Debian KVM server with iptables is dropping bridge packets

1

For the past month I have not been able to solve this. I have tried different iptables rules and enabled and disabled kernel modules, but I keep getting the same results, and more packets are dropped by iptables. This causes users to see a 3/5 second delay when they try to access different shared folders from 192.168.1.0/24 to 192.168.3.0/28 on the virtual machine.

I see this in the logs:

Feb 14 13:53:02 ns129115 kernel: [12426815.202643] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=61932 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:02 ns129115 kernel: [12426815.393379] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=61933 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK URGP=0
Feb 14 13:53:02 ns129115 kernel: [12426815.834944] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=61934 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK URGP=0
Feb 14 13:53:02 ns129115 kernel: [12426815.835219] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=136 TOS=0x10 PREC=0x00 TTL=64 ID=61935 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:19 ns129115 kernel: [12426832.829664] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=vnet0 PHYSOUT=eth2 MAC=70:85:c2:4f:14:c1:00:16:3e:ea:18:01:08:00 SRC=192.168.1.156 DST=192.168.1.125 LEN=319 TOS=0x00 PREC=0x00 TTL=128 ID=16660 DF PROTO=TCP SPT=49169 DPT=54820 WINDOW=256 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:39 ns129115 kernel: [12426852.496117] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=29023 DF PROTO=TCP SPT=22115 DPT=52214 WINDOW=263 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:49 ns129115 kernel: [12426862.856776] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=vnet0 MAC=00:16:3e:ea:18:01:90:2b:34:b0:20:a4:08:00 SRC=192.168.1.237 DST=192.168.1.156 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1644 DF PROTO=TCP SPT=49244 DPT=49169 WINDOW=1879 RES=0x00 ACK URGP=0
Feb 14 13:53:50 ns129115 kernel: [12426863.288983] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=29069 DF PROTO=TCP SPT=22115 DPT=52214 WINDOW=263 RES=0x00 ACK PSH URGP=0
Feb 14 13:54:19 ns129115 kernel: [12426892.906806] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=vnet0 MAC=00:16:3e:ea:18:01:74:d4:35:6a:18:7a:08:00 SRC=192.168.1.199 DST=192.168.1.156 LEN=248 TOS=0x00 PREC=0x00 TTL=128 ID=13244 DF PROTO=TCP SPT=49678 DPT=49169 WINDOW=256 RES=0x00 ACK PSH URGP=0
Feb 14 13:54:42 ns129115 kernel: [12426915.939242] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=136 TOS=0x10 PREC=0x00 TTL=64 ID=61969 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0

The Debian server with iptables and 2 bridges

  • BR0 is the bridge with Internet access through the gateway 192.168.1.1, and all users are on that network
  • VIRBR10, the 2nd bridge; vm1 is connected to this bridge with IP 192.168.3.12 (192.168.3.0/28) and has NAT with iptables to the outside, going through br0

Here »» The network diagram with gateway and hypervisor

Here is my routing table

~ route list

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.3.0     *               255.255.255.240 U     0      0        0 virbr10

~ brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.0cc47ac18d3c       yes             eth2
virbr10         8000.525400c4b847       yes             virbr10-dummy
                                                        vnet2

~ iptables rules

#!/bin/sh
#Flushing all rules
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Allow basic INPUT traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT

#
#MTU
iptables -t mangle -A FORWARD -o virbr1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1460
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#SMB
#Port: netbios - 445/tcp
#Port: netbios-ns – 137/udp -- NETBIOS Name Service
#Port: netbios-dgm – 138/udp -- NETBIOS Datagram Service
#Port: netbios-ssn – 139/tcp -- NETBIOS session service
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 445 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 137 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 138 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 139 -j ACCEPT

#RDP
#Port: 3389
# connections from outside
iptables -I FORWARD -o virbr10 -d 192.168.3.12 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 3589 -j DNAT --to 192.168.3.12:3389

# Masquerade local subnet
iptables -I FORWARD -o virbr10 -d 192.168.3.0/28 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -j MASQUERADE
iptables -A FORWARD -o virbr10 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outbound connections from virbr10 to the 192.168.1.0/24 network
iptables -A FORWARD -i virbr10 -o br0 -j ACCEPT
iptables -A FORWARD -o virbr10 -i br0 -j ACCEPT
iptables -A FORWARD -i virbr10 -o lo -j ACCEPT

###
#KVM routed guest
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
iptables -t mangle -A POSTROUTING -o virbr10 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

# Do not masquerade to these reserved address blocks.
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -d 224.0.0.0/24 -j RETURN
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -d 255.255.255.255/32 -j RETURN
# Masquerade all packets going from VMs to the LAN/Internet.
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -j MASQUERADE

# Accept SSH connections.
iptables -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT

# Accept Radmin
iptables -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 4899 -j ACCEPT

# Allow inbound traffic to the private subnet.
iptables -A FORWARD -d 192.168.3.0/28 -o virbr10 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -d 192.168.1.0/24 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -d 192.168.3.0/28 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outbound traffic from the private subnet.
iptables -A FORWARD -s 192.168.3.0/28 -i virbr10 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -s 192.168.1.0/24 -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -s 192.168.3.0/28 -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow traffic between virtual machines.
iptables -A FORWARD -i virbr10 -o virbr10 -j ACCEPT
# Reject everything else.
iptables -A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
# Accept DNS (port 53) and DHCP (port 67) packets from VMs.
iptables -A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
iptables -A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT

#ICMP
iptables -A OUTPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Reject everything else.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

#Log dropped packets
iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4

Updates

  1. Moved the logging chain to the end of the script and pasted the new log entries
by Matias 14.02.2018 / 14:27

1 answer

0

After some Googling, I was able to solve this.

