iptables: FORWARD a port to an internal server

I have been struggling with the FORWARD policy; it is not working the way I want it to, and I do not know what is causing the session to fail. I hope someone can help.

My goal is to forward port 3000 on eth0 to port 3389 on an internal Windows machine out eth2, so I can RDP to the Windows box. The configuration script below only works with `iptables -P FORWARD ACCEPT`, but I do not want to do that. I feel better with `iptables -P FORWARD DROP`, but that does not work for me.

This is the latest version of the script I have been using. Note that this is the whole script including all my comments, so you can check everything that happens here, but keep in mind that it is the FORWARD part I need help with.

```sh
echo "Flush firewall and setting default chain policies..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#iptables --append FORWARD -p tcp --dport 3000 -d 192.168.1.2 -j ACCEPT

echo "Enabling firewall with new ruleset..."

# allow ssh to eth0
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# allow http-https traffic
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -t raw -A OUTPUT -p icmp -j TRACE

# full loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# minimize http-https DOS attack by limiting burst connections
# may need to adjust this later once web traffic is coming in
iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 20 -j ACCEPT

# all rdp 3000 to jump box
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3000 -j LOG --log-prefix "iptables-prerouting: " --log-level 7
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3000 -j DNAT --to 192.168.1.2:3389
#iptables -A FORWARD -i eth0 -p tcp --dport 3389 -d 192.168.1.2 -j ACCEPT
#iptables -t raw -A PREROUTING -p tcp --dport 3389 -j TRACE
#iptables -t raw -A OUTPUT -p tcp --dport 3389 -j TRACE
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED -d 192.168.1.2 -p tcp --dport 3389 -j LOG --log-prefix "iptables-forward: " --log-level 7
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED -d 192.168.1.2 -p tcp --dport 3389 -j ACCEPT

# nat internal network to public interface
iptables -A POSTROUTING -o eth0 -t nat -j LOG --log-prefix "iptables-postrouting: " --log-level 7
iptables -A POSTROUTING -o eth0 -t nat -j MASQUERADE

# logging
#iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables-input: " --log-level 7
iptables -A FORWARD -j LOG --log-prefix "iptables-forward: " --log-level 7
#iptables -A OUTPUT -j LOG --log-prefix "iptables-output: " --log-level 7

# enable ipv4 forwarding for the system
echo 1 > /proc/sys/net/ipv4/ip_forward

# add route for private network internet access
ip route add 192.168.1.0/24 proto kernel scope link dev eth2

# List iptables ruleset
echo "-----------------------------------------------------------------------------"
echo "Listing iptables..."
iptables -L
echo "-----------------------------------------------------------------------------"
echo "Listing ip routes..."
ip route
```

I traced the connection, enabled logging rules, and so on, but could not determine the problem from the information that gave me. I can see the difference between the `iptables -P FORWARD` default actions, but I still have not found the needle in the haystack.

I would appreciate any pointers I can get. Thanks!

Thanks to @HaukeLaging, I have this working properly. Here is the final script.

```sh
echo "Flush firewall and setting default chain policies..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables --append INPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append OUTPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

echo "Enabling firewall with new ruleset..."

# allow ssh to eth0
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow http-https traffic
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# ----from private network
iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 443 -j ACCEPT

# allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# ----from private network
iptables -A FORWARD -i eth2 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

# full loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# minimize http-https DOS attack by limiting burst connections
# may need to adjust this later once web traffic is coming in
iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 20 -j ACCEPT

# rdp 3000 to jump box
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3000 -j DNAT --to 192.168.1.2:3389
iptables -A FORWARD -i eth0 -p tcp --dport 3389 -d 192.168.1.2 -j ACCEPT

# nat on public interface
iptables -A POSTROUTING -o eth0 -t nat -j MASQUERADE

# logging
#iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables-input: " --log-level 7
#iptables -A FORWARD -j LOG --log-prefix "iptables-forward: " --log-level 7
#iptables -A OUTPUT -j LOG --log-prefix "iptables-output: " --log-level 7

# enable ipv4 forwarding for the system
echo 1 > /proc/sys/net/ipv4/ip_forward

# add route for private > public access
ip route add 192.168.1.0/24 proto kernel scope link dev eth2

# List iptables ruleset
echo "-----------------------------------------------------------------------------"
echo "Listing iptables..."
iptables -L
echo "-----------------------------------------------------------------------------"
echo "Listing ip routes..."
ip route
```

You have to activate your commented-out rule:

```sh
iptables -A FORWARD -i eth0 -p tcp --dport 3389 -d 192.168.1.2 -j ACCEPT
```

And you have to correct this one (and the log rule above it, of course):

```sh
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED -d 192.168.1.2 -p tcp --dport 3389 -j ACCEPT
```

That is wrong. If eth0 is the output interface, then 192.168.1.2 is the source, not the destination. But why would you allow state NEW there at all? The simplest would be:

```sh
iptables -A FORWARD -t filter -m state --state ESTABLISHED,RELATED -j ACCEPT
```

That is a common rule. If you want to stay closer to your connection definition:

```sh
iptables -A FORWARD -t filter -o eth0 -m state --state ESTABLISHED -s 192.168.1.2 -p tcp --sport 3389 -j ACCEPT
```

Edit 1:

And you probably need a rule that allows all (?) connections from the other system:

```sh
iptables -A FORWARD -t filter -o eth0 -m state --state NEW -s 192.168.1.2 -j ACCEPT
```

By the way, quoting the man page:

The "state" module is an obsoleted version of "conntrack".

If you do not use the short rule that allows all established traffic, then you also need something like this:

```sh
iptables -A FORWARD -t filter -i eth0 -m conntrack --ctstate ESTABLISHED -d 192.168.1.2 -j ACCEPT
```
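The corrected forward path from the answer, condensed into a single script, as an added example that is not code from the question or the answer. It keeps the interface names, addresses and ports from the question (eth0, eth2, 192.168.1.2, 3000, 3389), and adds two things the original lacks: a dry-run mode so the rule set can be reviewed without root, and an `ALLOWED_SRC` variable (an assumption, not something the question asked for) so the forwarded RDP port can be restricted to a management network rather than the whole Internet. The comments spell out why the original `-o eth0 -d 192.168.1.2` rule could never match.

```shell
#!/bin/sh
# Added example, not code from the original post: the minimal rule set that
# forwards eth0:3000 to 192.168.1.2:3389 out eth2 while keeping "-P FORWARD DROP".
# Interface names, addresses and ports are taken from the question; adjust them
# for your host. With DRY_RUN=1 (the default) the commands are printed instead
# of executed; apply them as root with DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"              # public interface
LAN_IF="${LAN_IF:-eth2}"              # private interface towards 192.168.1.0/24
RDP_HOST="${RDP_HOST:-192.168.1.2}"
PUBLIC_PORT="${PUBLIC_PORT:-3000}"
RDP_PORT="${RDP_PORT:-3389}"
# Who may reach the forwarded RDP port. The default (anyone) mirrors the
# question; narrow it to your management network before exposing RDP publicly.
# (ALLOWED_SRC is an assumption added here, not part of the original script.)
ALLOWED_SRC="${ALLOWED_SRC:-0.0.0.0/0}"

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

rdp_forward_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP

    # One rule for every packet of a connection that was already accepted, in
    # both directions. It replaces the per-direction ESTABLISHED rules of the
    # original script and is what the answer calls "the simplest".
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNAT happens in nat/PREROUTING, before the routing decision. By the time
    # the packet reaches FORWARD its destination is already 192.168.1.2:3389
    # and its output interface is eth2, so "-o eth0 -d 192.168.1.2" can never
    # match: a packet leaving via eth0 has 192.168.1.2 as its source instead.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -s "$ALLOWED_SRC" -p tcp \
        --dport "$PUBLIC_PORT" -j DNAT --to-destination "$RDP_HOST:$RDP_PORT"

    # Only the first packet of the translated connection needs an explicit
    # ACCEPT; conntrack matches the rest through the ESTABLISHED rule above.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$ALLOWED_SRC" -p tcp \
        -d "$RDP_HOST" --dport "$RDP_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Outbound web and ping from the private network, masqueraded on eth0.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport \
        --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p icmp \
        --icmp-type echo-request -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

rdp_forward_rules
```

Run it once without arguments to read the generated commands, then `DRY_RUN=0 sh rdp-forward.sh` as root to apply them. After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show the packet counters for the DNAT rule and the `--ctstate NEW` rule climbing on the first SYN of each RDP session, with every later packet of the session accounted to the `ESTABLISHED,RELATED` rule.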