I want to forward the ssh port from ubuntu-fw (firewall) to ubuntu-server1.
| Internet | --- | Router (hardware) | --- | ubuntu-fw | ---- | ubuntu-server1 |
Router (hardware): Fritz-Box
ubuntu-fw: Ubuntu 16 used as a firewall
ubuntu-server1: Ubuntu 16 used as an ssh server
The router (hardware) forwards the port to ubuntu-fw. For testing purposes, however, I placed a computer between the two machines:
| test-pc | --- | ubuntu-fw | ---- | ubuntu-server1 |
Now I want to reach my ubuntu-server1 from test-pc via ubuntu-fw:
ssh myuser@ubuntu-server1
The network topology is as follows:
test-pc: 192.168.183.253/24
ubuntu-fw: eth0: 192.168.0.254/24 and eth2: 192.168.183.254/24
ubuntu-server1: 192.168.0.16/24
My question is: how do I forward port 22 on ubuntu-fw?
I have enabled routing:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
I also created a rule that allows ubuntu-server1 to connect to the Internet using ubuntu-fw as NAT. That works fine. But when I want to forward port 22 to ubuntu-server1, I fail.
To generate the iptables script I use fwbuilder.
I created a NAT rule which results in (after compiling): (picture of the fwbuilder NAT rule)
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.183.254 --dport 22 -j DNAT --to-destination 192.168.0.16
And I created a policy which results in (after compiling): (picture of the fwbuilder policy)
$IPTABLES -A FORWARD -i eth2 -p tcp -m tcp -d 192.168.0.16 --dport 22 -m state --state NEW -j ACCEPT
When I try to establish a connection from test-pc, I see:
ssh: connect to host 192.168.183.254 port 22: Connection timed out
Does anyone know what I am doing wrong?
Here is the output of iptables -v -x -n -L:
Chain INPUT (policy DROP 417 packets, 49211 bytes)
pkts bytes target prot opt in out source destination
28201 2294981 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 In_RULE_1 tcp -- eth0 * 192.168.0.0/24 192.168.0.254 tcp dpt:22 state NEW
0 0 In_RULE_2 tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp multiport dports 21,80,443 state NEW
0 0 In_RULE_5 all -- eth2 * 0.0.0.0/0 192.168.183.254
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3071 2805588 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 104 In_RULE_2 tcp -- eth0 * 192.168.0.0/24 0.0.0.0/0 tcp multiport dports 21,80,443 state NEW
7 420 ACCEPT tcp -- eth2 * 0.0.0.0/0 192.168.0.16 tcp dpt:22 state NEW
Chain OUTPUT (policy DROP 8 packets, 480 bytes)
pkts bytes target prot opt in out source destination
15619 310844265 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Out_RULE_0 tcp -- * eth2 192.168.183.254 0.0.0.0/0 tcp multiport dports 80,443 state NEW
Chain In_RULE_1 (1 references)
pkts bytes target prot opt in out source destination
1 60 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "RULE 1 -- ACCEPT "
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain In_RULE_2 (2 references)
pkts bytes target prot opt in out source destination
2 104 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "RULE 2 -- ACCEPT "
2 104 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain In_RULE_5 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "RULE 5 -- DENY "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Out_RULE_0 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "RULE 0 -- ACCEPT "
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
And the output of sudo iptables -t nat -v -x -n -L:
Chain PREROUTING (policy ACCEPT 1049 packets, 207739 bytes)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * 0.0.0.0/0 192.168.183.254 tcp dpt:22 to:192.168.0.16
Chain INPUT (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 22 packets, 1308 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
2 104 SNAT all -- * eth2 192.168.0.0/24 0.0.0.0/0 to:192.168.183.254
Since I will be adding many other policies, I would like to use fwbuilder for the NAT rules as well.
Here is the output of tcpdump, sudo tcpdump -n -tttt -i eth2 port 22:
2017-04-21 20:07:01.745154 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84033839 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:02.745098 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034089 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:04.747111 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034590 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:08.756022 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84035592 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:16.767457 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84037596 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:32.778145 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84041600 ecr 0,nop,wscale 6], length 0
2017-04-21 20:08:04.829078 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84049616 ecr 0,nop,wscale 6], length 0
And from sudo tcpdump -n -tttt -i eth0 port 22 | grep -v 192.168.0.47
(192.168.0.47 is actually my computer, which uses ssh to 192.168.183.254 and 192.168.183.253 and reaches that network through another router):
2017-04-21 20:07:01.745195 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84033839 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:02.745136 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034089 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:04.747139 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84034590 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:08.756068 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84035592 ecr 0,nop,wscale 6], length 0
2017-04-21 20:07:16.767486 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, options [mss 1460,sackOK,TS val 84037596 ecr 0,nop,wscale 6], length 0
I was able to solve the problem. I had made a mistake in the routing table of the target (192.168.0.16). Changing the gateway on that machine made the port forwarding work.
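The triage the post walks through (capture on both firewall interfaces, then see where the TCP handshake stops) as an added example, not part of the original post: it parses constructed tcpdump lines modelled on those above and classifies where a DNAT port forward breaks, ending in the "no reply from the server" verdict that points at the server's return route. The capture strings, function names and verdict labels are assumptions made for this example.

```python
import re

# Constructed sample captures modelled on the post: SYNs reach eth2 for the
# firewall, leave DNATed on eth0 toward the server, but no SYN-ACK comes back.
ETH2_CAPTURE = """\
2017-04-21 20:07:01.745154 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, length 0
2017-04-21 20:07:02.745098 IP 192.168.183.253.33774 > 192.168.183.254.22: Flags [S], seq 2118693960, win 29200, length 0
"""
ETH0_CAPTURE = """\
2017-04-21 20:07:01.745195 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, length 0
2017-04-21 20:07:02.745136 IP 192.168.183.253.33774 > 192.168.0.16.22: Flags [S], seq 2118693960, win 29200, length 0
"""

# One "tcpdump -n -tttt" line: "<date> <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ \S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def parse_capture(text):
    """Return (src, sport, dst, dport, flags) tuples for every parseable line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return flows


def diagnose_dnat(outside_capture, inside_capture, fw_ip, server_ip, port):
    """Classify where a DNAT forward breaks (verdict labels are this example's own):
    no-syn-at-firewall    client SYN never reaches the outside interface
    dnat-or-forward-drop  SYN seen outside but never leaves inside (PREROUTING/FORWARD)
    no-reply-from-server  SYN delivered inside, no SYN-ACK back: check the server's
                          route back to the client (its default gateway) and sshd
    ok                    SYN and SYN-ACK both visible on the inside interface
    """
    outside = parse_capture(outside_capture)
    inside = parse_capture(inside_capture)
    syn_in = [f for f in outside if f[2] == fw_ip and f[3] == port and f[4] == "S"]
    syn_fwd = [f for f in inside if f[2] == server_ip and f[3] == port and f[4] == "S"]
    synack = [f for f in inside if f[0] == server_ip and f[1] == port and f[4] == "S."]
    if not syn_in:
        return "no-syn-at-firewall"
    if not syn_fwd:
        return "dnat-or-forward-drop"
    if not synack:
        return "no-reply-from-server"
    return "ok"
```

Run against the two captures above it returns "no-reply-from-server": DNAT and FORWARD are doing their job, so the next thing to check is whether the server routes packets for the client's network back through the firewall.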