I already asked an initial question about setting up my Linux box as the gateway for my home network and got suggestions in that thread. I don't want to muddle the old question, so I'm starting a new one here.
Based on the earlier suggestions, I've come up with the following rules...
*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [12:860]
:POSTROUTING ACCEPT [3:228]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [3:228]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
As you can see, I do have the proper MASQUERADING rule and the correct FORWARD filtering rules. But I'm facing two problems.
Now my question is: when I ping something from a LAN client, how is it matching the INPUT chain?! Shouldn't it be in the FORWARD chain?
Chain INPUT (policy DROP 20 packets, 2314 bytes)
 pkts bytes target  prot opt in    out  source    destination
   99  9891 ACCEPT  all  --  lo    any  anywhere  anywhere
    0     0 ACCEPT  icmp --  eth0  any  anywhere  anywhere
    0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:http
    0     0 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:https
  122  9092 ACCEPT  tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh
Thanks, ankit
Update:
I've managed to fix the DNS problem. The only thing that still isn't working is forwarding.
These are my rules now:
Chain INPUT (policy DROP 1158 packets, 89867 bytes)
 pkts bytes target    prot opt in    out  source    destination
    0     0 ACCEPT    all  --  lo    any  anywhere  anywhere
   59  5448 ACCEPT    icmp --  any   any  anywhere  anywhere
  643 47995 ACCEPT    udp  --  eth0  any  anywhere  anywhere  udp spt:domain dpts:1024:65535
   54  7811 ACCEPT    tcp  --  eth0  any  anywhere  anywhere  tcp dpt:http
    0     0 ACCEPT    tcp  --  eth0  any  anywhere  anywhere  tcp dpt:https
 4168  273K ACCEPT    tcp  --  eth0  any  anywhere  anywhere  tcp dpt:ssh

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out  source    destination
    0     0 ACCEPT    icmp --  any   any  anywhere  anywhere
 1806  156K ACCEPT    tcp  --  eth1  any  anywhere  anywhere  tcp dpt:http
   91 19451 ACCEPT    tcp  --  eth1  any  anywhere  anywhere  tcp dpt:https
    0     0 ACCEPT    udp  --  any   any  anywhere  anywhere  udp spts:1024:65535 dpt:domain
10973  638K LOG_DROP  all  --  any   any  anywhere  anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out  source    destination
   80  6734 ACCEPT    icmp --  any   any  anywhere  anywhere
 6327 2445K ACCEPT    all  --  any   any  anywhere  anywhere

Chain LOG_DROP (1 references)
 pkts bytes target    prot opt in    out  source    destination
10973  638K LOG       all  --  any   any  anywhere  anywhere  LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] :'
10973  638K DROP      all  --  any   any  anywhere  anywhere
This is what I see in the messages log:
Feb 12 17:15:15 LINUX-GATEWAY kernel: [206384.605899] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15546 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11288
Feb 12 17:15:20 LINUX-GATEWAY kernel: [206389.606038] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15560 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11289
Feb 12 17:15:25 LINUX-GATEWAY kernel: [206394.607171] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15573 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11290
Feb 12 17:15:30 LINUX-GATEWAY kernel: [206399.606336] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11291
Feb 12 17:15:35 LINUX-GATEWAY kernel: [206404.620397] [IPTABLES DROP] :IN=eth1 OUT=eth0 SRC=192.168.4.100 DST=74.125.226.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=15603 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11292
So the ping packets from the LAN client are being dropped in the FORWARD chain (that is the only chain with LOG_DROP on it).
I don't know why... any ideas?
Since you're having problems, I would start with a simple configuration. Get rid of all the extraneous rules until you have a basic configuration working. That is, start with the following:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
and make sure you have the necessary sysctl set:
# sysctl -w net.ipv4.ip_forward=1
Now see if things work. If they do, slowly start making your changes. If they don't, let us know and we'll go from there.
Never mind. I figured it out. For anyone who may stumble upon this, below is my iptables setup with LOG chains for troubleshooting purposes.
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target            prot opt in    out   source    destination
  169 36504 ACCEPT            all  --  lo    any   anywhere  anywhere
  218 18804 ACCEPT            icmp --  any   any   anywhere  anywhere
 4919  365K ACCEPT            udp  --  eth0  any   anywhere  anywhere  udp spt:domain dpts:1024:65535
  196 24001 ACCEPT            tcp  --  eth0  any   anywhere  anywhere  tcp dpt:http
    0     0 ACCEPT            tcp  --  eth0  any   anywhere  anywhere  tcp dpt:https
10698  696K ACCEPT            tcp  --  eth0  any   anywhere  anywhere  tcp dpt:ssh
   53  3686 ACCEPT            tcp  --  any   any   anywhere  anywhere  tcp spt:telnet
   77  7709 LOG_DROP_INPUT    all  --  any   any   anywhere  anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target            prot opt in    out   source    destination
 1258 75480 ACCEPT            icmp --  eth1  eth0  anywhere  anywhere
23927   31M ACCEPT            all  --  eth0  eth1  anywhere  anywhere
  195 12057 ACCEPT            udp  --  eth1  any   anywhere  anywhere  udp dpt:domain
17512 1425K ACCEPT            tcp  --  eth1  any   anywhere  anywhere  tcp dpt:http
  211 40089 ACCEPT            tcp  --  eth1  any   anywhere  anywhere  tcp dpt:https
    0     0 ACCEPT            tcp  --  any   any   anywhere  anywhere  tcp dpt:telnet
   18  1860 LOG_DROP_FORWARD  all  --  any   any   anywhere  anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target            prot opt in    out   source    destination
  457 61686 ACCEPT            icmp --  any   any   anywhere  anywhere
19715 4141K ACCEPT            all  --  any   any   anywhere  anywhere

Chain LOG_DROP (0 references)
 pkts bytes target            prot opt in    out   source    destination
43246 2583K LOG               all  --  any   any   anywhere  anywhere  LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] :'
43246 2583K DROP              all  --  any   any   anywhere  anywhere

Chain LOG_DROP_FORWARD (1 references)
 pkts bytes target            prot opt in    out   source    destination
   18  1860 LOG               all  --  any   any   anywhere  anywhere  LOG level warning tcp-options ip-options prefix `[IPTABLES DROP FORWARD] : '
   18  1860 DROP              all  --  any   any   anywhere  anywhere

Chain LOG_DROP_INPUT (1 references)
 pkts bytes target            prot opt in    out   source    destination
   77  7709 LOG               all  --  any   any   anywhere  anywhere  LOG level warning tcp-options ip-options prefix `[IPTABLES DROP INPUT] : '
   77  7709 DROP              all  --  any   any   anywhere  anywhere
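Added example, written for this page and not code from any poster in the thread: a shell script that prints a stateful two-interface NAT gateway ruleset in iptables-save format, plus a small lint that reads such a ruleset and reports what the rulesets above leave out. The ruleset in the question has no FORWARD rule that accepts traffic coming back in on eth0 for eth1, so replies to LAN-initiated connections are dropped there; the final ruleset cures that with an "ACCEPT all eth0 eth1" rule, which also lets any packet that arrives on eth0 addressed to a LAN host through. Both cases are what a single conntrack ESTABLISHED,RELATED rule covers. Assumed and not stated on the page: WAN is eth0, LAN is eth1, the LAN subnet is 192.168.4.0/24 (the logged client is 192.168.4.100), and SSH to the gateway is only needed from the LAN. The function and variable names are this example's own, and the abridged copy of the question's ruleset embedded in the script is constructed lint input.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful two-interface NAT gateway
# ruleset generator plus a lint for iptables-save style rulesets.
# Assumed, not stated on the page: WAN=eth0, LAN=eth1, LAN subnet
# 192.168.4.0/24.  Nothing here touches the live firewall; review the
# output, then feed it to `iptables-restore` as root.

# Print an iptables-restore ruleset.  Usage: nat_gateway_rules WAN LAN SUBNET
nat_gateway_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only masquerade our own LAN subnet, not anything else routed out via $wan.
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP_INPUT - [0:0]
:LOG_DROP_FORWARD - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to the gateway's own traffic (DNS answers etc.) match ESTABLISHED.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG_DROP_INPUT
# Anti-spoofing: LAN source addresses must never arrive on the WAN side.
-A FORWARD -i $wan -s $net -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Lets WAN->LAN replies back in for every LAN-initiated flow; no catch-all needed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -p icmp -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -j LOG_DROP_FORWARD
-A LOG_DROP_INPUT -m limit --limit 5/min -j LOG --log-prefix "[IPTABLES DROP INPUT] : "
-A LOG_DROP_INPUT -j DROP
-A LOG_DROP_FORWARD -m limit --limit 5/min -j LOG --log-prefix "[IPTABLES DROP FORWARD] : "
-A LOG_DROP_FORWARD -j DROP
COMMIT
EOF
}

# True when the ruleset text in $1 has a line matching extended regex $2.
rules_have() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# Lint a ruleset read on stdin: one FINDING line per problem; returns 1 if
# anything was found, 0 if clean.  Written for this example, not an iptables tool.
lint_ruleset() {
    rules=$(cat); rc=0
    rules_have "$rules" '^\*nat' \
        || { echo "FINDING: no *nat table, LAN traffic is never masqueraded"; rc=1; }
    rules_have "$rules" '^-A POSTROUTING .*-j MASQUERADE' \
        || { echo "FINDING: no MASQUERADE rule in nat POSTROUTING"; rc=1; }
    rules_have "$rules" '^:FORWARD DROP' \
        || { echo "FINDING: FORWARD policy is not DROP"; rc=1; }
    rules_have "$rules" '^-A FORWARD .*(--ctstate|--state) [A-Z,]*ESTABLISHED' \
        || { echo "FINDING: FORWARD has no ESTABLISHED,RELATED rule, WAN->LAN replies are dropped"; rc=1; }
    rules_have "$rules" '^-A INPUT .*(--ctstate|--state) [A-Z,]*ESTABLISHED' \
        || { echo "FINDING: INPUT has no ESTABLISHED,RELATED rule, replies to the gateway are dropped"; rc=1; }
    rules_have "$rules" '^-A FORWARD -i [^ ]+ -o [^ ]+ -j ACCEPT$' \
        && { echo "FINDING: FORWARD accepts everything between two interfaces, use a state match"; rc=1; }
    return $rc
}

# Abridged copy of the ruleset from the question, as constructed lint input
# (the *nat header lost in the paste restored; most per-port rules trimmed).
QUESTION_RULES='*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [12:860]
:POSTROUTING ACCEPT [3:228]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [3:228]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT'

echo "== ruleset from the question =="
printf '%s\n' "$QUESTION_RULES" | lint_ruleset || echo "(not clean)"
echo "== generated ruleset =="
nat_gateway_rules eth0 eth1 192.168.4.0/24 | lint_ruleset && echo "clean"
```

Run it with `sh` to see the two lint reports; to apply the generated ruleset, review it and then run `nat_gateway_rules eth0 eth1 192.168.4.0/24 | iptables-restore` as root with net.ipv4.ip_forward=1 set as in the answer above. With the state rules in place, the INPUT `udp spt:domain` rule and the final ruleset's eth0-to-eth1 catch-all are no longer needed: DNS answers and every other response to a flow the gateway or a LAN host initiated match ESTABLISHED,RELATED, and nothing else arriving on eth0 is forwarded to the LAN.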