  1. Slow access to SMB shared files on the domain controller on Windows Server 2012 R2 is because the folder redirection GPO changes the permissions on the user's profile folder during the redirection process when the folder does not exist at the destination. Based on iamrafic on Microsoft Technet ( link ), we need to change the folder permissions to this:

Create the folder in the required location. Disable inheritance of permissions from the parent and remove all inherited permissions by clicking the appropriate button. One entry will already be in the DACL: Local Administrators.

Alter Local Administrators: Full Control: This folder, subfolders and files

Add SYSTEM: Full Control: This folder, subfolder and files.

Add CREATOR OWNER: Full Control: This folder, subfolders and files.

Add Authenticated Users: List folder / read data, Create folders / append data: This folder only

Add Domain Admins: Full Control: This folder, subfolders and files.

Click OK.

  2. The other problem was the iptables rules; I needed to run a complete chain and fix the order of every FORWARD rule, because that changes performance when the packet is analysed. Here are the new ones.
    #!/bin/sh

    #Flushing all rules
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X
    iptables -t raw -F

    # Basic tables
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    # 

    iptables -A FORWARD -o virbr32 -s 192.168.1.0/24 -d 192.168.100.0/28 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i virbr32 -s 192.168.100.0/28 -d 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o virbr32 -i br0 -j ACCEPT
    iptables -A FORWARD -i virbr32 -s 192.168.100.0/28 -j ACCEPT
    iptables -A FORWARD -i virbr32 -o virbr32 -j ACCEPT
    iptables -A FORWARD -i virbr32 -j LOG --log-prefix "iptables-FORWARD-REJECT: "
    iptables -A FORWARD -i virbr32 -j REJECT --reject-with icmp-port-unreachable

    # Masquerade local subnet
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -j MASQUERADE
    # Do not masquerade to these reserved address blocks.
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -d 224.0.0.0/24 -j RETURN
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -d 255.255.255.255/32 -j RETURN

    # SMB
    # RPC EPM                  TCP 135 
    # RPC over HTTPS           TCP 593 
    # SMB (for named pipes)    TCP 445
    # Ephemeral Range, Dynamic *
    iptables -I FORWARD 6 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 445 -j ACCEPT
    iptables -I FORWARD 7 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 139 -j ACCEPT

    # Accept DNS (port 53) and DHCP (port 67) packets from VMs.
    iptables -I FORWARD 8 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARD 9 -i virbr32 -o br0 -m conntrack --ctstate NEW -p udp -m udp -m multiport --dports 53,67 -j ACCEPT

    # 

    # 

    # The two rules below assure that only TCP packets get examined. All others 
    # continue into the *filter table.
    iptables -t raw -N TCPFLAGS
    iptables -t raw -A PREROUTING -p tcp -j TCPFLAGS
    iptables -t raw -A PREROUTING -j ACCEPT

    # Quickly accept standard handshakes
    # ALLOW ACK or ACK/SYN
    #-A TCPFLAGS -j ACCEPT
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags FIN,ACK,URG,PSH,RST ACK -j ACCEPT

    # Allow ACK/FIN with either URG or PSH, or both, or neither
    # but SYN and RST can't be set
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,ACK,RST  ACK,FIN -j ACCEPT

    # Allow SYN or ACK/SYN
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,URG,PSH,RST SYN -j ACCEPT

    # Allow RST or ACK/RST
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,URG,PSH,RST RST -j ACCEPT

    # This rule catches xmas-tree and fin attacks
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN FIN -j DROP
    # This rule catches xmas-tree and syn/rst attacks
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags SYN SYN -j DROP

    # This rule catches null attacks
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags ALL NONE -j DROP

    #-A TCPFLAGS -p tcp -ecn-tcp-cwr -j DROP
    # these rules catch bad ack combinations
    #-A TCPFLAGS -p tcp --tcp-flags ACK     ACK     -j ACC
    #iptables -t raw  -A TCPFLAGS -j ACCEPT

    # So, what do we accept for tcp?
    # handshakes (ACK/FIN), (ACK/SYN), (SYN), (ACK), (RST), (ACK/RST), 
    # and data packets with PSH or URG or FIN or ACK

    # 

    #Log dropped packets
    iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
    iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
    iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4
  • As you can see, I used iptables -I FORWARD instead of iptables -A FORWARD because with it I can order the rules in my filter table, putting the most important rules first and going deeper after the DROP or deny-the-rest rules. All FORWARD rules go before this line
    iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

Edit: I just need to make some changes to get more throughput when copying files from the VM to the outside on the LAN 192.168.1.0/24; I can't get more than 4Mb/s. Any advice will be appreciated!!

by 19.02.2018 / 16:44