IP port forwarding with iptables

I have set up a computer cluster. The machines sit on a LAN behind another computer that acts as a router. I want to forward an external port on the router to port 22 of the submit node on the LAN.

Here is a simplified diagram:

            MACHINE 1                        MACHINE 2
            --------------------     LAN     -------------------
WAN ------ [EXTERNAL PORT       ] --------- [INTERNAL PORT       ]
            --------------------             -------------------

I have done this procedure several times before, so what I did is the following:

sysctl -w net.ipv4.ip_forward=1

# For security precautions I do not provide the actual addresses and ports
export EXTERNAL_PORT=...
export INTERNAL_PORT=...
export INTERNAL_IP=...
export EXTERNAL_IP=...
export EXTERNAL_DEV=enp1s0f1
export INTERNAL_DEV=enp1s0f0

export OPERATION=A

iptables -t nat -$OPERATION PREROUTING   -p tcp -m tcp   -d $EXTERNAL_IP   --dport $EXTERNAL_PORT                                 -j DNAT   --to-destination $INTERNAL_IP:$INTERNAL_PORT
iptables        -$OPERATION FORWARD      -p tcp -m state -d $INTERNAL_IP   --dport $INTERNAL_PORT --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -$OPERATION POSTROUTING  -p tcp -m tcp   -s $INTERNAL_IP   --sport $INTERNAL_PORT                                 -j SNAT   --to-source $EXTERNAL_IP

No error code is produced. The command iptables -L (-t nat) shows sensible tables. But for some reason, whenever I try to connect to the submit node through the router's external port, the connection is refused. What am I missing? The firewall is off.

Both machines run Debian 10. I will provide any further information if necessary.

Edit 1

When I try to reach the internal machine through the forward, the tcpdump command is as follows:

tcpdump -lnni enp1s0f0 host $INTERNAL_IP and port $INTERNAL_PORT

However, when I look at the external interface, no traffic shows up:

tcpdump -lnni enp1s0f1 host $EXTERNAL_IP and port $EXTERNAL_PORT

My login attempt was picked up:

11:15:55.776025 IP <REMOTEIPANDPORT> > <LOCAL_IPANDPORT>: Flags [S], seq 2884744900, win 29200, options [mss 1380,sackOK,TS val 3014466815 ecr 0,nop,wscale 7], length 0
11:15:55.776218 IP <LOCAL_IPANDPORT> > <REMOTEIPANDPORT>: Flags [S.], seq 1614741316, ack 2884744901, win 28960, options [mss 1460,sackOK,TS val 1837145780 ecr 3014466815,nop,wscale 7], length 0
11:15:56.081390 IP <REMOTEIPANDPORT> > <LOCAL_IPANDPORT>: Flags [.], ack 1, win 229, options [nop,nop,TS val 3014467119 ecr 1837145780], length 0
11:15:56.088596 IP <LOCAL_IPANDPORT> > <REMOTEIPANDPORT>: Flags [P.], seq 1:42, ack 1, win 227, options [nop,nop,TS val 1837146093 ecr 3014467119], length 41: HTTP
11:15:56.088777 IP <REMOTEIPANDPORT> > <LOCAL_IPANDPORT>: Flags [R.], seq 1, ack 42, win 227, length 0

I think this matters because the university that runs the machines sometimes blocks certain addresses and ports.

To be more precise, the firewall is not off; it is not even installed.

Since machine 1 also works as a NAT, I am including my NAT configuration (this part works fine):

INTERNAL=enp1s0f0
EXTERNAL=enp1s0f1

iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT

Edit 2

The command iptables-save | sed "s/$EXTERNAL_IP/EXTIP/g" returns:

# Generated by xtables-save v1.8.2 on Fri Nov 29 04:50:00 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -d EXTIP/32 -p tcp -m tcp --dport 27182 -j DNAT --to-destination 192.168.20.101:22
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o enp1s0f1 -j MASQUERADE
-A POSTROUTING -o enp1s0f1 -j MASQUERADE
-A POSTROUTING -s 192.168.20.101/32 -p tcp -m tcp --sport 22 -j SNAT --to-source EXTIP
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Nov 29 04:50:00 2019
# Generated by xtables-save v1.8.2 on Fri Nov 29 04:50:00 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i enp1s0f1 -o enp1s0f0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0f0 -o enp1s0f1 -j ACCEPT
-A FORWARD -i enp1s0f1 -o enp1s0f0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0f0 -o enp1s0f1 -j ACCEPT
-A FORWARD -d 192.168.20.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.20.101/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Nov 29 04:50:00 2019
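A dump like the one in Edit 2 is worth checking mechanically rather than by eye. The following is an added example, not code from the original question: a small Python checker that parses iptables-save output, reports any DNAT target that no FORWARD rule admits for NEW connections while the FORWARD policy is DROP, and reports duplicated rules. The sample dump is constructed in the shape of the one above, with a second forward (to 192.168.20.102) added so that one miss is visible.

```python
import re
from collections import Counter
# Constructed sample shaped like the post's dump (EXTIP kept); the second DNAT has no FORWARD match.
SAMPLE_DUMP = """\
*nat
-A PREROUTING -d EXTIP/32 -p tcp -m tcp --dport 27182 -j DNAT --to-destination 192.168.20.101:22
-A PREROUTING -d EXTIP/32 -p tcp -m tcp --dport 27183 -j DNAT --to-destination 192.168.20.102:22
-A POSTROUTING -o enp1s0f1 -j MASQUERADE
-A POSTROUTING -o enp1s0f1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i enp1s0f1 -o enp1s0f0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.20.101/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
COMMIT
"""
def parse_dump(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": [(chain, line)]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A ") and cur is not None:
            cur["rules"].append((line.split()[1], line))
    return tables
def accepts_new(rule):
    """The first packet of a DNAT'ed connection is NEW: a state match must list NEW to admit it."""
    m = re.search(r"--(?:ct)?state (\S+)", rule)
    return m is None or "NEW" in m.group(1).split(",")
def audit(text):
    """Report DNAT targets that no FORWARD rule admits under a DROP policy, and duplicated rules."""
    t, findings = parse_dump(text), []
    fwd = [r for c, r in t.get("filter", {}).get("rules", []) if c == "FORWARD"]
    policy = t.get("filter", {}).get("policy", {}).get("FORWARD", "ACCEPT")
    for _, rule in t.get("nat", {}).get("rules", []):
        m = re.search(r"-j DNAT --to-destination (\d+\.\d+\.\d+\.\d+)(?::(\d+))?", rule)
        if not m: continue
        ip, port = m.group(1), m.group(2) or ""
        covered = any(f"-d {ip}/32" in f and (not port or f"--dport {port}" in f)
                      and f.endswith("-j ACCEPT") and accepts_new(f) for f in fwd)
        if not covered and policy == "DROP":
            findings.append(f"no FORWARD rule accepts NEW connections to {ip}:{port} (policy DROP)")
    for tbl, data in t.items():
        for (chain, rule), n in Counter(data["rules"]).items():
            if n > 1: findings.append(f"{tbl}/{chain}: rule duplicated {n}x: {rule}")
    return findings
```

Run it on real output with audit(open("dump.txt").read()); an empty list means every DNAT target is admitted by FORWARD and no rule was appended twice.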
