我有一台正在运行 sshd 的 Box 'foo'。我希望通过 Box 'bar' ssh 到这台机器。Box 'foo' 的 IP 地址为 10.0.0.100,Box 'bar' 的 IP 地址为 10.0.0.109。这两台机器的网关都是 10.0.0.10。如果我在 LAN 之外,我可以顺利 ssh 到 Box 'foo'。
我担心这与网关上运行的 iptables 有关。有人可以帮我再检查一下我的工作吗?我搞不清楚。
似乎 LAN 上的机器之间没有路由。应该提到 Box 'foo' 通过 eth1(网关)连接到网关,Box 'bar' 通过 wlan0(网关)连接。这两个接口都桥接为 'br0'。
我在盒子‘foo’上有一个防火墙,然而,为了测试它被禁用了。
编辑
我发现,通过将网关上的 iptables 上的策略从 Drop 更改为 Forward,可以再次允许连接。现在我的问题是如何插入一条规则,允许进行 LAN 连接,同时保持 Forward 的策略为 Drop?
$ cat /etc/ssh/sshd_config ## ON BOX 'foo'
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# Subsystem sftp /usr/lib/openssh/sftp-server #out 2/20/16
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Allow limited users access to server
AllowUsers foouser XXXXXXXXXX # <--- Censored
# SFTP Subsystem
Subsystem sftp internal-sftp
Match group XXXXXXXXXX # <--- Censored
ChrootDirectory /srv/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
...
# iptables -nvL ## ON gateway
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
703 52346 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2022
7 757 LOGNDROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
110 21617 ACCEPT all -- eth0 br0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
126 16289 ACCEPT all -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.100 tcp dpt:22 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
590 173K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain LOGNDROP (1 references)
pkts bytes target prot opt in out source destination
7 757 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "iptables: "
7 757 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
答案1
解决了我自己的问题,即“编辑”后我遇到的问题。
将此规则添加到 iptables 中的转发链中解决了该问题
iptables -A FORWARD -i br0 -o br0 -j ACCEPT