Route ftp packets through one network interface and everything else through another

I have an Ubuntu 14.04 server with two NICs. Each NIC is connected to a different router, and each router has its own independent internet access.

We want to redirect ftp port traffic through the second interface, em1, and all the remaining traffic through the default interface, p4p1.

I have both interfaces up. I followed the instructions for the first option in this question.

In summary, I created a table, marked the packets and added an IP route.

But ftp to the public address of em1 times out. (The router forwards tcp/udp traffic on the ftp ports to the server's em1.) Also, the public address of p4p1 still responds normally to ftp requests.

What is the correct way to achieve this?

Bonus: it would be nice if the first interface, p4p1, could also handle ftp requests, but the priority is that most of the traffic goes through em1.

Edit:

Until I figure out the ftp ports, I am trying with a high port, 30000, and netcat. I have an nc -l 30000 running and am trying to connect from another computer with nc <em1 public> 30000. I have tried many mangle marks

~# iptables -vL -t mangle
Chain PREROUTING (policy ACCEPT 70M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1

Chain INPUT (policy ACCEPT 70M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 44M packets, 244G bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  any    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1
    0     0 MARK       tcp  --  any    any     anywhere             anywhere             tcp dpt:30000 MARK set 0x1

Chain POSTROUTING (policy ACCEPT 44M packets, 244G bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CHECKSUM   udp  --  any    virbr0  anywhere             anywhere             udp dpt:bootpc CHECKSUM fill

$# ip rule list
0:  from all lookup local 
32764:  from all fwmark 0x1 lookup ftptable 
32765:  from all fwmark 0x1 lookup ftptable 
32766:  from all lookup main 
32767:  from all lookup default

$# ip route show table ftptable
default via 192.168.0.1 dev em1 
192.168.0.0/24 dev em1  proto kernel  scope link  src 192.168.0.2 
192.168.30.0/24 dev p4p1  proto kernel  scope link  src 192.168.30.240 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 

With netcat, when I use the private addresses, both p4p1 and em1 can connect, probably because they are on that routing table. But if I use the router's public address, it doesn't connect (netcat says nothing).

Also, if I point the router's forwarding at another computer that has only one interface connected to the em1 network, it works, so the router is redirecting the packets correctly.

Some packets are being matched; what am I missing?

$# iptables -vL
Chain INPUT (policy ACCEPT 110K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6665  350K fail2ban-proftpd  tcp  --  any    any     anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data
32902 3536K fail2ban-ssh  tcp  --  any    any     anywhere             anywhere             multiport dports ssh
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:bootps
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:bootps
    2   120 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:30000 flags:FIN,SYN,RST,ACK/SYN LOG level warning prefix "EM1 PACKET: "

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere            
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere            
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 51159 packets, 415M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  any    virbr0  anywhere             anywhere             udp dpt:bootpc

Chain fail2ban-proftpd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6065  320K RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     52.166.112.31        anywhere             reject-with icmp-port-unreachable
    3   180 REJECT     all  --  any    any     77.72.85.100         anywhere             reject-with icmp-port-unreachable
31246 3423K RETURN     all  --  any    any     anywhere             anywhere            

$# iptables -vL -t mangle
Chain PREROUTING (policy ACCEPT 84103 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1

Chain INPUT (policy ACCEPT 82011 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1
    0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp dpt:30000 MARK set 0x1

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 29709 packets, 405M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   14   760 MARK       tcp  --  any    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1
    6   336 MARK       tcp  --  any    any     anywhere             anywhere             tcp dpt:30000 MARK set 0x1

Chain POSTROUTING (policy ACCEPT 29716 packets, 405M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CHECKSUM   udp  --  any    virbr0  anywhere             anywhere             udp dpt:bootpc CHECKSUM fill

Edit: output of iptables-save after adding the rules suggested in the answer. I have also added logging rules for debugging.

# iptables-save
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*security
:INPUT ACCEPT [4040903:3466094909]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2985425:13178502885]
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*raw
:PREROUTING ACCEPT [4235010:3593851556]
:OUTPUT ACCEPT [3083663:13237232624]
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*nat
:PREROUTING ACCEPT [18035:2084634]
:INPUT ACCEPT [9322:747039]
:OUTPUT ACCEPT [7009:591525]
:POSTROUTING ACCEPT [7009:591525]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*mangle
:PREROUTING ACCEPT [7497:609073]
:INPUT ACCEPT [7342:587369]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17006:47385884]
:POSTROUTING ACCEPT [17006:47385884]
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
-A PREROUTING -p tcp -m mark --mark 0x0 -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
-A INPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
-A INPUT -p tcp -m tcp --sport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
-A INPUT -i em1 -p tcp -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -p tcp -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
-A POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*filter
:INPUT ACCEPT [1173459:1591522133]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [599656:3734127129]
:fail2ban-proftpd - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j fail2ban-proftpd
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1 PACKET: "
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A fail2ban-proftpd -j RETURN
-A fail2ban-ssh -s 52.166.112.31/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 77.72.85.100/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Sep 22 17:52:00 2017

I also changed the sysctl values, because I saw other posts suggesting it:

net.ipv4.conf.default.rp_filter=2
net.ipv4.conf.all.rp_filter=2
net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.em1.rp_filter=2

Answer 1

Update the routing table ftptable and add a gateway to your default route. Currently, once your ftp packets switch to using ftptable, the table does not know how to get back to the gateway for the public IP.

For policy routing I usually use the following combination:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

Then, specifically for ftp:

iptables -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport 21 -j MARK --set-mark 1

If this captures too much FTP traffic (rather than only incoming), some variation may be needed. Related connections inherit the parent mark, so they do not need a specific rule.

If it still doesn't work, the output of iptables-save is more precise than iptables -vL and may help with the analysis.

Another useful diagnostic tool is conntrack. You can use conntrack -L to dump the table and view the marks.
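The answer's fwmark/CONNMARK approach, written out as one complete setup script. This is an added example, not the asker's or the answerer's commands: the interface name em1, gateway 192.168.0.1, local address 192.168.0.2 and the table name ftptable are taken from the question's ftptable listing and are assumed to be correct for the host; the port list, the DRY_RUN switch and the run wrapper are this example's own conventions. It goes one step beyond the answer's three mangle lines: because the FTP server's replies are generated locally and never pass through PREROUTING, the connection mark is also restored in the mangle OUTPUT chain so that the reply's routing decision sees the mark and consults ftptable.

```shell
#!/bin/sh
# Added example: policy-route inbound connections on selected TCP ports via a
# secondary interface, using fwmark + CONNMARK as in the answer above.
# Assumed values (from the question's ftptable listing): em1, 192.168.0.1,
# 192.168.0.2, table name "ftptable". DRY_RUN=1 (the default) prints the
# commands instead of executing them, so the script can be reviewed first.

DRY_RUN=${DRY_RUN:-1}
IFACE=${IFACE:-em1}
GATEWAY=${GATEWAY:-192.168.0.1}
LOCAL_ADDR=${LOCAL_ADDR:-192.168.0.2}
TABLE=${TABLE:-ftptable}       # must already be listed in /etc/iproute2/rt_tables
MARK=${MARK:-0x1}
PORTS=${PORTS:-21}             # space-separated TCP ports to route via IFACE

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # 1. Dedicated table: default route through the secondary gateway, with the
    #    source address pinned so replies leave with the em1 address.
    run ip route replace default via "$GATEWAY" dev "$IFACE" src "$LOCAL_ADDR" table "$TABLE"

    # 2. Marked packets consult that table. One rule is enough; the question's
    #    "ip rule list" shows the same rule twice, which is harmless but confusing.
    run ip rule add fwmark "$MARK" lookup "$TABLE"

    # 3. Load the FTP helper so data connections are tracked as RELATED to the
    #    control connection and inherit its connmark (as the answer notes).
    run modprobe nf_conntrack_ftp

    # 4. Mangle PREROUTING: restore a saved mark, stop if the flow is already
    #    classified, otherwise mark new connections arriving on IFACE.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    for p in $PORTS; do
        run iptables -t mangle -A PREROUTING -i "$IFACE" -p tcp --dport "$p" -m mark --mark 0 -j MARK --set-mark "$MARK"
    done

    # 5. Locally generated replies skip PREROUTING, so restore the mark in
    #    OUTPUT too (this line is not in the answer); then persist marks.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

    # 6. Loose reverse-path filtering on the secondary interface, matching the
    #    sysctl change the asker already made.
    run sysctl -w "net.ipv4.conf.$IFACE.rp_filter=2"
}

setup_policy_routing
```

Run it as-is to review the generated commands, then with DRY_RUN=0 as root to apply them. After that, a connection to the em1 public address should show up in conntrack -L with mark=1, and the ftptable route should be the one selected for its replies; if the mark is present but the reply still leaves through p4p1, the OUTPUT restore rule is the first thing to check.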
