I am setting up a VM to use the Tor network. I configured it with 2 network cards:
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.8.92 netmask 255.255.254.0 broadcast 192.168.9.255
ether 32:e7:82:9e:31:07 txqueuelen 1000 (Ethernet)
RX packets 16080 bytes 609272 (594.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 256 bytes 63970 (62.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.8.69 netmask 255.255.254.0 broadcast 192.168.9.255
ether 9e:cb:47:6a:c8:be txqueuelen 1000 (Ethernet)
RX packets 15815 bytes 540457 (527.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28 bytes 1776 (1.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 60 bytes 4640 (4.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 60 bytes 4640 (4.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
My iptables rules are as follows:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner 107 -j RETURN
-A OUTPUT -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Accept connections from local LAN on eth1
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 -j ACCEPT
# Allow access to apt-proxy
-A OUTPUT -d 192.168.8.250 -p tcp -m tcp --dport 3142 -j ACCEPT
COMMIT
Everything works on the VM, but for some reason I cannot SSH to the VM via 192.168.8.69 (the IP address of eth1), even though the first rule in the filter chain is set to accept everything on eth1.
Using:
-A INPUT -s 192.168.8.0/23 -p tcp -m tcp --dport 22 -j ACCEPT # Works
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT #Doesn't work
-A INPUT -i eth1 -j ACCEPT #Doesn't work
Can anyone tell me what is missing here?
Thanks. Using Debian Stretch, no GUI, XEN-ng hypervisor.
Answer 1
Your firewall rules are mixed: you use both stateless and stateful rules, and you are using this one to track connection state:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You need a new rule like the following to allow new connections:
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
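To make the first-match behaviour of the filter INPUT chain concrete, here is an added Python model of the question's rules (example code, not from the post or its author; the packet values are constructed). It shows that the `-s 192.168.8.0/23` rule accepts an SSH SYN whichever interface it arrives on, while the `-i eth1` rules only match when the kernel actually received the packet on eth1, which is the first thing to check when a rule keyed on an interface does not fire.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """A constructed inbound packet as seen by the INPUT chain."""
    iface: str      # ingress interface (-i)
    src: str        # source address (-s)
    proto: str      # protocol (-p)
    dport: int      # destination port (--dport)
    state: str      # conntrack state: NEW, ESTABLISHED or RELATED


def rule(target, iface=None, src=None, proto=None, dport=None, state=None):
    """One iptables rule; None means 'any' for that match criterion."""
    return dict(target=target, iface=iface, src=src, proto=proto,
                dport=dport, state=state)


def matches(r, p):
    if r["iface"] is not None and r["iface"] != p.iface:
        return False
    if r["src"] is not None and ipaddress.ip_address(p.src) not in \
            ipaddress.ip_network(r["src"]):
        return False
    if r["proto"] is not None and r["proto"] != p.proto:
        return False
    if r["dport"] is not None and r["dport"] != p.dport:
        return False
    if r["state"] is not None and p.state not in r["state"]:
        return False
    return True


def verdict(chain, p, policy="DROP"):
    """First matching rule wins; otherwise the chain policy (here :INPUT DROP)."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy


# The INPUT chain transcribed from the question.
INPUT_CHAIN = [
    rule("ACCEPT", iface="eth1"),
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", src="127.0.0.1/32"),
]
# The variant the poster reports as working: keyed on source subnet, not interface.
SUBNET_RULE = rule("ACCEPT", src="192.168.8.0/23", proto="tcp", dport=22)


def ssh_syn(iface):
    """Constructed new SSH connection from a LAN host, arriving on `iface`."""
    return Packet(iface, "192.168.8.10", "tcp", 22, "NEW")
```

Because both NICs sit in the same /23, a SYN addressed to 192.168.8.69 may well be delivered on eth0, where only the subnet-based rule matches.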