Cannot connect to access point because of iptables/filter


Setup

Raspberry Pi connected to the router over Ethernet on subnet 192.168.0.0/24

Raspberry Pi access point on subnet 192.168.43.0/24

I am using the nordvpn app, and when I connect to the VPN it applies a filter to my network:

Problem

After this filter is applied I cannot connect to my access point. No IP address can be obtained. I tried whitelisting ports 68 and 69, but without success. What exactly in the filter is causing this problem?

I also tried

sudo iptables -A INPUT -s 192.168.43.0/24 -j ACCEPT

Filter:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 165.231.253.11/32 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i lo -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 74 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 5400 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i wlan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o wlan0 -j ACCEPT
-A OUTPUT -d 192.168.43.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -d 165.231.253.11/32 -o tun0 -j ACCEPT
-A OUTPUT -d 10.8.0.0/24 -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o wlan0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT

Tshark output when unable to connect:

Capturing on 'wlan0'
1 0.000000000 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
2 6.347075913 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
3 6.405992489 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
4 6.407274309 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
5 6.419174541 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
6 6.664258217           :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
7 6.664945194           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
8 6.829452451      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
9 7.477149785           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
10 7.550230284 fe80::8109:8fd:40d6:ea23 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
11 7.550522158 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
12 7.600963546 fe80::8109:8fd:40d6:ea23 → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
13 7.828222369      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
14 10.038442823      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
15 10.834140206      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
16 11.647401711 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 188 Standard query 0x0004 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
17 11.678040125 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
18 11.925494678      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
19 13.987335051      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
20 18.262242160      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
21 20.190157358 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25
22 26.466357444      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e
23 31.555321065 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 188 Standard query 0x0005 PTR _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local, "QM" question PTR _674A0243._sub._googlecast._tcp.local, "QM" question PTR _8E6C866D._sub._googlecast._tcp.local, "QM" question PTR _googlecast._tcp.local, "QM" question
24 37.119574254 fe80::8109:8fd:40d6:ea23 → ff02::2      ICMPv6 70 Router Solicitation from 30:07:4d:6f:a4:25

When I allow all traffic with sudo iptables -P INPUT ACCEPT, I can connect. Output:

Capturing on 'wlan0'
1 0.000000000 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 113 Key (Message 1 of 4)
2 0.482149729 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 135 Key (Message 2 of 4)
3 0.483485507 Raspberr_55:bd:9f → SamsungE_6f:a4:25 EAPOL 169 Key (Message 3 of 4)
4 0.497073903 SamsungE_6f:a4:25 → Raspberr_55:bd:9f EAPOL 113 Key (Message 4 of 4)
5 0.571571905           :: → ff02::1:ffd6:ea23 ICMPv6 78 Neighbor Solicitation for fe80::8109:8fd:40d6:ea23
6 0.572910963           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
7 0.720530878      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer    - Transaction ID 0x1352b3f1
9 0.733148079      0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request  - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK      - Transaction ID 0x1352b3f1
11 0.843515868 192.168.43.206 → 224.0.0.251  MDNS 82 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
12 0.843790867 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 102 Standard query 0x0000 PTR _googlecast._tcp.local, "QU" question
13 0.846673931           :: → ff02::16     ICMPv6 110 Multicast Listener Report Message v2
14 0.846747733 192.168.43.206 → 224.0.0.251  IGMPv2 46 Membership Report group 224.0.0.251
15 1.124610012 SamsungE_6f:a4:25 → Broadcast    ARP 42 Who has 192.168.43.1? Tell 192.168.43.206
16 1.124698866 Raspberr_55:bd:9f → SamsungE_6f:a4:25 ARP 42 192.168.43.1 is at b8:27:eb:55:bd:9f
17 1.229109485 192.168.43.206 → 192.168.43.1 DNS 89 Standard query 0xbaa1 A connectivitycheck.gstatic.com
18 1.235744361           :: → ff02::16     ICMPv6 90 Multicast Listener Report Message v2
19 1.236032745 192.168.43.206 → 192.168.43.1 DNS 76 Standard query 0xf06b A mtalk.google.com
20 1.244731521 192.168.43.206 → 192.168.43.1 DNS 82 Standard query 0xc1c5 A mqtt-mini.facebook.com
21 1.257354868 192.168.43.206 → 31.13.79.32  TCP 74 51440 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1 TSval=140302950 TSecr=0 WS=128
22 1.298846721 192.168.43.1 → 192.168.43.206 DNS 547 Standard query response 0xbaa1 A connectivitycheck.gstatic.com A 74.125.130.94 NS c.gtld-servers.net NS d.gtld-servers.net NS a.gtld-servers.net NS k.gtld-servers.net NS j.gtld-servers.net NS b.gtld-servers.net NS h.gtld-servers.net NS g.gtld-servers.net NS m.gtld-servers.net NS l.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30 A 192.12.94.30
23 1.304225715 192.168.43.1 → 192.168.43.206 DNS 545 Standard query response 0xf06b A mtalk.google.com CNAME mobile-gtalk.l.google.com A 74.125.24.188 NS b.gtld-servers.net NS m.gtld-servers.net NS g.gtld-servers.net NS k.gtld-servers.net NS f.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS j.gtld-servers.net NS a.gtld-servers.net NS c.gtld-servers.net NS l.gtld-servers.net NS h.gtld-servers.net NS d.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
24 1.318067391 192.168.43.1 → 192.168.43.206 DNS 551 Standard query response 0xc1c5 A mqtt-mini.facebook.com CNAME mqtt-mini.c10r.facebook.com A 157.240.13.32 NS b.gtld-servers.net NS l.gtld-servers.net NS j.gtld-servers.net NS d.gtld-servers.net NS e.gtld-servers.net NS i.gtld-servers.net NS f.gtld-servers.net NS g.gtld-servers.net NS a.gtld-servers.net NS m.gtld-servers.net NS h.gtld-servers.net NS k.gtld-servers.net NS c.gtld-servers.net A 192.5.6.30 AAAA 2001:503:a83e::2:30 A 192.33.14.30 AAAA 2001:503:231d::2:30 A 192.26.92.30 AAAA 2001:503:83eb::30 A 192.31.80.30 AAAA 2001:500:856e::30
25 1.325372213  31.13.79.32 → 192.168.43.206 TCP 74 443 → 51440 [SYN, ACK] Seq=0 Ack=1 Win=27360 Len=0 MSS=1380 SACK_PERM=1 TSval=2348760415 TSecr=140302950 WS=128
26 1.415381418 192.168.43.206 → 224.0.0.251  MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
27 1.415628604 192.168.43.206 → 224.0.0.251  MDNS 119 Standard query 0x0001 PTR _674A0243._sub._googlecast._tcp.local, "QU" question PTR _8E6C866D._sub._googlecast._tcp.local, "QU" question PTR _googlecast._tcp.local, "QU" question
28 1.419159739 192.168.43.206 → 31.13.79.32  TCP 66 51440 → 443 [ACK] Seq=1 Ack=1 Win=87680 Len=0 TSval=140302990 TSecr=2348760415
29 1.424759566 192.168.43.206 → 224.0.0.251  MDNS 125 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
30 1.429030595 fe80::8109:8fd:40d6:ea23 → ff02::fb     MDNS 145 Standard query 0x0000 ANY Android-2.local, "QU" question ANY Android-2.local, "QU" question A 192.168.43.206 AAAA fe80::8109:8fd:40d6:ea23
 31 1.429408823 192.168.43.206 → 31.13.79.32  TLSv1 235 Client Hello
32 1.444965025 192.168.43.206 → 192.168.43.1 DNS 74 Standard query 0xa640 A www.google.com

Answer 1

For clarity, I want to point out that you are able to connect to your access point. Your problem seems to be that once connected you cannot obtain an IP address from the DHCP server. You can see this in the following part of the first capture, where your device is sending DHCP Request/Discover messages but gets no reply:

 8 6.829452451      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
13 7.828222369      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
14 10.038442823      0.0.0.0 → 255.255.255.255 DHCP 344 DHCP Request  - Transaction ID 0x745f4be
15 10.834140206      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0xe8c8ff2e

When it works, you can clearly see the replies from the server:

7 0.720530878      0.0.0.0 → 255.255.255.255 DHCP 338 DHCP Discover - Transaction ID 0x1352b3f1
8 0.721546604 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP Offer    - Transaction ID 0x1352b3f1
9 0.733148079      0.0.0.0 → 255.255.255.255 DHCP 350 DHCP Request  - Transaction ID 0x1352b3f1
10 0.812064714 192.168.43.1 → 192.168.43.206 DHCP 342 DHCP ACK      - Transaction ID 0x1352b3f1

If you note the source address in the capture, your DHCP client has no source IP address. Until your client completes the DHCP process it has no IP address, and the RFC explicitly states:

DHCP messages broadcast by a client prior to that client obtaining its IP address must have the source address field in the IP header set to 0.

This also covers the case where the interface first comes up, even if it holds a valid lease. In that case it should send a DHCP Request with an all-zeros source address to check whether the server still considers the lease valid (this is to avoid IP conflicts).

So the following rules are your problem:

 -A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT
 -A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT

Remove them and replace them with the following, and you should be all set:

 -A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT

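To make the answer's point concrete, here is an added example (not part of the question or the answer) that simulates first-match evaluation of an INPUT chain with policy DROP against a constructed DHCP Discover whose source is 0.0.0.0. It shows the page's two 66:68 rules never match such a packet because of the -s 192.168.43.0/24 match, while the replacement rule matches yet stays scoped to wlan0. The parser is a deliberate subset (only -s, -i, -p, --dport and -j; the conntrack rules are left out), and the packets and the SSH control case are constructed, not taken from the captures.

```python
import ipaddress

# Constructed sample packets (modelled on the captures, not taken from them).
DHCP_DISCOVER = {"iface": "wlan0", "src": "0.0.0.0", "proto": "udp", "dport": 67}
SSH_FROM_CLIENT = {"iface": "wlan0", "src": "192.168.43.206", "proto": "tcp", "dport": 22}
DHCP_ON_ETH0 = {"iface": "eth0", "src": "0.0.0.0", "proto": "udp", "dport": 67}

# The two rules the answer blames, plus the SSH rule from the ruleset as a control.
ORIGINAL = [
    "-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 192.168.43.0/24 -i wlan0 -p udp -m udp --dport 66:68 -j ACCEPT",
    "-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 66:68 -j ACCEPT",
]
# The answer's replacement: no -s match, still limited to wlan0 and UDP 67:68.
FIXED = [
    "-A INPUT -s 192.168.43.0/24 -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -i wlan0 -p udp -m udp --dport 67:68 -j ACCEPT",
]

def parse_rule(line):
    """Parse only the matches used on this page; '-A INPUT' and '-m udp' add no condition."""
    toks = line.split()
    rule = {"src": None, "iface": None, "proto": None, "dport": None, "target": None}
    simple = {"-s": "src", "-i": "iface", "-p": "proto", "-j": "target"}
    for i, t in enumerate(toks[:-1]):
        v = toks[i + 1]
        if t == "--dport":
            lo, _, hi = v.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))  # single port or low:high range
        elif t in simple:
            rule[simple[t]] = ipaddress.ip_network(v) if t == "-s" else v
    return rule

def matches(rule, pkt):
    """All matches of one rule are ANDed, as iptables does."""
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]))

def verdict(rules, pkt, policy="DROP"):
    """First matching rule decides; with no match the chain policy applies (INPUT DROP here)."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

if __name__ == "__main__":
    for name, pkt in [("DHCP Discover", DHCP_DISCOVER), ("SSH", SSH_FROM_CLIENT)]:
        print(name, "original:", verdict(ORIGINAL, pkt), "fixed:", verdict(FIXED, pkt))
```

The DHCP Discover is dropped under the original rules and accepted under the replacement, while the same packet arriving on eth0 is still dropped, so the fix widens only the source match, not the interface.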