I have an Ubuntu 14.04 server with two NICs, each connected to a different router, and each router has its own independent internet access. We want FTP port traffic to go out through the second interface, em1, and all remaining traffic through the default interface, p4p1.
I have both interfaces up. I followed the instructions in the first option of this question. In summary, I created a table, marked the packets and added an IP route.
But ftp to em1's public address times out. (The router forwards tcp/udp traffic on the ftp ports to the server's em1.) Also, p4p1's public address still responds to ftp requests normally.
What is the correct way to achieve this?
Bonus: it would be nice if the first interface (p4p1) could also handle ftp requests, but the priority is for most of the traffic to go through em1.
Edit:
Before I figure out the ftp ports, I am trying with a high port, 30000, and netcat. I have an nc -l 30000 running, and I am trying to connect from another machine with nc <em1 public> 30000. I have tried many mangle marks:
~# iptables -vL -t mangle
Chain PREROUTING (policy ACCEPT 70M packets, 21G bytes)
pkts bytes target prot opt in out source destination
0 0 MARK tcp -- em1 any anywhere anywhere tcp spt:30000 MARK set 0x1
Chain INPUT (policy ACCEPT 70M packets, 21G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 44M packets, 244G bytes)
pkts bytes target prot opt in out source destination
0 0 MARK tcp -- any any anywhere anywhere tcp spt:30000 MARK set 0x1
0 0 MARK tcp -- any any anywhere anywhere tcp dpt:30000 MARK set 0x1
Chain POSTROUTING (policy ACCEPT 44M packets, 244G bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- any virbr0 anywhere anywhere udp dpt:bootpc CHECKSUM fill
$# ip rule list
0: from all lookup local
32764: from all fwmark 0x1 lookup ftptable
32765: from all fwmark 0x1 lookup ftptable
32766: from all lookup main
32767: from all lookup default
$# ip route show table ftptable
default via 192.168.0.1 dev em1
192.168.0.0/24 dev em1 proto kernel scope link src 192.168.0.2
192.168.30.0/24 dev p4p1 proto kernel scope link src 192.168.30.240
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
netcat can connect to both p4p1 and em1 when I use the private addresses, probably because they are on that routing table. But if I use the router's public address it does not connect (netcat says nothing).
Also, if I point the router's forwarding at another machine that has only one interface connected to the em1 network, it works, so the router is redirecting the packets correctly.
Some packets are being matched; what am I missing?
$# iptables -vL
Chain INPUT (policy ACCEPT 110K packets, 18M bytes)
pkts bytes target prot opt in out source destination
6665 350K fail2ban-proftpd tcp -- any any anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
32902 3536K fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:bootps
2 120 LOG tcp -- any any anywhere anywhere tcp dpt:30000 flags:FIN,SYN,RST,ACK/SYN LOG level warning prefix "EM1 PACKET: "
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 51159 packets, 415M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any virbr0 anywhere anywhere udp dpt:bootpc
Chain fail2ban-proftpd (1 references)
pkts bytes target prot opt in out source destination
6065 320K RETURN all -- any any anywhere anywhere
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any 52.166.112.31 anywhere reject-with icmp-port-unreachable
3 180 REJECT all -- any any 77.72.85.100 anywhere reject-with icmp-port-unreachable
31246 3423K RETURN all -- any any anywhere anywhere
$# iptables -vL -t mangle
Chain PREROUTING (policy ACCEPT 84103 packets, 11M bytes)
pkts bytes target prot opt in out source destination
0 0 MARK tcp -- em1 any anywhere anywhere tcp spt:30000 MARK set 0x1
Chain INPUT (policy ACCEPT 82011 packets, 11M bytes)
pkts bytes target prot opt in out source destination
0 0 MARK tcp -- em1 any anywhere anywhere tcp spt:30000 MARK set 0x1
0 0 MARK tcp -- em1 any anywhere anywhere tcp dpt:30000 MARK set 0x1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 29709 packets, 405M bytes)
pkts bytes target prot opt in out source destination
14 760 MARK tcp -- any any anywhere anywhere tcp spt:30000 MARK set 0x1
6 336 MARK tcp -- any any anywhere anywhere tcp dpt:30000 MARK set 0x1
Chain POSTROUTING (policy ACCEPT 29716 packets, 405M bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- any virbr0 anywhere anywhere udp dpt:bootpc CHECKSUM fill
Edit: the output of iptables-save after adding the rules suggested in the answer. I also added logging rules for debugging.
# iptables-save
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*security
:INPUT ACCEPT [4040903:3466094909]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2985425:13178502885]
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*raw
:PREROUTING ACCEPT [4235010:3593851556]
:OUTPUT ACCEPT [3083663:13237232624]
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*nat
:PREROUTING ACCEPT [18035:2084634]
:INPUT ACCEPT [9322:747039]
:OUTPUT ACCEPT [7009:591525]
:POSTROUTING ACCEPT [7009:591525]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*mangle
:PREROUTING ACCEPT [7497:609073]
:INPUT ACCEPT [7342:587369]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17006:47385884]
:POSTROUTING ACCEPT [17006:47385884]
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
-A PREROUTING -p tcp -m mark --mark 0x0 -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
-A INPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
-A INPUT -p tcp -m tcp --sport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
-A INPUT -i em1 -p tcp -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -p tcp -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
-A POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
# Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
*filter
:INPUT ACCEPT [1173459:1591522133]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [599656:3734127129]
:fail2ban-proftpd - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j fail2ban-proftpd
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1 PACKET: "
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A fail2ban-proftpd -j RETURN
-A fail2ban-ssh -s 52.166.112.31/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 77.72.85.100/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Sep 22 17:52:00 2017
I also changed the sysctl values, since I saw other posts recommending it:
net.ipv4.conf.default.rp_filter=2
net.ipv4.conf.all.rp_filter=2
net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.em1.rp_filter=2
Answer 1
Update the ftptable routing table and add a gateway to your default route. Right now, once your ftp packets switch to using ftptable, they do not know how to get back to the gateway of the public IP.
For policy routing I usually use the following combination:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
Then specifically for ftp:
iptables -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport 21 -j MARK --set-mark 1
You may need some variations if this captures too much FTP traffic (rather than only incoming). Related connections inherit the parent mark, so they do not need specific rules.
If it still does not work, the output of iptables-save is more precise than iptables -vL and may help with the analysis.
Another useful diagnostic tool is conntrack. You can use conntrack -L to dump the table and view the marks.
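The answer's CONNMARK recipe, the ftptable default route and the rp_filter change from the question put together as one script. This is an added example, not a script from the asker or the answerer, and it assumes the values the question shows (em1 gateway 192.168.0.1, table name ftptable, mark 1) plus placeholders it does not show (numeric table id 100 taken as free, FTP control port 21, stock ip/iptables/sysctl binaries). It goes beyond the answer's three-rule combination in two places that matter for a server that terminates the connections itself: the mark is saved in PREROUTING, because a packet delivered to a local socket goes PREROUTING -> INPUT and never reaches POSTROUTING, so a POSTROUTING save alone never records the incoming SYN's mark; and the mark is restored in mangle OUTPUT, so the locally generated replies are re-routed through ftptable. It also assigns the ftp conntrack helper explicitly so the data connections are RELATED and inherit the mark as the answer describes.

```shell
#!/bin/bash
# Added example (not the asker's or the answerer's script): apply the
# CONNMARK-based policy route from the answer for an FTP server whose
# ftp traffic arrives on em1. Assumed values (from the question where
# available, otherwise placeholders): em1 gateway 192.168.0.1, table
# name ftptable with the free numeric id 100, fwmark 1, control port 21.
# Usage: "./ftp-policy-route.sh plan" prints the commands, "apply" runs them.
set -eu

WAN_IF=${WAN_IF:-em1}
WAN_GW=${WAN_GW:-192.168.0.1}
TABLE=${TABLE:-ftptable}
TABLE_ID=${TABLE_ID:-100}   # assumed unused in /etc/iproute2/rt_tables
MARK=${MARK:-1}
FTP_PORT=${FTP_PORT:-21}

# Every command goes through run(), so DRY_RUN=1 prints instead of executing.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

register_table() {
    # "ip ... table ftptable" only resolves once the name is in rt_tables.
    if ! grep -qE "^[0-9]+[[:space:]]+${TABLE}\$" /etc/iproute2/rt_tables 2>/dev/null; then
        run sh -c "echo '${TABLE_ID} ${TABLE}' >> /etc/iproute2/rt_tables"
    fi
}

setup_routes() {
    # The alternate table needs its own default route via em1's gateway,
    # otherwise marked replies have no way out (the answer's first point).
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # Delete before add: re-running must not stack duplicate rules, which is
    # what the question's "ip rule list" (32764 and 32765) shows.
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE"
    # Loose reverse-path filtering: in strict mode a SYN arriving on em1
    # whose best route back (main table) is p4p1 is dropped as spoofed.
    run sysctl -qw net.ipv4.conf.all.rp_filter=2
    run sysctl -qw "net.ipv4.conf.${WAN_IF}.rp_filter=2"
}

setup_marks() {
    # 1. Packets of an already-marked connection get their mark back and
    #    skip the rest of the chain.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 2. New FTP connections arriving on em1 are marked here, in PREROUTING,
    #    i.e. before the routing decision; a MARK in INPUT (the question's
    #    first attempt) runs after it and cannot influence the route.
    #    "-i em1" leaves FTP arriving on p4p1 in the main table.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FTP_PORT" \
        -m mark --mark 0 -j MARK --set-mark "$MARK"
    # 3. Save the mark on the inbound path. A locally delivered packet goes
    #    PREROUTING -> INPUT and never reaches POSTROUTING, so a save there
    #    alone would never record the mark of the incoming SYN.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # 4. Replies are generated locally (OUTPUT path). Restoring the mark here
    #    makes the kernel re-route them, which sends the SYN-ACK out through
    #    ftptable instead of the main table.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

setup_ftp_helper() {
    # Data connections become RELATED (and inherit the control connection's
    # mark, as the answer says) only when the ftp helper tracks the control
    # channel; assigning it explicitly does not depend on the
    # automatic-helper sysctl.
    run modprobe nf_conntrack_ftp
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FTP_PORT" \
        -j CT --helper ftp
}

main() {
    register_table
    setup_routes
    setup_ftp_helper
    setup_marks
}

case "${1:-}" in
    plan)  DRY_RUN=1 main ;;
    apply) main ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

Run it with plan first and compare the printed rules against iptables-save -t mangle and ip rule list; after apply, conntrack -L shows mark=1 on the control connection and on its ftp-data children, which is the quickest check that the reply path is really taking ftptable.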