我有一個小網路。
它有一個連接到網際網路 (WAN) 的防火牆,具有真實的 IP 和 DNS 名稱,也充當內部網路 (LAN) 的 DHCP 伺服器。在防火牆電腦上,我為位於 LAN 中的網站伺服器設定了連接埠轉送。這是我的nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
define lan = eth0
define wan = eth1
define lan_addresses = 192.168.100.0/24
define server_address = 192.168.100.2
define server_http_port = 80
define server_https_port = 443
table firewall {
map hosts {
type ipv4_addr . ether_addr : verdict
elements = {
192.168.100.2 . 30:01:ED:BD:6B:CB : accept , # SERVER
192.168.100.3 . 30:01:ED:BD:6B:C1 : accept , # CLIENT
}
}
set remote_allowed {
type ipv4_addr
elements = { 91.198.174.192 , 209.51.188.148 }
}
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# server
iifname $wan ip protocol tcp tcp dport $server_http_port log prefix "Server HTTP Prerouted " dnat $server_address:$server_http_port
iifname $wan ip protocol tcp tcp dport $server_https_port log prefix "Server HTTPS Prerouted " dnat $server_address:$server_https_port
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
ip saddr $lan_addresses oifname $wan masquerade
# server
iifname $wan ip protocol tcp ip saddr $server_address tcp sport $server_http_port log prefix "Server HTTP Postrouted " masquerade
iifname $wan ip protocol tcp ip saddr $server_address tcp sport $server_https_port log prefix "Server HTTPS Postrouted " masquerade
}
chain input {
type filter hook input priority 0; policy drop;
# drop invalid, allow established
ct state vmap {invalid : drop, established : accept, related : accept}
# allow loopback
iifname "lo" accept
# allow ping from LAN
iifname $lan ip saddr $lan_addresses ip protocol icmp icmp type echo-request accept
# allow SSH from LAN
iifname != $wan ip protocol tcp tcp dport 22 accept
# allow SSH from allowed remotes
iifname $wan ip protocol tcp ip saddr @remote_allowed tcp dport 22 accept
# open SQUID, DHCP port for lan
iifname $lan ip protocol tcp ip saddr $lan_addresses tcp dport {3128, 67} accept
# LAN nice reject
iifname != $wan ip saddr $lan_addresses reject with icmp type host-prohibited
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established,related} accept
# server
iifname $wan ip protocol tcp ip daddr $server_address tcp dport $server_http_port log prefix "Server HTTP Forwarded To " accept
iifname $lan ip protocol tcp ip saddr $server_address tcp sport $server_http_port log prefix "Server HTTP Forwarded From " accept
iifname $wan ip protocol tcp ip daddr $server_address tcp dport $server_https_port log prefix "Server HTTPS Forwarded To " accept
iifname $lan ip protocol tcp ip saddr $server_address tcp sport $server_https_port log prefix "Server HTTPS Forwarded From " accept
# only allow selected machines to access internet
iifname $lan oifname $wan ip saddr . ether saddr vmap @hosts
iifname $lan oifname $wan reject
}
chain output {
type filter hook output priority 0; policy accept;
}
}
只要我不嘗試從 LAN 存取我的伺服器,此設定就可以正常工作,在這種情況下我會收到
No route to host錯誤訊息:
> ping 192.168.100.1 # OK
> ping example.com # OK
> curl http://192.168.100.2 # OK
> curl http://192.168.100.1 # `No route to host`
> curl http://93.184.216.34 # `No route to host`
> curl http://example.com # `No route to host`
如何修改 netfilter 設定以便可以使用防火牆 IP 或 DNS 名稱存取 LAN 伺服器?
PS我需要這個以便我可以正確配置吉茲見面 會議錄音通過吉加西,它使用網站 URL 連接到會議。
PPS 此配置僅允許指定用戶端無限制地存取網際網路。
答案1
我能夠在不接觸防火牆配置的情況下克服這個問題。我已將包含本機伺服器位址和 DNS 名稱的項目新增至用戶端/etc/hosts檔案:
192.168.100.3 example.com
我認為它也可以由 DHCP 伺服器廣播。