Debian 9 上的 IPTables 与 UFW - 端口转发不起作用

Debian 9 上的 IPTables 与 UFW - 端口转发不起作用

我从昨天开始尝试解决这个问题,但没有成功。我已经配置了pppoe、、、。端口dnsmasq转发不起作用。IPTables 规则如下所示。hostapdufw

我的iptables -vL输出:

root@media:/home/dost# iptables -vL
Chain INPUT (policy DROP 4 packets, 160 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2079  218K ufw-before-logging-input  all  --  any    any     anywhere             anywhere
 2079  218K ufw-before-input  all  --  any    any     anywhere             anywhere
  361  103K ufw-after-input  all  --  any    any     anywhere             anywhere
    5   224 ufw-after-logging-input  all  --  any    any     anywhere             anywhere
    5   224 ufw-reject-input  all  --  any    any     anywhere             anywhere
    5   224 ufw-track-input  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 14 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8237 4939K ufw-before-logging-forward  all  --  any    any     anywhere             anywhere
 8237 4939K ufw-before-forward  all  --  any    any     anywhere             anywhere
  524 28096 ufw-after-forward  all  --  any    any     anywhere             anywhere
  524 28096 ufw-after-logging-forward  all  --  any    any     anywhere             anywhere
  524 28096 ufw-reject-forward  all  --  any    any     anywhere             anywhere
  524 28096 ufw-track-forward  all  --  any    any     anywhere             anywhere
  508 27432 ACCEPT     all  --  wlp2s0 ppp0    192.168.0.0/24       anywhere             ctstate NEW
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1606  649K ufw-before-logging-output  all  --  any    any     anywhere             anywhere
 1606  649K ufw-before-output  all  --  any    any     anywhere             anywhere
  226 15220 ufw-after-output  all  --  any    any     anywhere             anywhere
  226 15220 ufw-after-logging-output  all  --  any    any     anywhere             anywhere
  226 15220 ufw-reject-output  all  --  any    any     anywhere             anywhere
  226 15220 ufw-track-output  all  --  any    any     anywhere             anywhere

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   468 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:netbios-dgm
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
    0     0 ufw-skip-to-policy-input  tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootps
    0     0 ufw-skip-to-policy-input  udp  --  any    any     anywhere             anywhere             udp dpt:bootpc
  350  102K ufw-skip-to-policy-input  all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
   27  1404 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   160 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 7713 4911K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   wlp2s0  anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  ppp0   wlp2s0  anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  ppp0   wlp2s0  anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
  522 27992 ufw-user-forward  all  --  any    any     anywhere             anywhere

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    29 ACCEPT     all  --  lo     any     anywhere             anywhere
 1564  104K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp parameter-problem
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:bootps dpt:bootpc
  513  113K ufw-not-local  all  --  any    any     anywhere             anywhere
    4  1086 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             239.255.255.250      udp dpt:1900
  509  112K ufw-user-input  all  --  any    any     anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    29 ACCEPT     all  --  any    lo      anywhere             anywhere
 1379  634K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  226 15220 ufw-user-output  all  --  any    any     anywhere             anywhere

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
  153 10071 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    4  1086 RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
  356  102K RETURN     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 10
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
  356  102K DROP       all  --  any    any     anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   224 ACCEPT     tcp  --  any    any     anywhere             anywhere             ctstate NEW
  224 14996 ACCEPT     udp  --  any    any     anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  wlp2s0 any     anywhere             anywhere             udp spt:bootpc dpt:bootps
    0     0 ACCEPT     tcp  --  wlp2s0 any     192.168.0.0/24       anywhere             tcp dpt:domain
  149  9911 ACCEPT     udp  --  wlp2s0 any     192.168.0.0/24       anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:1111
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

我的before.rules台词:

root@media:/home/dost# cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 22 -j ACCEPT
-A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 80 -j ACCEPT
-A ufw-before-forward -i ppp0 -o wlp2s0 -p tcp --dport 443 -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

*nat
:PREROUTING ACCEPT [0:0]

-A PREROUTING -p tcp --dport 1111 -i ppp0 -j DNAT --to-destination 192.168.0.34:22
-A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to-destination 192.168.0.3:80
-A PREROUTING -p tcp --dport 443 -i ppp0 -j DNAT --to-destination 192.168.0.3:443

COMMIT

我的after.rules文件:

root@media:/home/dost# cat /etc/ufw/after.rules
#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-after-input
#   ufw-after-output
#   ufw-after-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines

# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input

# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

-A FORWARD -o ppp0 -i wlp2s0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

# Enable NAT
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to match you out-interface
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

COMMIT

ufw status输出:

root@media:/home/dost# ufw status
Status: active

To                         Action      From
--                         ------      ----
67/udp on wlp2s0           ALLOW       68/udp
53 on wlp2s0               ALLOW       192.168.0.0/24
1111/tcp                   ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
67/udp (v6) on wlp2s0      ALLOW       68/udp (v6)
1111/tcp (v6)              ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

ip a输出:

root@media:/home/dost# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether d0:50:99:94:0a:ed brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d250:99ff:fe94:aed/64 scope link
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether ac:fd:ce:32:b2:5c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global wlp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::aefd:ceff:fe32:b25c/64 scope link
       valid_lft forever preferred_lft forever
4: enp3s0.35@enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d0:50:99:94:0a:ed brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d250:99ff:fe94:aed/64 scope link
       valid_lft forever preferred_lft forever
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 176.40.2.185 peer 92.45.0.162/32 scope global ppp0
       valid_lft forever preferred_lft forever

我是 IPTables 新手。您能帮我找出问题所在吗?提前致谢。

答案1

找到问题了。我不知道这是否是一个错误,但是当你使用-i选项时PREROUTING它不起作用。

相关内容