iptables setup with two NICs on Ubuntu using DHCP (ISC) and DNS (Bind9): problems

I have a problem with my Linux box set up as a gateway. I don't know what I'm doing wrong here.

What I expect:

  1. Computers get services forwarded to them based on the IP addresses of their DHCP reservations.
  2. I can reach the servers from the Internet (I have DDNS).

Network architecture:

  1. Internet
  2. Router (DDNS attached)
  3. Linux box (wired, hostname "gateway") – IP 192.168.1.161 (external, on enp9s0), 192.168.99.1 (internal, on enp7s5)
  4. Switch – IP 192.168.99.100
  5. Multiple computers (wired) – IP 192.168.99.102, 192.168.99.103, 192.168.99.104, 192.168.99.105

What works:

  1. DHCP hands out the reserved IP addresses
  2. The internal computers have Internet access
  3. I can ssh into the gateway on enp9s0 from a computer on the same network (not from the Internet)
  4. DDNS forwards correctly to the router

Problems:

  1. Ports are not forwarded to the internal computers
  2. I can't reach anything from the Internet

Extra information: this is a shared network. There will be Windows and Linux machines on the same network.

iptables:

    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    # enp9s0 is WAN interface, enp7s5 is LAN interface
    -A POSTROUTING -o enp9s0 -j MASQUERADE
    # NAT pinhole: HTTP from WAN to LAN
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 80 -j DNAT --to-destination 192.168.99.100:80
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 8086 -j DNAT --to-destination 192.168.99.102:8$
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 7990 -j DNAT --to-destination 192.168.99.103:7$
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 8080 -j DNAT --to-destination 192.168.99.104:8$
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 8090 -j DNAT --to-destination 192.168.99.104:8$
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 8085 -j DNAT --to-destination 192.168.99.105:8$
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 9002 -j DNAT --to-destination 192.168.99.102:22
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 9003 -j DNAT --to-destination 192.168.99.103:22
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 9014 -j DNAT --to-destination 192.168.99.104:9$
    -A PREROUTING -p tcp -m tcp -i enp9s0 --dport 9005 -j DNAT --to-destination 192.168.99.105:22
    COMMIT

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # Service rules
    # basic global accept rules - ICMP, loopback, traceroute, established all accepted
    -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # enable traceroute rejections to get sent out
    #-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
    # DNS - accept from LAN
    -A INPUT -i enp7s5 -p tcp --dport 53 -j ACCEPT
    -A INPUT -i enp7s5 -p udp --dport 53 -j ACCEPT
    # SSH - accept from LAN
    -A INPUT -i enp7s5 -p tcp --dport 9001 -j ACCEPT
    #SSH - accept from wan
    -A INPUT -i enp9s0 -p tcp --dport 9001 -j ACCEPT
    # DHCP client requests - accept from LAN
    -A INPUT -i enp7s5 -p udp --dport 67:68 -j ACCEPT
    # drop all other inbound traffic
    -A INPUT -j DROP
    # Forwarding rules
    # forward packets along established/related connections
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # forward from LAN (p1p1) to WAN (p4p1)
    -A FORWARD -i enp7s5 -o enp9s0 -j ACCEPT
    # allow traffic from our NAT pinhole
    -A FORWARD -p tcp -d 192.168.99.100 --dport 80 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.102 --dport 7990 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.103 --dport 8085 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.104 --dport 8080 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.104 --dport 8090 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.105 --dport 8090 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.102 --dport 22 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.103 --dport 22 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.104 --dport 9014 -j ACCEPT
    -A FORWARD -p tcp -d 192.168.99.105 --dport 22 -j ACCEPT
    # drop all other forwarded traffic
    -A FORWARD -j DROP
    COMMIT

DHCP server:

    #
    # Sample configuration file for ISC dhcpd for Debian
    #
    # Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
    # configuration file instead of this file.
    #
    #

    # The ddns-updates-style parameter controls whether or not the server will
    # attempt to do a DNS update when a lease is confirmed. We default to the
    # behavior of the version 2 packages ('none', since DHCP v2 didn't
    # have support for DDNS.)
    ddns-update-style none;

    # option definitions common to all supported networks...
    option domain-name "example.org";
    option domain-name-servers ns1.example.org, ns2.example.org;

    default-lease-time 600;
    max-lease-time 7200;

    # If this DHCP server is the official DHCP server for the local
    # network, the authoritative directive should be uncommented.
    authoritative;

    # Use this to send dhcp log messages to a different log file (you also
    # have to hack syslog.conf to complete the redirection).
    log-facility local7;

    subnet 192.168.99.0 netmask 255.255.255.0 {
        range 192.168.99.100 192.168.99.199;
        option routers 192.168.99.1;
        option domain-name-servers 192.168.99.1;
        option broadcast-address 192.168.99.255;

        host Bitbucket {
            hardware ethernet 00:0f:fe:f6:34:ea;
            fixed-address 192.168.99.103;
        }
        host LaptopMSI {
            hardware ethernet 44:8a:5b:ef:e9:0f;
            fixed-address 192.168.99.102;
        }
        host SkullCanyon {
            hardware ethernet 00:1f:c6:9b:e2:20;
            fixed-address 192.168.99.105;
        }
        host ConfluenceJira {
            hardware ethernet fc:aa:14:65:31:e2;
            fixed-address 192.168.99.104;
        }
    }

Interfaces:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    source /etc/network/interfaces.d/*

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto enp9s0
    iface enp9s0 inet static
        address 192.168.1.161
        netmask 255.255.255.0

    # This is an autoconfigured IPv6 interface
    iface enp9s0 inet6 auto

    auto enp7s5
    iface enp7s5 inet static
        address 192.168.99.1
        netmask 255.255.255.0

Thank you all for your help!
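A DNAT pinhole in the nat table only works if the filter table's FORWARD chain also accepts the rewritten packet; otherwise it hits the final `-A FORWARD -j DROP`. In the ruleset above several FORWARD rules do not line up with their DNAT rules (for example DNAT sends WAN port 7990 to 192.168.99.103, but the FORWARD accept for .103 is port 8085). The following script is an added example, not code from the question or the answer: it parses iptables-save output and reports DNAT targets with no matching FORWARD ACCEPT and FORWARD ACCEPTs that no DNAT rule feeds. The sample ruleset is a constructed excerpt modelled on the question; a port ending in "$" reproduces the terminal truncation visible in the post and is matched on its visible prefix.

```python
import re

# Constructed excerpt in iptables-save format, modelled on the question's rules.
# A port ending in "$" reproduces the terminal truncation visible in the post.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -m tcp -i enp9s0 --dport 80 -j DNAT --to-destination 192.168.99.100:80
-A PREROUTING -p tcp -m tcp -i enp9s0 --dport 7990 -j DNAT --to-destination 192.168.99.103:7$
-A PREROUTING -p tcp -m tcp -i enp9s0 --dport 9002 -j DNAT --to-destination 192.168.99.102:22
-A PREROUTING -p tcp -m tcp -i enp9s0 --dport 8085 -j DNAT --to-destination 192.168.99.105:8085
COMMIT
*filter
-A FORWARD -p tcp -d 192.168.99.100 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 192.168.99.102 --dport 7990 -j ACCEPT
-A FORWARD -p tcp -d 192.168.99.102 --dport 22 -j ACCEPT
-A FORWARD -p tcp -d 192.168.99.103 --dport 8085 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
DNAT_RE = re.compile(r"^-A PREROUTING .*--dport (\S+) -j DNAT --to-destination ([\d.]+):(\S+)$")
FWD_RE = re.compile(r"^-A FORWARD .*-d ([\d.]+) --dport (\S+) -j ACCEPT$")

def parse_rules(text):
    """dnat: WAN port -> (lan_ip, lan_port); forward: set of accepted (lan_ip, lan_port)."""
    dnat, forward = {}, set()
    for line in text.splitlines():
        if m := DNAT_RE.match(line):
            dnat[m.group(1)] = (m.group(2), m.group(3))
        elif m := FWD_RE.match(line):
            forward.add((m.group(1), m.group(2)))
    return dnat, forward

def target_matches(fwd, ip, lan_port):
    """A truncated port such as "7$" is matched on its visible prefix, else exactly."""
    if lan_port.endswith("$"):
        return fwd[0] == ip and fwd[1].startswith(lan_port[:-1])
    return fwd == (ip, lan_port)

def audit(text):
    """Return (missing, dead): DNAT pinholes whose target has no FORWARD ACCEPT
    (the packet hits the final DROP), and FORWARD ACCEPTs no DNAT rule feeds."""
    dnat, forward = parse_rules(text)
    missing, matched = {}, set()
    for wan_port, (ip, lan_port) in dnat.items():
        hits = {f for f in forward if target_matches(f, ip, lan_port)}
        if hits:
            matched |= hits
        else:
            missing[wan_port] = (ip, lan_port)
    return missing, sorted(forward - matched)
```

Run `audit(open("/tmp/rules.txt").read())` on real `iptables-save` output to check a live box; every entry in `missing` is a pinhole that will be dropped even once the upstream router forwards the port.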

I believe the problem is that you are trying to access services from a computer behind a second NAT.

First, your server sits in the existing NAT pool behind your router, which itself is not a routable address (192.168.99.x).

Your router/modem should be configured as a bridge, your server's external IP should be the IP your ISP gives you, and then you can have the server NAT the internal computers. In other words, your Linux server becomes a router without any mistakes. Many third-party router firmwares are Linux; in fact I had a similar setup when I was learning about Linux in college. My router was a Linux server :D

Since you are already on the road to using Linux as a "router", I'd suggest using Webmin's CP for easier configuration. http://www.webmin.com/download.html