Route FTP packets to one network interface and everything else to another

I have an Ubuntu 14.04 server with two network cards, each connected to a different router, each with its own separate internet access.

We want to redirect FTP port traffic through the second interface, em1, and all the rest through the default interface, p4p1.

I have two interfaces. I followed the instructions in the first option of this question.

In short, I created a table, marked the packets and added the ip route.

But FTP to em1's public address times out. (The router forwards tcp/udp traffic on the FTP ports to the server's em1.) Also, p4p1's public address still responds normally to FTP requests.

Is this the right way to achieve this?

Bonus: I would be happy if the first interface, p4p1, could also handle FTP requests, but the priority is that most of the traffic goes through em1.

Edit:

Until I work out the FTP ports, I tried with a high port, 30000, and netcat. I have an nc -l 30000 and I tried to connect from another computer with nc <em1 public> 30000. I have tried many mangle marks

    ~# iptables -vL -t mangle
    Chain PREROUTING (policy ACCEPT 70M packets, 21G bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1

    Chain INPUT (policy ACCEPT 70M packets, 21G bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 44M packets, 244G bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MARK       tcp  --  any    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1
        0     0 MARK       tcp  --  any    any     anywhere             anywhere             tcp dpt:30000 MARK set 0x1

    Chain POSTROUTING (policy ACCEPT 44M packets, 244G bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 CHECKSUM   udp  --  any    virbr0  anywhere             anywhere             udp dpt:bootpc CHECKSUM fill

    $# ip rule list
    0:      from all lookup local
    32764:  from all fwmark 0x1 lookup ftptable
    32765:  from all fwmark 0x1 lookup ftptable
    32766:  from all lookup main
    32767:  from all lookup default

    $# ip route show table ftptable
    default via 192.168.0.1 dev em1
    192.168.0.0/24 dev em1 proto kernel scope link src 192.168.0.2
    192.168.30.0/24 dev p4p1 proto kernel scope link src 192.168.30.240
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

When I use the private addresses of p4p1 or em1, netcat connects, probably because they are in that routing table. But if I use the router's public address it does not connect (netcat says nothing).

Also, if I make the router forward to another computer that has only one interface, connected to the em1 network, it works fine, so the router is redirecting the packets correctly.

Some packets are being matched, so what am I missing?

    $# iptables -vL
    Chain INPUT (policy ACCEPT 110K packets, 18M bytes)
     pkts bytes target            prot opt in     out     source               destination
     6665  350K fail2ban-proftpd  tcp  --  any    any     anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data
    32902 3536K fail2ban-ssh      tcp  --  any    any     anywhere             anywhere             multiport dports ssh
        0     0 ACCEPT            udp  --  virbr0 any     anywhere             anywhere             udp dpt:domain
        0     0 ACCEPT            tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:domain
        0     0 ACCEPT            udp  --  virbr0 any     anywhere             anywhere             udp dpt:bootps
        0     0 ACCEPT            tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:bootps
        2   120 LOG               tcp  --  any    any     anywhere             anywhere             tcp dpt:30000 flags:FIN,SYN,RST,ACK/SYN LOG level warning prefix "EM1 PACKET: "

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
        0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
        0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
        0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT 51159 packets, 415M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     udp  --  any    virbr0  anywhere             anywhere             udp dpt:bootpc

    Chain fail2ban-proftpd (1 references)
     pkts bytes target     prot opt in     out     source               destination
     6065  320K RETURN     all  --  any    any     anywhere             anywhere

    Chain fail2ban-ssh (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  any    any     52.166.112.31        anywhere             reject-with icmp-port-unreachable
        3   180 REJECT     all  --  any    any     77.72.85.100         anywhere             reject-with icmp-port-unreachable
    31246 3423K RETURN     all  --  any    any     anywhere             anywhere

    $# iptables -vL -t mangle
    Chain PREROUTING (policy ACCEPT 84103 packets, 11M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1

    Chain INPUT (policy ACCEPT 82011 packets, 11M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1
        0     0 MARK       tcp  --  em1    any     anywhere             anywhere             tcp dpt:30000 MARK set 0x1

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 29709 packets, 405M bytes)
     pkts bytes target     prot opt in     out     source               destination
       14   760 MARK       tcp  --  any    any     anywhere             anywhere             tcp spt:30000 MARK set 0x1
        6   336 MARK       tcp  --  any    any     anywhere             anywhere             tcp dpt:30000 MARK set 0x1

    Chain POSTROUTING (policy ACCEPT 29716 packets, 405M bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 CHECKSUM   udp  --  any    virbr0  anywhere             anywhere             udp dpt:bootpc CHECKSUM fill

Edit: output of iptables-save after adding the rules suggested in the answer. I also added debug LOG rules.

    # iptables-save
    # Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
    *security
    :INPUT ACCEPT [4040903:3466094909]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2985425:13178502885]
    COMMIT
    # Completed on Fri Sep 22 17:52:00 2017
    # Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
    *raw
    :PREROUTING ACCEPT [4235010:3593851556]
    :OUTPUT ACCEPT [3083663:13237232624]
    COMMIT
    # Completed on Fri Sep 22 17:52:00 2017
    # Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
    *nat
    :PREROUTING ACCEPT [18035:2084634]
    :INPUT ACCEPT [9322:747039]
    :OUTPUT ACCEPT [7009:591525]
    :POSTROUTING ACCEPT [7009:591525]
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    COMMIT
    # Completed on Fri Sep 22 17:52:00 2017
    # Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
    *mangle
    :PREROUTING ACCEPT [7497:609073]
    :INPUT ACCEPT [7342:587369]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [17006:47385884]
    :POSTROUTING ACCEPT [17006:47385884]
    -A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
    -A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
    -A PREROUTING -p tcp -m mark --mark 0x0 -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
    -A INPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
    -A INPUT -p tcp -m tcp --sport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
    -A INPUT -i em1 -p tcp -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
    -A OUTPUT -p tcp -m tcp --dport 30000 -j MARK --set-xmark 0x1/0xffffffff
    -A OUTPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1: "
    -A POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
    COMMIT
    # Completed on Fri Sep 22 17:52:00 2017
    # Generated by iptables-save v1.4.21 on Fri Sep 22 17:52:00 2017
    *filter
    :INPUT ACCEPT [1173459:1591522133]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [599656:3734127129]
    :fail2ban-proftpd - [0:0]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 21,20,990,989 -j fail2ban-proftpd
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 30000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "EM1 PACKET: "
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A fail2ban-proftpd -j RETURN
    -A fail2ban-ssh -s 52.166.112.31/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-ssh -s 77.72.85.100/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Fri Sep 22 17:52:00 2017

I also changed the sysctl values, as shown in other posts I have seen:

    net.ipv4.conf.default.rp_filter=2
    net.ipv4.conf.all.rp_filter=2
    net.ipv4.ip_forward=1
    sysctl -w net.ipv4.conf.em1.rp_filter=2

Update the routing table ftptable and add a gateway for your default route. Currently, once your FTP packets are switched over to using ftptable, it does not know how to get out through the public IP's gateway.

For policy routing, I usually use the following combination:

    iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

Then, specifically for FTP:

    iptables -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport 21 -j MARK --set-mark 1

If this catches too much FTP traffic rather than only incoming, it may need some variation. Related connections inherit the parent mark, so they do not need specific rules.

If it still does not work, the output of iptables-save is somewhat more precise than iptables -vL and may help with the analysis.

Another useful diagnostic tool is conntrack. You can dump the table with conntrack -L and look at the marks.
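The mark-based setup the answer describes, as an added example that is not code from the original thread. It goes one step further than the three-rule recipe above: because this server is itself the FTP endpoint, packets to a local socket never pass through POSTROUTING and the server's replies are routed after mangle OUTPUT, so the mark is additionally saved in mangle INPUT and restored in mangle OUTPUT. Interface em1, gateway 192.168.0.1, the table name ftptable (assumed to be listed in /etc/iproute2/rt_tables), port 21 and mark 1 are taken from the question; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original thread): fwmark + CONNMARK policy
# routing of one TCP service port via a second interface. Run as root;
# DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_policy_routing IFACE GATEWAY TABLE PORT MARK
# Assumed values for this page: em1 192.168.0.1 ftptable 21 1
setup_policy_routing() {
    iface=$1; gw=$2; table=$3; port=$4; mark=$5

    # Table used only by marked packets: its own default route via the
    # router on IFACE (TABLE must exist in /etc/iproute2/rt_tables).
    run ip route flush table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add fwmark "$mark" table "$table"

    # Loose reverse-path filtering, or the kernel may drop packets arriving
    # on IFACE whose source the main table would route out another interface.
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=2"
    run sysctl -w net.ipv4.conf.all.rp_filter=2

    # Incoming packets: reuse a mark stored on the connection, otherwise
    # mark the first packet of a new connection to the service port.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$iface" -p tcp --dport "$port" \
        -m mark --mark 0 -j MARK --set-mark "$mark"

    # Packets for a local socket never reach POSTROUTING, so store the mark
    # on the connection in INPUT, or the reply below finds nothing to restore.
    run iptables -t mangle -A INPUT -j CONNMARK --save-mark

    # The server's own replies are routed after mangle OUTPUT: restore the
    # stored mark here so they use TABLE and leave via IFACE.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # Forwarded or locally generated traffic: keep the mark on the
    # connection so RELATED flows such as FTP data connections inherit it.
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
}
```

Review the dry-run output first, then apply it once and verify with ip rule list, ip route show table ftptable and conntrack -L that incoming FTP connections carry mark 1.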