J'ai des problèmes avec mon port vers l'avant. NAT semble fonctionner correctement et un des ports en avant semble fonctionner (port udp 7887 vers la machine 192.168.1.100). Mais pas les autres.
Je doute que cela soit important, mais eth1 et eth2 sont situés sur une carte réseau double port.
L'accès Internet WAN est fourni avec DHCP, donc une solution doit être indépendante de WAN_IP si possible.
/opt/firewall.sh
#!/bin/sh
WAN="eth1"
LAN="eth2"
#ifconfig $LAN up
#ifconfig $LAN 192.168.1.1 netmask 255.255.255.0
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $WAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Allow ICMP echo reply/destination unreachable/time exceeded.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# SSH
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT
# WWW
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT
# TOR
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT
# I2P
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
pkts bytes target prot opt in out source destination
5 232 DNAT tcp -- eth1 any anywhere anywhere multiport dports ssh to:192.168.1.250
1 60 DNAT tcp -- eth1 any anywhere anywhere tcp dpt:www to:192.168.1.99:80
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 9001,9030 to:192.168.1.250
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 7887 to:192.168.1.100
12166 4042K DNAT udp -- eth1 any anywhere anywhere multiport dports 7887 to:192.168.1.100
0 0 DNAT tcp -- eth1 any anywhere anywhere multiport dports 8887 to:192.168.1.250
0 0 DNAT udp -- eth1 any anywhere anywhere multiport dports 8887 to:192.168.1.250
Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
pkts bytes target prot opt in out source destination
637K 46M MASQUERADE all -- any eth1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
pkts bytes target prot opt in out source destination
iptables -L -v
Chain INPUT (policy DROP 9336 packets, 846K bytes)
pkts bytes target prot opt in out source destination
1 76 ACCEPT all -- lo any anywhere anywhere
467 55711 ACCEPT all -- eth2 any anywhere anywhere
64 5598 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
18 1796 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
60586 29M ACCEPT all -- any eth2 anywhere anywhere state RELATED,ESTABLISHED
70888 126M ACCEPT all -- eth2 eth1 anywhere anywhere
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports ssh
0 0 ACCEPT tcp -- any any anywhere 192.168.1.99 tcp dpt:www state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 9001,9030
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.100 multiport dports 7887
646 310K ACCEPT udp -- eth1 eth2 anywhere 192.168.1.100 multiport dports 7887
0 0 ACCEPT tcp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 8887
0 0 ACCEPT udp -- eth1 eth2 anywhere 192.168.1.250 multiport dports 8887
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
157 13421 ACCEPT all -- any lo anywhere anywhere
76 9678 ACCEPT all -- any eth1 anywhere anywhere
159 26706 ACCEPT all -- any eth2 anywhere anywhere
Test d'accès:
me@external-host $ ssh WAN_IP
ssh: connect to host WAN_IP port 22: Connection timed out
me@external-host $ wget WAN_IP
--2012-05-06 15:46:50-- http://WAN_IP/
Connecting to |WAN_IP|:80... failed: Connection timed out.
Accéder aux journaux de test:
May 8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
iptables
nat
port-forwarding
Robert Foss
la source
la source
iptables -I INPUT 1 -i $LAN -j LOG
pour déboguer votre problèmeFORWARD
chaîne (iptables -A FORWARD -j LOG
) pour voir si elle est supprimée ou non.Réponses:
Il s'avère qu'une machine interne était en panne et que mon WAN_IP avait changé (en raison de DHCP).
Pendant mon dépannage, j'ai un peu renforcé le script et il est maintenant entièrement fonctionnel sans être trop sophistiqué. N'hésitez pas à en saisir une copie!
/opt/firewall.sh
la source