Tengo una red pequeña.
Dispone de un firewall conectado a internet (WAN) con IP real y nombre DNS que también actúa como servidor DHCP para la red interna (LAN). En la máquina del firewall configuré el reenvío de puertos para el servidor del sitio ubicado en la LAN. Aquí está mi nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
define lan = eth0
define wan = eth1
define lan_addresses = 192.168.100.0/24
define server_address = 192.168.100.2
define server_http_port = 80
define server_https_port = 443
table firewall {
map hosts {
type ipv4_addr . ether_addr : verdict
elements = {
192.168.100.2 . 30:01:ED:BD:6B:CB : accept , # SERVER
192.168.100.3 . 30:01:ED:BD:6B:C1 : accept , # CLIENT
}
}
set remote_allowed {
type ipv4_addr
elements = { 91.198.174.192 , 209.51.188.148 }
}
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# server
iifname $wan ip protocol tcp tcp dport $server_http_port log prefix "Server HTTP Prerouted " dnat $server_address:$server_http_port
iifname $wan ip protocol tcp tcp dport $server_https_port log prefix "Server HTTPS Prerouted " dnat $server_address:$server_https_port
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
ip saddr $lan_addresses oifname $wan masquerade
# server
iifname $wan ip protocol tcp ip saddr $server_address tcp sport $server_http_port log prefix "Server HTTP Postrouted " masquerade
iifname $wan ip protocol tcp ip saddr $server_address tcp sport $server_https_port log prefix "Server HTTPS Postrouted " masquerade
}
chain input {
type filter hook input priority 0; policy drop;
# drop invalid, allow established
ct state vmap {invalid : drop, established : accept, related : accept}
# allow loopback
iifname "lo" accept
# allow ping from LAN
iifname $lan ip saddr $lan_addresses ip protocol icmp icmp type echo-request accept
# allow SSH from LAN
iifname != $wan ip protocol tcp tcp dport 22 accept
# allow SSH from allowed remotes
iifname $wan ip protocol tcp ip saddr @remote_allowed tcp dport 22 accept
# open SQUID, DHCP port for lan
iifname $lan ip protocol tcp ip saddr $lan_addresses tcp dport {3128, 67} accept
# LAN nice reject
iifname != $wan ip saddr $lan_addresses reject with icmp type host-prohibited
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established,related} accept
# server
iifname $wan ip protocol tcp ip daddr $server_address tcp dport $server_http_port log prefix "Server HTTP Forwarded To " accept
iifname $lan ip protocol tcp ip saddr $server_address tcp sport $server_http_port log prefix "Server HTTP Forwarded From " accept
iifname $wan ip protocol tcp ip daddr $server_address tcp dport $server_https_port log prefix "Server HTTPS Forwarded To " accept
iifname $lan ip protocol tcp ip saddr $server_address tcp sport $server_https_port log prefix "Server HTTPS Forwarded From " accept
# only allow selected machines to access internet
iifname $lan oifname $wan ip saddr . ether saddr vmap @hosts
iifname $lan oifname $wan reject
}
chain output {
type filter hook output priority 0; policy accept;
}
}
Esta configuración funciona bien siempre y cuando no intente acceder a mi servidor desde LAN, en cuyo caso aparece
No route to hostel error:
> ping 192.168.100.1 # OK
> ping example.com # OK
> curl http://192.168.100.2 # OK
> curl http://192.168.100.1 # `No route to host`
> curl http://93.184.216.34 # `No route to host`
> curl http://example.com # `No route to host`
¿Cómo puedo modificar la configuración de Netfilter para poder acceder a mi servidor LAN utilizando la IP o el nombre DNS del firewall?
PD: necesito esto para poder configurar correctamenteconocer a jitsi grabación de conferencia a través dejigasi, que utiliza la URL del sitio para conectarse a la conferencia.
PPS Esta configuración permite acceso ilimitado a Internet solo para los clientes especificados.
Respuesta1
Pude superar este problema sin tocar la configuración del firewall. Agregué una entrada con la dirección del servidor local y el nombre DNS al /etc/hostsarchivo de clientes:
192.168.100.3 example.com
Creo que también podría transmitirse mediante el servidor DHCP.