编辑

2024-6-6 • tag-icon

我有一台正在运行 sshd 的 Box 'foo'。我希望通过 Box 'bar' ssh 到这台机器。Box 'foo' 的 IP 地址为 10.0.0.100，Box 'bar' 的 IP 地址为 10.0.0.109。这两台机器的网关都是 10.0.0.10。如果我在 LAN 之外，我可以顺利 ssh 到 Box 'foo'。

我担心这与网关上运行的 iptables 有关。有人可以帮我再检查一下我的工作吗？我搞不清楚。

似乎 LAN 上的机器之间没有路由。应该提到 Box 'foo' 通过 eth1（网关）连接到网关，Box 'bar' 通过 wlan0（网关）连接。这两个接口都桥接为 'br0'。

我在盒子‘foo’上有一个防火墙，然而，为了测试它被禁用了。

编辑

我发现，通过将网关上的 iptables 上的策略从 Drop 更改为 Forward，可以再次允许连接。现在我的问题是如何插入一条规则，允许进行 LAN 连接，同时保持 Forward 的策略为 Drop？

$ cat /etc/ssh/sshd_config ## ON BOX 'foo'

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Subsystem sftp /usr/lib/openssh/sftp-server #out 2/20/16

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Allow limited users access to server
AllowUsers foouser XXXXXXXXXX  # <--- Censored

# SFTP Subsystem  
Subsystem sftp internal-sftp
Match group XXXXXXXXXX  #  <--- Censored
ChrootDirectory /srv/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

...

# iptables -nvL ## ON gateway

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  703 52346 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2022
    7   757 LOGNDROP   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  110 21617 ACCEPT     all  --  eth0   br0     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  126 16289 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.100            tcp dpt:22 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  590  173K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain LOGNDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   757 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "iptables: "
    7   757 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

答案1

解决了我自己的问题，即“编辑”后我遇到的问题。

将此规则添加到 iptables 中的转发链中解决了该问题

iptables -A FORWARD -i br0 -o br0 -j ACCEPT

编辑

答案1

相关内容