I'm stuck in a maze, trying in vain to set up rules so that my internal web server (192.168.12.10) can be reached from the Internet.
At home I have an Ubuntu 20.04 gateway (192.168.12.1) with two interfaces:
- eth1: for the outside/Internet, with a public IP, e.g. 123.123.123.123
- br0: for the internal private IPs
I also have some laptops.
With the following iptables rules everything seems to work fine. By default I cannot reach the inside from the outside.
iptables -vnL --line-number
Chain INPUT (policy DROP 373 packets, 25051 bytes)
num pkts bytes target prot opt in out source destination
1 101 9891 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 16175 3203K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
3 2517 342K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo lo 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- lo eth1 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
4 58714 11M ACCEPT all -- br0 eth1 0.0.0.0/0 0.0.0.0/0
5 60179 155M ACCEPT all -- eth1 br0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
6 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "FW FW denied: "
Chain OUTPUT (policy ACCEPT 2098 packets, 234K bytes)
num pkts bytes target prot opt in out source destination
iptables -t nat -vnL --line-number
Chain PREROUTING (policy ACCEPT 2209 packets, 192K bytes)
num pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1215 packets, 89074 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 648 packets, 59463 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 3807 290K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
My problem is that I cannot set up the right rules to reach my web server from outside.
I made two rules in the FORWARD chain and two rules in the PREROUTING chain.
iptables -vnL --line-number
Chain INPUT (policy ACCEPT 2 packets, 100 bytes)
num pkts bytes target prot opt in out source destination
1 155 14331 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 21779 4281K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
3 2953 401K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo lo 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- lo eth1 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
4 67303 12M ACCEPT all -- br0 eth1 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.12.10 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
6 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.12.10 ctstate NEW,RELATED,ESTABLISHED tcp dpt:443
7 69670 168M ACCEPT all -- eth1 br0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 1 60 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "FW FW denied: "
Chain OUTPUT (policy ACCEPT 8 packets, 1208 bytes)
num pkts bytes target prot opt in out source destination
iptables -t nat -vnL --line-number
Chain PREROUTING (policy ACCEPT 211 packets, 19200 bytes)
num pkts bytes target prot opt in out source destination
1 1 40 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.12.10:80
2 0 0 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.12.10:443
Chain INPUT (policy ACCEPT 169 packets, 9937 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 21 packets, 1677 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 12 packets, 813 bytes)
num pkts bytes target prot opt in out source destination
1 4419 338K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
The result is always the same.
For example, when I try curl -I 123.123.123.123
the request is sent to the web server inside the gateway. When it is started I get a reply; when it is stopped: curl: (7) Failed to connect to 123.123.123.123 port 80: Connection refused
My request never reaches the internal web server 192.168.12.10.
UFW is disabled and I have set net.ipv4.ip_forward=1.
Can anyone help me?
Thanks
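Added example, not part of the question or of the answer below: a complete port-forward rule set for a gateway like the one described, as a shell script. The interface names, the LAN network, the server address and the placeholder public IP 123.123.123.123 are taken from the question; the function names and the DRY_RUN switch are this example's own. Two paths that the PREROUTING rules in the second listing do not cover, because they match only -i eth1, are handled here: a test from a LAN host (the packet arrives on br0, so it is never DNATed and ends up at whatever listens on the gateway's own port 80), and a test run on the gateway itself (locally generated packets pass the nat OUTPUT chain, not PREROUTING). Also worth noticing in the second listing: INPUT and FORWARD now show policy ACCEPT, where the first listing had DROP, so with those rules the gateway is no longer denying anything by default.

```shell
#!/usr/bin/env bash
# Added example (not from the question): DNAT port forwarding on a two-interface
# Linux gateway, including the two cases the question's rules do not cover:
# hairpin (LAN client -> public IP) and locally generated traffic (curl on the gateway).
# Interface names, networks and the placeholder public IP are the question's; the
# function names and the DRY_RUN switch are this example's own conventions.
set -eu

WAN_IF="${WAN_IF:-eth1}"                      # Internet side
LAN_IF="${LAN_IF:-br0}"                       # LAN bridge
LAN_NET="${LAN_NET:-192.168.12.0/24}"
WEB="${WEB:-192.168.12.10}"                   # internal web server
PUBLIC_IP="${PUBLIC_IP:-123.123.123.123}"     # placeholder from the question; use the real eth1 address
PORTS="${PORTS:-80 443}"

# Emit one rule per line as "TABLE CHAIN ARGS" so the list can be inspected, diffed or applied.
port_forward_rules() {
  local p
  for p in $PORTS; do
    # Internet -> PUBLIC_IP:p, rewritten before routing (same as the question's DNAT rules).
    printf 'nat PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$WAN_IF" "$p" "$WEB" "$p"
    # Hairpin: a LAN host connecting to PUBLIC_IP arrives on br0, so the eth1 rule never matches it.
    printf 'nat PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$LAN_IF" "$LAN_NET" "$PUBLIC_IP" "$p" "$WEB" "$p"
    # Hairpin return path: hide the LAN client behind the gateway so the server's reply
    # comes back through the gateway (and is un-DNATed) instead of going to the client directly.
    printf 'nat POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
      "$LAN_IF" "$LAN_NET" "$WEB" "$p"
    # Traffic generated on the gateway itself (curl run on the gateway) passes nat OUTPUT, not PREROUTING.
    printf 'nat OUTPUT -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
      "$PUBLIC_IP" "$p" "$WEB" "$p"
    # Filter: accept only new connections that were DNATed to the server; replies are already
    # covered by the RELATED,ESTABLISHED rule, and br0->br0 (hairpin) is accepted by the question's rule 3.
    printf 'filter FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$WAN_IF" "$LAN_IF" "$WEB" "$p"
  done
}

# Wrapper so DRY_RUN=1 prints the exact iptables invocations instead of touching the kernel.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'iptables %s\n' "$*"
    return 0
  fi
  iptables "$@"
}

# Apply the rule list idempotently: -C tests for an identical rule, -A appends only if it is missing.
apply_rules() {
  local table chain args
  port_forward_rules | while read -r table chain args; do
    # $args is intentionally unquoted: it holds several separate iptables arguments.
    if [ "${DRY_RUN:-0}" = 1 ]; then
      ipt -t "$table" -A "$chain" $args
    else
      ipt -t "$table" -C "$chain" $args 2>/dev/null || ipt -t "$table" -A "$chain" $args
    fi
  done
}

case "${1:-}" in
  show)  port_forward_rules ;;   # list the rules without applying them
  apply) apply_rules ;;          # sudo ./portfwd.sh apply   (or DRY_RUN=1 ./portfwd.sh apply)
esac
```

Run `DRY_RUN=1 ./portfwd.sh apply` first to see the exact commands, then `sudo ./portfwd.sh apply`. To confirm a rule is actually being hit, watch the pkts column of `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` while a client outside the LAN connects; a counter that stays at 0 tells you which hop the packet never reached, which is more informative than the curl error alone.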
Answer 1
I'm no expert, but is your firewall blocking access to the required ports? Try running
firewall-cmd --list-ports
to see whether your ports 80 and 443 are open.