Mam problemy z przekierowaniem portu. Wygląda na to, że NAT działa poprawnie, a jeden z portów przekazywania dalej działa (udp port 7887 na maszynę 192.168.1.100). Ale nie inni.
Wątpię, czy to ma znaczenie, ale eth1 i eth2 znajdują się na podwójnej karcie sieciowej.
Dostęp do Internetu WAN jest zapewniany przez dhcp, więc rozwiązanie powinno być niezależne od WAN_IP, jeśli to możliwe.
/opt/firewall.sh
#!/bin/sh
WAN="eth1"
LAN="eth2"
#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Allow ICMP echo reply/destination unreachable/time exceeded.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT
# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT
# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT
# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
pkts bytes target prot opt in out source destination
5 232 DNAT tcp -- eth1 any anywhere anywhere multiport dports ssh to:192.168.1.250
1 60 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:www to:192.168.1.99:80
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 9001,9030 to:192.168.1.250
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 7887 to:192.168.1.100
12166 4042K DNAT udp -- eth1 any anywhere anywhere multiport dports 7887 to:192.168.1.100
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 8887 to:192.168.1.250
0 0 DNAT udp -- eth1 any anywhere anywhere multiport dports 8887 to:192.168.1.250
Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
pkts bytes target prot opt in out source destination
637K 46M MASQUERADE all -- any eth1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
pkts bytes target prot opt in out source destination
iptables -L -v
Chain INPUT (policy DROP 9336 packets, 846K bytes)
pkts bytes target prot opt in out source destination
1 76 ACCEPT all -- lo any anywhere anywhere
467 55711 ACCEPT all -- eth2 any anywhere anywhere
64 5598 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
18 1796 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
60586 29M ACCEPT all -- any eth2 anywhere anywhere state RELATED,ESTABLISHED
70888 126M ACCEPT all -- eth2 eth1 anywhere anywhere
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports ssh
0 0 ACCEPT tcp -- any any anywhere 192.168.1.99 tcp dpt:www state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 9001,9030
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.100 multiport dports 7887
646 310K ACCEPT udp -- eth1 eth2 anywhere 192.168.1.100 multiport dports 7887
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 8887
0 0 ACCEPT udp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 8887
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
157 13421 ACCEPT all -- any lo anywhere anywhere
76 9678 ACCEPT all -- any eth1 anywhere anywhere
159 26706 ACCEPT all -- any eth2 anywhere anywhere
Testowanie dostępu:
me@external-host $ ssh WAN_IP
ssh: connect to host WAN_IP port 22: Connection timed out
me@external-host $ wget WAN_IP
--2012-05-06 15:46:50-- http://WAN_IP/
Connecting to |WAN_IP|:80... failed: Connection timed out.
Uzyskaj dostęp do dzienników testowania:
May 8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
FORWARD
łańcucha ( iptables -A FORWARD -j LOG
), aby sprawdzić, czy jest on upuszczany, czy nie.
iptables -I INPUT 1 -i $LAN -j LOG
debugowanie problemu