我有一个隐藏在防火墙后面的networking服务器。 我的防火墙上的DNAT规则使得来自互联网的访问者可访问。 该规则适用于来自互联网的stream量。 不幸的是,它不能工作(或只是部分)来自同一个子网的stream量与真正的目的地。 出于某种原因,netfilter不会恢复原始目标地址,因此客户端/发送者不理会应答数据包。
我究竟做错了什么?
192.168.101.0/24 # LOCAL Lan 192.168.101.16 # Client 192.168.101.18 # Server 192.168.101.254 # firewall 144.256.256.1 # firewall (Not the real IP) (Internet) | 144.256.256.1 | | | | Firewall | | | | 192.168.101.254 | | | ---------------------- | | 192.168.101.16 192.168.101.18 (Client) (Server) -t nat -A PREROUTING -d 144.256.256.1 --dport 81 -j DNAT destination 192.168.0.2 -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MASQUERADE (Should be irrelevant)
(Client) 192.168.101.16 trying to reach (Server) 144.256.256.1/81
192.168.101.16.57631 > 144.256.256.1.81: Flags [S], seq 1884612678 192.168.101.16.57631 > 192.168.101.18.81: Flags [S], seq 1884612678 192.168.101.16.57631 > 144.256.256.1.81: Flags [S], seq 1884612678 192.168.101.16.57631 > 192.168.101.18.81: Flags [S], seq 1884612678 (Seems okay. tcpdump was on -i any. Incoming packet to orginal destination 144.xx Outgoing packet to new destination. But for some reason we're not seeing the responses)
IP 192.168.101.16.57874 > 192.168.101.18.81: Flags [S], seq 4243879528, IP 192.168.101.18.81 > 192.168.101.16.57874: Flags [S.], seq 595099059, ack 4243879529, IP 192.168.101.16.57874 > 192.168.101.18.81: Flags [R], seq 4243879529, win 0, length 0 (Seems good)
IP 192.168.101.16.57874 > 144.256.256.1.81: Flags [S], seq 4243879528 IP 192.168.101.18.81 > 192.168.101.16.57874: Flags [S.], seq 595099059, ack 4243879529, (WTF packet. The source should be 144.x again. For some reason netfilter didn't restore the orignal destination address for the response packet.) IP 192.168.101.16.57874 > 192.168.101.18.81: Flags [R], seq 4243879529
您在防火墙上看不到任何响应数据包,因为没有响应数据包。 服务器不会将响应发送到防火墙,因为客户端在同一个子网中。
请求:客户端 – >防火墙 – >服务器
回复:服务器 – >客户端
因此,客户端放弃了响应,因为它不期望来自服务器的任何响应,而是来自防火墙。
尝试一些疯狂的路由魔术,或者在客户端的主机文件中为你的URL设置内部IP。 或者摆脱NAT …