ubuntu iptables NAT, router and port forwarding

I want to forward the ssh port from ubuntu-fw (the firewall) to ubuntu-server1.

| Internet | --- | Router (hardware) | --- | ubuntu-fw | ---- | ubuntu-server1 |

Router (hardware): Fritz-Box

ubuntu-fw: Ubuntu 16 acting as the firewall

ubuntu-server1: Ubuntu 16 acting as the ssh server

The router (hardware) forwards the port to ubuntu-fw. But for testing purposes I have put a computer in between:

| Test PC | --- | ubuntu-fw | ---- | ubuntu-server1 |

Now I want to reach my ubuntu-server1 from the test PC through ubuntu-fw:

ssh myuser@ubuntu-server1

The network topology is as follows:

Test PC: 192.168.183.253/24

ubuntu-fw: eth0: 192.168.0.254/24 and eth2: 192.168.183.254/24

Ubuntu server: 192.168.0.16/24

My question is: how should I forward port 22 on ubuntu-fw?

I have enabled routing:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

I also created a rule that allows ubuntu-server1 to use ubuntu-fw as NAT to reach the internet. That works fine. But when I try to forward port 22 to ubuntu-server1, it fails.

To generate the iptables script I use fwbuilder.

I created a NAT rule, whose result (after compiling) is: [image of the fwbuilder NAT rule]

$IPTABLES -t nat -A PREROUTING -p tcp -m tcp   -d 192.168.183.254  --dport 22 -j DNAT --to-destination 192.168.0.16

I created a policy, whose result (after compiling) is: [image of the fwbuilder policy]

$IPTABLES -A FORWARD -i eth2  -p tcp -m tcp  -d 192.168.0.16   --dport 22  -m state --state NEW  -j ACCEPT

When I try to connect from the test PC I see:

ssh: connect to host 192.168.183.254 port 22: Connection timed out

Does anyone know what I am doing wrong?

Here is the output of iptables -v -x -n -L:

Chain INPUT (policy DROP 417 packets, 49211 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
   28201  2294981 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       1       60 In_RULE_1  tcp  --  eth0   *       192.168.0.0/24       192.168.0.254        tcp dpt:22 state NEW
       0        0 In_RULE_2  tcp  --  eth0   *       192.168.0.0/24       0.0.0.0/0            tcp multiport dports 21,80,443 state NEW
       0        0 In_RULE_5  all  --  eth2   *       0.0.0.0/0            192.168.183.254     

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    3071  2805588 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       2      104 In_RULE_2  tcp  --  eth0   *       192.168.0.0/24       0.0.0.0/0            tcp multiport dports 21,80,443 state NEW
       7      420 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            192.168.0.16         tcp dpt:22 state NEW

Chain OUTPUT (policy DROP 8 packets, 480 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
   15619 310844265 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 Out_RULE_0  tcp  --  *      eth2    192.168.183.254      0.0.0.0/0            tcp multiport dports 80,443 state NEW

Chain In_RULE_1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 1 -- ACCEPT "
       1       60 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain In_RULE_2 (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       2      104 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 2 -- ACCEPT "
       2      104 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain In_RULE_5 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 5 -- DENY "
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Out_RULE_0 (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "RULE 0 -- ACCEPT "
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

The output of sudo iptables -t nat -v -x -n -L is as follows:

Chain PREROUTING (policy ACCEPT 1049 packets, 207739 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.183.254      tcp dpt:22 to:192.168.0.16

Chain INPUT (policy ACCEPT 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 22 packets, 1308 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       2      104 SNAT       all  --  *      eth2    192.168.0.0/24       0.0.0.0/0            to:192.168.183.254

Since I still have many other policies to add, I would like to use fwbuilder for the NAT rules as well.

Here is the output of tcpdump: sudo tcpdump -n -tttt -i eth2 port 22

2017-04-21 20:07:01.745154 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84033839 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:02.745098 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034089 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:04.747111 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034590 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:08.756022 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84035592 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:16.767457 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84037596 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:32.778145 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84041600 ecr 0,nop,wscale 6], length 0
2017-04-21 20:08:04.829078 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84049616 ecr 0,nop,wscale 6], length 0

and from sudo tcpdump -n -tttt -i eth0 port 22 | grep -v 192.168.0.47 (192.168.0.47 is actually my computer, which uses ssh to 192.168.183.254 and to 192.168.183.253 through another router into this network):

2017-04-21 20:07:01.745195 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84033839 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:02.745136 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034089 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:04.747139 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034590 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:08.756068 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84035592 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:16.767486 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84037596 ecr 0,nop,wscale 6], length 0

Answer 1

I was able to solve the problem. I had made a mistake in the routing table of the target (192.168.0.16). Changing the gateway on that machine made the port forwarding work.
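Added example (not the poster's fwbuilder output and not the answerer's configuration): a POSIX shell script that emits the complete iptables rule set for this DNAT port forward and checks the server-side return path, which is the mistake the answer describes. The two tcpdump captures in the question already show the symptom of asymmetric routing: the SYN is translated and leaves eth0 towards 192.168.0.16, but no SYN-ACK ever comes back on eth0. The server received the SYN and answered through its own default gateway (the Fritz-Box) instead of through ubuntu-fw, so ubuntu-fw never sees the reply, cannot translate it back, and the client times out. The 1 hit on the DNAT rule against 7 hits on the FORWARD rule is not a second fault: the nat table only sees the first packet of a connection, and conntrack applies the same translation to the retransmitted SYNs. Interface and address values are taken from the question; the function names `fw_rules` and `return_path_ok`, the `snat` fallback mode and the `ip route get` lines fed to the checker are assumptions made for this example. The `-m conntrack --ctstate` matches replace the page's `-m state --state` form; both work on Ubuntu 16.

```shell
#!/bin/sh
# Added example for the question above; not the poster's fwbuilder output.
# Names assumed for the example: out_if/out_ip = firewall side facing the
# client (eth2 / 192.168.183.254), in_if/in_ip = firewall side facing the
# server (eth0 / 192.168.0.254), srv_ip = the ssh server (192.168.0.16).

# Print the rules for forwarding TCP port $6 arriving on $1 ($2) to $5.
# $7 = "snat" additionally rewrites the source address so the server's
# replies always come back through the firewall (see return_path_ok).
fw_rules() {
    out_if=$1; out_ip=$2; in_if=$3; in_ip=$4; srv_ip=$5; port=$6; mode=${7:-route}
    # nat/PREROUTING only sees the first packet of a connection; later
    # packets reuse the conntrack entry, so a low counter here is normal.
    # Restricting to -i $out_if keeps LAN hosts from triggering the DNAT.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
        "$out_if" "$out_ip" "$port" "$srv_ip"
    # FORWARD runs after DNAT, so it must match the translated destination.
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$out_if" "$in_if" "$srv_ip" "$port"
    printf 'iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    if [ "$mode" = snat ]; then
        # Fallback when the server's gateway cannot be changed: the server
        # then sees the firewall as the client (sshd logs lose the real IP).
        printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
            "$in_if" "$srv_ip" "$port" "$in_ip"
    fi
}

# $1 = one line of `ip route get <client-ip>` run ON THE SERVER,
# $2 = the firewall's address on the server's network.
# Exit 0 when the reply to the client is routed via the firewall; 1 when it
# is not (no "via" at all, or a different gateway): the SYN arrives, the
# SYN-ACK leaves through another router, and the client times out.
return_path_ok() {
    fw_in_ip=$2
    set -- $1           # split the route line into words
    gw=
    while [ $# -gt 0 ]; do
        if [ "$1" = via ]; then
            gw=$2
            break
        fi
        shift
    done
    [ "$gw" = "$fw_in_ip" ]
}

# Rules for the topology in the question (no SNAT; fix the server's route instead):
fw_rules eth2 192.168.183.254 eth0 192.168.0.254 192.168.0.16 22
```

To verify the answer's fix, run `ip route get 192.168.183.253` on ubuntu-server1 and pass its first line to `return_path_ok` together with 192.168.0.254; a non-zero exit means the server will not answer through ubuntu-fw, and its default route (or at least a route for 192.168.183.0/24) has to point at 192.168.0.254. Only when the server's routing cannot be changed should the `snat` mode be used: the extra POSTROUTING rule forces the replies back through the firewall, but sshd, fail2ban and any audit trail on the server then record the firewall's address instead of the real client.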
