown

MASTER $ ping 10.0.3.2 ==> success
MASTER $ ping 10.0.3.3 ==> Destination Net Unknown

WEB $ ping 10.0.3.1 ==> Destination Net Unknown
WEB $ ping 10.0.3.2 ==> Destination Net Unknown

And it is not only ICMP: with "nc -vz xxxx 22" I get the same result.

I would be very grateful for your help.

iptables -L -n -v

Chain INPUT (policy DROP 8 packets, 1120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  lo     *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
    0     0 ACCEPT     udp  --  lo     *       0.0.0.0/0            0.0.0.0/0            udp dpt:3306
    0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
    0     0 ACCEPT     icmp --  *      *       x.x.x.x       0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       127.0.0.1            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       10.0.3.0/24          0.0.0.0/0            icmptype 8
    0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       x.x.x.x       0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
  192 13741 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 limit: avg 25/min burst 100
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:655 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            172.17.0.0/16        ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 *       172.17.0.0/16        0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NRPE       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5666
    0     0 ACCEPT     tcp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.3.0/24          0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5666
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
  140 44173 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:2222 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:443 state ESTABLISHED
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:655 state NEW,ESTABLISHED
    6  8976 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:655 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED

Chain NRPE (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            x.x.x.x
    0     0 ACCEPT     all  --  *      *       x.x.x.x              0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 6 packets, 1831 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 1348 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14 packets, 856 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
 pkts bytes target     prot opt in     out     source               destination

Answer 1

The problem was that I only had accepts in one direction, not in both:

Failing:

# Allow Tinc VPN connections
iptables -A INPUT -p tcp --sport 655 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 655 -j ACCEPT

iptables -A INPUT -p udp --sport 655 -j ACCEPT
iptables -A OUTPUT -p udp --dport 655 -j ACCEPT

Working:

# Allow Tinc VPN connections
iptables -A INPUT -p tcp --sport 655 -j ACCEPT
iptables -A INPUT -p tcp --dport 655 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 655 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 655 -j ACCEPT

iptables -A INPUT -p udp --sport 655 -j ACCEPT
iptables -A INPUT -p udp --dport 655 -j ACCEPT
iptables -A OUTPUT -p udp --sport 655 -j ACCEPT
iptables -A OUTPUT -p udp --dport 655 -j ACCEPT

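As an added example (not part of the question or of the answer above), the following POSIX shell script makes the "both directions" point concrete. A tinc node plays two roles at once: it listens on its own port (TCP meta connections and UDP data arrive with --dport 655) and it connects to its peers' port from an ephemeral source port (so replies come back with --sport 655). A rule that matches only one of --sport/--dport covers one role and drops the other. The script emits a stateful rule set that covers both roles with conntrack instead of duplicating sport/dport rules, and it includes a checker that reads a saved rule set (the output of `iptables -S`) and reports which chain/protocol/direction combination is missing. The names `tinc0` and `eth0` are assumptions (the question never shows the tun device name); port 655 is tinc's default, which the question's counters confirm is in use. The checker's two sample rule sets are constructed here from the failing and working snippets of the answer. Tinc relays traffic between nodes inside tincd, so no FORWARD rules are generated.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumptions (the question shows none of these names): tinc listens on TCP and
# UDP port 655 (its default), the tun/tap device is called tinc0, and the
# Internet-facing interface is eth0. INPUT/OUTPUT policies are DROP, as posted.
TINC_PORT="${TINC_PORT:-655}"
TINC_IF="${TINC_IF:-tinc0}"
WAN_IF="${WAN_IF:-eth0}"

# Emit (do not apply) the iptables commands for one tinc node.
# A node both listens on $TINC_PORT and connects to its peers' $TINC_PORT from
# an ephemeral port, so matching only --sport or only --dport covers one role
# and silently drops the other. conntrack admits the return traffic, including
# UDP replies to a peer whose source port a NAT has rewritten.
tinc_rules() {
    cat <<EOF
# tinc meta connections (TCP) and encrypted data (UDP), both roles
iptables -A INPUT -i $WAN_IF -p tcp --dport $TINC_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport $TINC_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport $TINC_PORT -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --dport $TINC_PORT -j ACCEPT
# return traffic of tracked connections (the --sport $TINC_PORT side)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# decrypted VPN traffic appears on the tun device: accept it by interface,
# not by source 10.0.3.0/24 on any interface, which a packet on eth0 could spoof
iptables -A INPUT -i $TINC_IF -j ACCEPT
iptables -A OUTPUT -o $TINC_IF -j ACCEPT
EOF
}

# Check a saved rule set (output of `iptables -S`, or the commands above) for
# what a tinc node needs in INPUT and OUTPUT, per protocol: an ACCEPT for
# --dport $TINC_PORT (connecting role) and either an ACCEPT for --sport
# $TINC_PORT or a plain conntrack/state ESTABLISHED accept (reply side).
# Prints each gap; returns 0 only when none is found.
check_tinc_rules() {
    ctr_rules=$(printf '%s\n' "$1" | sed 's/^iptables //')
    ctr_missing=0
    for ctr_proto in tcp udp; do
        for ctr_chain in INPUT OUTPUT; do
            if ! printf '%s\n' "$ctr_rules" | grep -q -e \
                "-A $ctr_chain .*-p $ctr_proto .*--dport $TINC_PORT .*-j ACCEPT"; then
                echo "missing: $ctr_chain $ctr_proto --dport $TINC_PORT"
                ctr_missing=1
            fi
            if ! printf '%s\n' "$ctr_rules" | grep -q -E -e \
                "-A $ctr_chain .*-p $ctr_proto .*--sport $TINC_PORT .*-j ACCEPT|^-A $ctr_chain -m (conntrack --ctstate|state --state) [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$"; then
                echo "missing: $ctr_chain $ctr_proto --sport $TINC_PORT (or a stateful ESTABLISHED accept)"
                ctr_missing=1
            fi
        done
    done
    return $ctr_missing
}

# Constructed samples: the answer's failing and working sets in `iptables -S` form.
FAILING_RULES='-A INPUT -p tcp -m tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 655 -j ACCEPT
-A INPUT -p udp -m udp --sport 655 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 655 -j ACCEPT'

WORKING_RULES='-A INPUT -p tcp -m tcp --sport 655 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 655 -j ACCEPT
-A INPUT -p udp -m udp --sport 655 -j ACCEPT
-A INPUT -p udp -m udp --dport 655 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 655 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 655 -j ACCEPT'

echo "== failing set from the answer"; check_tinc_rules "$FAILING_RULES" || echo "-> rejected"
echo "== working set from the answer"; check_tinc_rules "$WORKING_RULES" && echo "-> ok"
echo "== generated stateful set";      check_tinc_rules "$(tinc_rules)" && echo "-> ok"
# On a node, after reading the output:  tinc_rules | sudo sh
# To audit a running node:              check_tinc_rules "$(sudo iptables -S)"
```

The failing set is reported as missing INPUT --dport and OUTPUT --sport for both protocols: with it, a node can open meta connections to its peers but never accept one, and the answer's working set fixes exactly that by adding the mirror rules. The generated set passes the same check with two generic ESTABLISHED,RELATED accepts instead of four --sport rules, and it narrows the question's "accept anything from 10.0.3.0/24 on any interface" rules to the tun device, so a packet arriving on eth0 with a spoofed 10.0.3.x source is not treated as VPN traffic.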