Accessing my ssh server from one of my internal LANs


I have attached a picture with the logical layout of my network to better illustrate what I mean. I have 2 routers: one from my ISP, call it R1, and the second is a laptop running Ubuntu, call it R2 (it has two network cards). The network between the two routers is 192.168.1.0/29, with R1 at IP 192.168.1.1 and R2 at IP 192.168.1.2 (interface eth0). The second interface (eth1) has IP 192.168.0.1 (network 192.168.0.0/24). The DHCP range for the other computers is 192.168.0.100-110. My ssh server is on the laptop, listening on IP 192.168.0.1, port 1234. My iptables configuration is as follows:

*mangle
:PREROUTING ACCEPT [16767:7976143]
:INPUT ACCEPT [8821:5501124]
:FORWARD ACCEPT [7946:2475019]
:OUTPUT ACCEPT [7365:959690]
:POSTROUTING ACCEPT [14882:3396630]
COMMIT

*nat
:PREROUTING ACCEPT [267:20644]
:INPUT ACCEPT [5:808]
:OUTPUT ACCEPT [205:14321]
:POSTROUTING ACCEPT [94:5989]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.0.1:1234
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1651:250417]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.0.1/32 -p tcp -m tcp --dport 1234 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.1/32 -p tcp -m tcp --dport 1234 -j ACCEPT
COMMIT

If I try to access my server from outside (public IP), everything works. If I try to access my server from my LAN 192.168.0.0/24, everything works, but if I try to access my server from my LAN 192.168.1.0/29 it does not work, and I don't know what I am missing.

My sysctl.conf file

# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv4/conf/all/forwarding=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0

# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0

ip route command:

default via 192.168.1.1 dev eth0 proto static 
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1 
192.168.1.0/29 dev eth0 proto kernel scope link src 192.168.1.2 

sudo lsof -i :1234 -sTCP:LISTEN

COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    870 root    3u  IPv4  26434      0t0  TCP router:1234 (LISTEN)

I am new to networking and Linux, this is just a hobby :)

[Image: logical diagram of my network]

New iptables output

# Generated by iptables-save v1.8.4 on Sun May  3 12:14:53 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [71:7480]
:logdrop - [0:0]
-A logdrop -j LOG
-A logdrop -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun May  3 12:14:53 2020
# Generated by iptables-save v1.8.4 on Sun May  3 12:14:53 2020
*nat
:PREROUTING ACCEPT [1086:123572]
:INPUT ACCEPT [3:313]
:OUTPUT ACCEPT [103:7764]
:POSTROUTING ACCEPT [45:3406]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun May  3 12:14:53 2020
# Generated by iptables-save v1.8.4 on Sun May  3 12:14:53 2020
*mangle
:PREROUTING ACCEPT [8337:3369260]
:INPUT ACCEPT [1900:1013491]
:FORWARD ACCEPT [6432:2355533]
:OUTPUT ACCEPT [1667:164865]
:POSTROUTING ACCEPT [8160:2526231]
COMMIT
# Completed on Sun May  3 12:14:53 2020
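As an added illustration (my own code, not from the post or from any answer), here is a small Python model of how netfilter walks the filter INPUT chain from the first dump above, first match wins, then falls back to the chain policy. It models only the INPUT chain as the filter table sees a packet, i.e. after any nat PREROUTING DNAT has already rewritten the destination; the packet fields and function names are my own.

```python
import ipaddress

INPUT_RULES = [  # constructed copy of the filter INPUT chain in the post's first dump
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -d 192.168.0.1/32 -p tcp -m tcp --dport 1234 -j ACCEPT",
    "-A INPUT -i eth1 -j ACCEPT",
    "-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
]
INPUT_POLICY = "DROP"  # from ':INPUT DROP [0:0]'

MATCH_OPTS = ("-i", "-s", "-d", "-p", "--dport", "--ctstate", "-j")

def parse_rule(rule):
    """iptables-save line -> {option: value}. Unknown tokens raise, so a glued
    option such as '--dport 1234-j ACCEPT' is reported rather than ignored."""
    toks, opts, i = rule.split(), {}, 0
    while i < len(toks):
        if toks[i] in MATCH_OPTS:
            opts[toks[i]] = toks[i + 1]
        elif toks[i] not in ("-A", "-m"):   # -A chain / -m module: skip the value
            raise ValueError(f"unsupported token {toks[i]!r} in {rule!r}")
        i += 2
    return opts

def packet(iface, src, dst, dport, ctstate="NEW", proto="tcp"):
    """One packet as the filter table sees it, i.e. after any nat PREROUTING DNAT."""
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport,
            "ctstate": ctstate, "proto": proto}

def rule_matches(opts, pkt):
    """Every option present in the rule must match; absent options match anything."""
    checks = {
        "-i": lambda v: v == pkt["iface"],
        "-s": lambda v: pkt["src"] in ipaddress.ip_network(v),
        "-d": lambda v: pkt["dst"] in ipaddress.ip_network(v),
        "-p": lambda v: v == pkt["proto"],
        "--dport": lambda v: int(v) == pkt["dport"],
        "--ctstate": lambda v: pkt["ctstate"] in v.split(","),
    }
    return all(checks[o](v) for o, v in opts.items() if o != "-j")

def verdict(rules, policy, pkt):
    """Walk the chain first-match-wins; return (target, rule index) or (policy, None)."""
    for idx, rule in enumerate(rules):
        opts = parse_rule(rule)
        if rule_matches(opts, pkt):
            return opts["-j"], idx
    return policy, None
```

Feeding it a NEW connection arriving on eth0 from 192.168.1.0/29 shows that the chain accepts it only when the destination is already 192.168.0.1 (rule index 1); with destination 192.168.1.2 no rule matches and the DROP policy applies.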
