Passing traffic to a service behind the firewall


I'm running nginx on port 8080 and now I want to make it reachable from the Internet. For that I opened a port on my router and then added some rules to PF, but sniffing with wireshark shows that the port is unreachable:

2013-01-16 19:15:57.376545 IP 192.168.1.2.34891 > XXX.XXX.XXX.XXX.8080: Flags [S], seq 1885349577, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 10383901 ecr 0], length 0
2013-01-16 19:15:57.378853 IP XXX.XXX.XXX.XXX.8080 > 192.168.1.2.34891: Flags [FR.], seq 0, ack 1885349578, win 0, length 0
2013-01-16 19:15:57.378910 IP XXX.XXX.XXX.XXX > 192.168.1.2: ICMP XXX.XXX.XXX.XXX tcp port 8080 unreachable, length 36
2013-01-16 19:15:57.379250 IP 192.168.1.2.53838 > XXX.XXX.XXX.XXX.8080: Flags [S], seq 2116090664, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 10383904 ecr 0], length 0
2013-01-16 19:15:57.380858 IP XXX.XXX.XXX.XXX.8080 > 192.168.1.2.53838: Flags [FR.], seq 0, ack 2116090665, win 0, length 0
2013-01-16 19:15:57.380912 IP XXX.XXX.XXX.XXX > 192.168.1.2: ICMP XXX.XXX.XXX.XXX tcp port 8080 unreachable, length 36

XXX.XXX.XXX.XXX is my external IP, and this is my PF file:

ext_if = "XXX"
tcp_services = "{80, 443, 22, 53, 8080}"
udp_services = "{53}"
int_ip = "{XX.XX.XX.XX}"
int_services = "{3306 ,8080}"
icmp_types = "{echoreq}"
icmp_dang = "{13, 14, 17, 18}"

#***************************************************** Options ***************************************************** 

set block-policy drop
set loginterface $ext_if
set skip on lo0
#set timeout 70000
#scrub in all on $ext_if all no-df min-ttl 50 fragment reassemble
scrub out on $ext_if random-id

#*****************************************************   NAT   *****************************************************

nat on egress from (self) to any -> ($ext_if)

rdr on $ext_if proto {udp, tcp} from any to 192.168.1.2 port 8080 -> 192.168.1.2 port 8080


#*****************************************************  Rules  ***************************************************** 

antispoof for $ext_if

# block in&out traffic
block drop in log(all) on $ext_if all
block drop out log(all ,user) on $ext_if all

# Allow ping and MTU path discovery
pass in on $ext_if inet proto icmp all icmp-type $icmp_types
pass out on $ext_if inet proto icmp all icmp-type $icmp_types
pass inet proto icmp all icmp-type unreach code needfrag 

# pass out tcp&udp traffic for some ports
pass out on $ext_if inet proto tcp from any to any port \
                                        $tcp_services keep state
pass out on $ext_if inet proto udp from any to any port \
                                        $udp_services keep state

pass out on $ext_if inet proto {tcp, udp} from $int_ip port $int_services \
                    to $int_ip port $int_services keep state

# pass in tcp&udp traffic for some ports
pass in on $ext_if inet proto tcp from any port $tcp_services \
                    to any keep state
pass in on $ext_if inet proto udp from any port $udp_services \
                    to any keep state

pass in on $ext_if inet proto {tcp, udp} from $int_ip port $int_services \
                    to $int_ip port $int_services keep state

# pass IGMP traffic
pass in on $ext_if proto igmp all allow-opts

# Allow some ICMP types to get in
pass in inet proto icmp all icmp-type $icmp_types

Answer 1

I think the problem is that you specify the destination before the redirect.

If I'm not mistaken you are using the older syntax (pre-4.7), but here is how to do it with the current syntax.

pass in on $ext_if proto tcp from any to $ext_if port 8080 rdr-to 192.168.1.2 port 8080

I'm pretty sure it can be used like this:

rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.2 port 8080

Also, unless this is a very old installation, the keep state option is not needed, because keeping connection state is PF's default behaviour.
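Added example, not code from the question or the answer above: a minimal pf.conf fragment that puts the answer's correction into a complete ruleset, showing the asker's original rdr rule next to the corrected one in the pre-4.7 syntax the asker uses, with the post-4.7 rdr-to form in a comment. The interface name em0 is an assumption (the asker's file has "XXX" there); the host 192.168.1.2 and port 8080 come from the question. It also matches inbound traffic on the destination port rather than the source port, because a rule of the form "from any port 8080" (as in the asker's pass in rules) admits any remote host that simply chooses 8080 as its source port.

```conf
# Added example (not the question's or the answer's own file).
# Assumptions: em0 is the external interface; 192.168.1.2:8080 is the
# nginx host and port named in the question.
ext_if   = "em0"
web_srv  = "192.168.1.2"
web_port = "8080"
tcp_out  = "{80, 443, 22, 53}"

set skip on lo0
set block-policy drop

# Default deny in both directions on the external interface, logged.
block drop in  log on $ext_if all
block drop out log on $ext_if all

# --- Translation (pre-4.7 syntax) -------------------------------------
# The asker's rule only matches packets already addressed to 192.168.1.2,
# which is never true for a packet arriving from the Internet: such a
# packet is addressed to the external IP, so the rule never fired.
#   broken:  rdr on $ext_if proto {udp, tcp} from any to 192.168.1.2 port 8080 -> 192.168.1.2 port 8080
# Match on the external address instead; the parentheses make PF read the
# interface address at run time, which survives a DHCP/PPPoE change.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_port -> $web_srv port $web_port

# Post-4.7 syntax (OpenBSD 4.7 and later): translation moves onto the
# pass rule itself and matches the original (external) destination.
#   pass in on $ext_if proto tcp from any to ($ext_if) port $web_port rdr-to $web_srv port $web_port

# --- Filtering ---------------------------------------------------------
# In the pre-4.7 model filter rules see the packet *after* translation,
# so the pass rule must match the rewritten internal destination.
# Match the destination port and only admit new connections that start
# with a plain SYN; state is created for the rest of the connection.
pass in on $ext_if proto tcp from any to $web_srv port $web_port flags S/SA keep state

# Outbound traffic the host itself needs (replies are handled by state).
pass out on $ext_if proto tcp from any to any port $tcp_out keep state
pass out on $ext_if proto udp from any to any port 53 keep state
```

Before loading, check the file for syntax errors without applying it with pfctl -nf /etc/pf.conf, then load it with pfctl -f /etc/pf.conf and confirm the translation and filter rules were installed with pfctl -s nat and pfctl -s rules. Only TCP is redirected here: the asker's rule also redirected UDP/8080, which nginx does not listen on, so forwarding it would just expose the host to unsolicited UDP.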
