我已經安裝並配置了 Shorewall 和兩個 ISP。我想為客戶端提供 Internet 訪問,並為伺服器連接和 NAT 提供其他連接。
我可以從客戶端區域和 DMZ 區域進行導航,但無法使用 LAN 以外的伺服器的服務。我嗅探了兩個網站(LAN 和 LAN 外)中的封包,我看到 DMZ 中的伺服器接收 NAT 封包並應答它們,但這些封包似乎沒有返回到外部用戶端。
誰能幫我?這些是我的安裝的設定檔:
> cat interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians
net eth1 detect dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians
loc eth2 detect dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians
dmz eth3 detect dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians
> cat zones
#ZONE TYPE OPTIONS IN OUT OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
> cat providers
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ADSL2 2 0x2 main eth1 8x.xx.1x7.1 track,balance eth2,eth3
ADSL1 1 0x1 main eth0 8y.yy.2y1.2 track,balance eth2,eth3
> cat mask
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 8y.yy.2y1.yy6 8x.xx.1x7.xx2
eth0 eth2 8y.yy.2y1.yy6
eth0 eth3 8y.yy.2y1.yy6
eth1 8x.xx.1x7.xx2 8y.yy.2y1.yy6
eth1 eth2 8x.xx.1x7.xx2
eth1 eth3 8x.xx.1x7.xx2
> cat rules
DROP:info net:192.168.0.0/24 all
DROP:info net:192.168.4.0/22 all
DNS(ACCEPT) $FW net:eth0
DNS(ACCEPT) dmz net:eth0
HTTP(ACCEPT) dmz net:eth0
HTTPS(ACCEPT) dmz net:eth0
ACCEPT net:eth0 dmz
DNAT net:eth0 dmz:192.168.0.252 tcp 80
Ping(DROP) net:eth1 $FW
Ping(DROP) net:eth0 $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net:eth0
Ping(ACCEPT) dmz $FW
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
SSH(ACCEPT) dmz $FW
> cat tcrules
#MARK SOURCE DEST PROTO DEST_PORT(S)
1:P 192.168.0.0/24 -
2:P 192.168.4.0/22 -
1 $FW
答案1
我看到的第一個錯誤應該cat mask是cat masq。
如果您有masq名為 的文件mask,它將使用 masq 的預設配置。