iptables does not forward; INPUT is applied instead


I have set up iptables on my headless Ubuntu server:

iptables -S

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 10.1.3.90/32 -i eth0 -j LOG --log-prefix "INPUT: "
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A FORWARD -s 10.1.3.90/32 -i eth0 -j LOG --log-prefix "FORWARD: "
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -j ACCEPT

iptables -S -t nat

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -s 10.1.3.90/32 -j LOG --log-prefix "ROUTE: "
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 11108 -j DNAT --to-destination 169.254.1.2:11108
-A PREROUTING -i eth0 -p udp -m udp --dport 11108 -j DNAT --to-destination 169.254.1.2:11108
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5555 -j DNAT --to-destination 169.254.1.2:5555
-A PREROUTING -i eth0 -j DNAT --to-destination 169.254.2.2
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 169.254.1.2/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 169.254.2.2/32 -o eth0 -j MASQUERADE

When I send a UDP packet to port 11108, it should be routed over ppp0 to 169.254.1.2:11108 and the FORWARD rules should apply. Instead, the INPUT rules are applied and the packet is not routed.

This is the log from the kernel. No forwarding:

Jun 20 10:58:51 ubuntu kernel: [  337.871043] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=22127 PROTO=UDP SPT=11108 DPT=11108 LEN=32 
Jun 20 10:58:53 ubuntu kernel: [  339.865420] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=22484 PROTO=UDP SPT=11108 DPT=11108 LEN=48 
Jun 20 10:58:55 ubuntu kernel: [  341.864446] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=22818 PROTO=UDP SPT=11108 DPT=11108 LEN=48 
Jun 20 10:58:57 ubuntu kernel: [  343.707469] ROUTE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=23133 PROTO=UDP SPT=138 DPT=138 LEN=209 
Jun 20 10:58:57 ubuntu kernel: [  343.863994] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23266 PROTO=UDP SPT=11108 DPT=11108 LEN=48 
Jun 20 10:58:59 ubuntu kernel: [  345.877465] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=23684 PROTO=UDP SPT=11108 DPT=11108 LEN=32 
Jun 20 10:58:59 ubuntu kernel: [  345.879215] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=23707 PROTO=UDP SPT=11108 DPT=11108 LEN=48 
Jun 20 10:59:00 ubuntu kernel: [  346.010347] ROUTE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23798 PROTO=UDP SPT=137 DPT=137 LEN=58 
Jun 20 10:59:00 ubuntu kernel: [  346.759893] ROUTE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23811 PROTO=UDP SPT=137 DPT=137 LEN=58 
Jun 20 10:59:01 ubuntu kernel: [  347.509887] ROUTE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23944 PROTO=UDP SPT=137 DPT=137 LEN=58 
Jun 20 10:59:01 ubuntu kernel: [  347.878185] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=24086 PROTO=UDP SPT=11108 DPT=11108 LEN=48 
Jun 20 10:59:01 ubuntu kernel: [  347.881900] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=24109 PROTO=UDP SPT=11108 DPT=11108 LEN=32 

Answer 1

Reduce your ruleset to the bare minimum and start testing from there. There are some redundant rules that may be conflicting. I would start with the following:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -i eth0 -p udp -m udp --dport 11108 -j DNAT --to-destination 169.254.1.2:11108

I would also use watch to see which chains/rules the packets are hitting:

watch -n1 iptables -vnL
watch -n1 iptables -vnL -t nat

APIPA addresses are not necessarily the best choice for clients to use, but that should not affect receiving the packets.
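As an added example (not part of the question or the answer above): a small Python script that reads kernel LOG lines in the format quoted in the question and reports, for each packet to the forwarded port, which chain logged it and whether the nat PREROUTING DNAT had already rewritten DST. The sample lines are constructed in that format; the third line shows what a successfully forwarded packet would look like, which is not in the poster's log.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the question's kernel LOG lines (not the poster's full log).
SAMPLE_LOG = """\
Jun 20 10:58:51 ubuntu kernel: [  337.871043] INPUT: IN=eth0 OUT= MAC=00:1c:42:02:04:dd:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.117 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=22127 PROTO=UDP SPT=11108 DPT=11108 LEN=32
Jun 20 10:58:57 ubuntu kernel: [  343.707469] ROUTE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1c:42:d7:b0:24:08:00 SRC=10.1.3.90 DST=10.1.3.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=23133 PROTO=UDP SPT=138 DPT=138 LEN=209
Jun 20 10:59:05 ubuntu kernel: [  351.000000] FORWARD: IN=eth0 OUT=ppp0 SRC=10.1.3.90 DST=169.254.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24200 PROTO=UDP SPT=11108 DPT=11108 LEN=32
"""

# The --log-prefix text follows the "[ uptime]" stamp; everything after it is KEY=VALUE tokens.
LINE_RE = re.compile(r"\]\s+(?P<prefix>[A-Z]+):\s+(?P<fields>.*)$")

def parse_log_line(line: str) -> Dict[str, str]:
    """Return the LOG prefix plus the KEY=VALUE fields of one iptables LOG line ({} if not one)."""
    m = LINE_RE.search(line)
    if not m:
        return {}
    rec = {"PREFIX": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # first LEN is the IP total length; the later UDP LEN is ignored
    return rec

def diagnose(log_text: str, dport: str, dnat_target: str) -> List[str]:
    """For each logged packet to `dport`, say which chain saw it and whether DST was already DNATed.

    filter INPUT/FORWARD run after nat PREROUTING and the routing decision, so a LOG rule there
    prints the post-DNAT destination: a packet reaching INPUT with the router's own address was
    never rewritten, while only a rewritten packet can be routed out and hit FORWARD.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("DPT") != dport:
            continue
        flow = f"{rec['SRC']}->{rec['DST']}:{dport} via {rec['PREFIX']}"
        if rec["PREFIX"] == "INPUT" and rec["DST"] != dnat_target:
            findings.append(f"{flow}: DNAT not applied, delivered locally")
        elif rec["PREFIX"] == "FORWARD" and rec["DST"] == dnat_target:
            findings.append(f"{flow}: DNAT applied, forwarded out {rec.get('OUT')}")
        else:
            findings.append(f"{flow}: pre-DNAT view (nat PREROUTING) or unexpected chain")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "11108", "169.254.1.2"):
        print(finding)
```

Run it against the real log with `journalctl -k` or `dmesg` piped into `diagnose`; a port-11108 packet logged by INPUT with DST still set to the server's own eth0 address confirms that the PREROUTING DNAT rule was not applied to it.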
