packages from router não corresponde à regra de iptables dnat

Question

packages from router não corresponde à regra de iptables dnat

#1 resposta do (0 votos)

0

Eu tenho as seguintes regras para encaminhar a porta 443 do externo para um host interno:

IF_INET=ppp0
IF_INET_IP=1.2.3.4    # Router External IP
IF_LAN_IP=192.168.0.1 # Router Internal IP
IF_LAN_NET=192.168.0.0/24
VPN_HOST=192.168.0.2  # Internet Host with a HTTPS Webserver

iptables -t nat -A PREROUTING -d $IF_INET_IP -p tcp --dport 443 -j DNAT --to $VPN_HOST
iptables -A FORWARD -i $IF_INET -o $IF_LAN -p tcp -d $VPN_HOST --dport 443 -j ACCEPT

Que o serviço também é acessível a partir do interno Eu também tenho uma regra de snat:

iptables -t nat -A POSTROUTING -d $VPN_HOST -p tcp --dport 443 -s $IF_LAN_NET -j SNAT --to $IF_LAN_IP

O problema é agora, quando eu quero abrir o dns-address (que aponta para $ IF_INET_IP) do próprio roteador onde iptables faz o nat, que os pacotes não são encaminhados para o host interno.

Eu defini as regras a seguir para rastrear o problema:

iptables -t raw -A OUTPUT -p tcp -d $IF_INET_IP --dport 443 -j TRACE

e tenho isso:

TRACE: raw:OUTPUT:rule:6 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: raw:OUTPUT:policy:7 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: nat:OUTPUT:policy:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: filter:OUTPUT:rule:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: nat:POSTROUTING:policy:4 IN= OUT=lo SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307) UID=0 GID=0
TRACE: raw:PREROUTING:rule:4 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: raw:PREROUTING:rule:6 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: raw:PREROUTING:policy:7 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: mangle:PREROUTING:policy:1 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: mangle:INPUT:policy:1 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)
TRACE: filter:INPUT:rule:2 IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35855 DF PROTO=TCP SPT=35594 DPT=443 SEQ=89529104 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A02C9971F0000000001030307)

Andy Idea como posso fazer isso?

networking iptables nat linux

por TCr 25.03.2014 / 16:37

1 resposta

Tags networking iptables nat linux

Obtendo #NUM! para ninhos externos da divisão de instrução IF Configura o Outlook para enviar arquivos para a pasta em vez da pasta Itens excluídos

score 0 · Answer 1

ok, encontrei a solução para o meu problema:

iptables -t nat -A OUTPUT -d $IF_INET_IP -p tcp --dport 443 -j DNAT --to $VPN_HOST

Ele redireciona o pacote direto na saída para a direção certa.