rhel7, DNAT and unexpected behaviour [a bit longer]
"Zdeněk Kaminski"
sutr at valasske-laboratore.cz
Sunday January 25 13:23:38 CET 2015
Hello,
I have a server A (rhel7 with kernel 3.17.6-1.el7 from elrepo, because of the
RAID controller) with NICs net1 and net4; net4 faces the Internet, net1 faces
the internal network. In the internal network I have a server B.
Server A has one public address 194.228.208.19 and at the same time does proxy
ARP for another public address 194.228.208.24 (for certain reasons).
Firewall configuration on server A:
iptables -t nat -A PREROUTING -p tcp -d 194.228.208.24 --dport https -j DNAT --to-destination 192.168.1.168:22
There is no other rule in the nat table. In the filter table there are no
FORWARD rules; the policy is ACCEPT.
All the way up to RHEL6 (2.6.18) I have lived under the impression that DNAT
works like this:
1. a packet arrives on interface eth0
2. the PREROUTING rule with the DNAT action takes it, rewrites the destination
address, rewrites the destination port
3. the packet is then sent out via eth1
4. nothing more
So I should add the rule
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.168 --sport 22 -j SNAT --to-source 194.228.208.24:443
But on server A it works (I can reach that ssh port from the Internet) even
without that rule. And I don't like such behaviour at all.
And also, once I am logged in to server B from the Internet, in the firewall
on server A I don't see the packet count of that PREROUTING rule increasing.
Grrrr.
Do you have any idea what changed between 2.6.18 and 3.17.6? Or am I living
under a delusion in general?
Thaaanks for a kick in the right direction...
The script I start the firewall with:
----------------------------------
# flush first, otherwise -X cannot delete the still-referenced bad-fw chain
# and the later -N bad-fw fails on a re-run
iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -N bad-fw
iptables -A bad-fw -p tcp --dport ssh -j ACCEPT
iptables -A bad-fw -j REJECT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i net4 -j bad-fw
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 194.228.208.24 --dport https -j LOG --log-prefix 'FW [ladici 0]: '
iptables -t nat -A PREROUTING -p tcp -d 194.228.208.24 --dport https -j DNAT --to 192.168.1.168:22
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.168 -o net4 --sport 22 -j LOG --log-prefix 'FW [ladici 1]: '
Full firewall listing on server A:
----------------------------------
Table filter:
Chain INPUT (policy ACCEPT 5107 packets, 537K bytes)
 pkts bytes target     prot opt in     out     source               destination
  239 20048 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 4043  338K bad-fw     all  --  net4   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 193 packets, 31714 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10478 packets, 1125K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain bad-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  523 38673 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 3520  300K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Table nat:
Chain PREROUTING (policy ACCEPT 402 packets, 39632 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            194.228.208.24       tcp dpt:443 LOG flags 0 level 4 prefix "FW [ladici 0]: "
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            194.228.208.24       tcp dpt:443 to:192.168.1.168:22

Chain INPUT (policy ACCEPT 152 packets, 13372 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      net4    192.168.1.168        0.0.0.0/0            tcp spt:22 LOG flags 0 level 4 prefix "FW [ladici 1]: "
Z.K.
--
Wallachian Laboratories? Freeride in UN*X systems...
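The mechanism behind the two observations in the post (replies come back correctly without any SNAT rule, and the nat-table counters barely move) is netfilter connection tracking: the nat table is consulted only for the first packet of a new connection, the resulting mapping is stored in the conntrack entry, and every later packet of that flow, in both directions, is translated from the entry without touching the rules again. The reverse translation of replies is therefore implicit, and a nat rule's pkts counter counts new connections rather than packets. This is standard netfilter behaviour, not something introduced in 3.x kernels. The following toy model is an added illustration, not code from the poster or from the kernel; it reproduces only the rule-once-per-flow and reply-reversal logic, with a constructed client address 203.0.113.5 and the addresses from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (src, sport, dst, dport) of a TCP packet
Tuple4 = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class DnatRule:
    """One 'iptables -t nat -A PREROUTING ... -j DNAT' rule with its pkts counter."""
    match_dst: str
    match_dport: int
    to_dst: str
    to_dport: int
    pkts: int = 0  # what 'iptables -t nat -L -v' shows in the pkts column


class ConntrackNat:
    """Simplified conntrack table: one entry per flow, two lookup directions."""

    def __init__(self, prerouting: List[DnatRule]):
        self.prerouting = prerouting
        self.by_orig: Dict[Tuple4, Tuple4] = {}   # original tuple -> reply tuple
        self.by_reply: Dict[Tuple4, Tuple4] = {}  # reply tuple -> original tuple

    def _new_flow(self, pkt: Packet) -> Tuple4:
        """First packet of a flow: the nat chain is evaluated exactly once."""
        for rule in self.prerouting:
            if pkt.dst == rule.match_dst and pkt.dport == rule.match_dport:
                rule.pkts += 1
                reply = (rule.to_dst, rule.to_dport, pkt.src, pkt.sport)
                break
        else:
            # no rule matched: the reply tuple is just the original reversed
            reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.by_orig[pkt.key()] = reply
        self.by_reply[reply] = pkt.key()
        return reply

    def translate(self, pkt: Packet) -> Packet:
        key = pkt.key()
        if key in self.by_orig:
            reply = self.by_orig[key]          # later packet, original direction
        elif key in self.by_reply:
            orig = self.by_reply[key]          # reply direction: undo the DNAT,
            return Packet(orig[2], orig[3], orig[0], orig[1])  # no SNAT rule needed
        else:
            reply = self._new_flow(pkt)        # new flow: consult the rules once
        # original direction: destination becomes the reply tuple's source
        return Packet(pkt.src, pkt.sport, reply[0], reply[1])


def demo() -> dict:
    """Walk one DNAT'd ssh session and one untranslated flow through the model."""
    rule = DnatRule("194.228.208.24", 443, "192.168.1.168", 22)
    nat = ConntrackNat([rule])
    syn = Packet("203.0.113.5", 40000, "194.228.208.24", 443)   # constructed client
    first = nat.translate(syn)                                   # SYN, rule consulted
    second = nat.translate(syn)                                  # data, conntrack only
    reply = nat.translate(Packet("192.168.1.168", 22, "203.0.113.5", 40000))
    untouched = nat.translate(Packet("203.0.113.5", 40001, "194.228.208.19", 22))
    return {"first": first, "second": second, "reply": reply,
            "untouched": untouched, "rule_pkts": rule.pkts}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the reply packet leaving with source 194.228.208.24:443, exactly what the proposed SNAT rule would have produced, and `rule_pkts` staying at 1 for the whole session, which is why watching the PREROUTING counters during an established login shows nothing.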