Como criar / configurar o vpn usando somente SSH?

7

Aqui está o problema que estou tentando resolver. Existe um servidor ("sistema remoto") que eu sou capaz de fazer ssh a partir do meu computador local, mas este sistema remoto não tem conexão com a Internet. Eu quero fornecer o sistema remoto com acesso à internet através do meu computador local usando VPN baseada em ssh. Como faço isso? Eu tentei o seguinte, que parece funcionar parcialmente. O que quero dizer com 'trabalho parcial' é que os pacotes de conexão (pacotes de sincronização) são enviados para o meu computador local, mas não conseguem estabelecer a conexão com a Internet. Eu estou usando o tcpdump para capturar pacotes no computador local. O computador local e o sistema remoto estão executando o centos 7.

A configuração - Nota: os comandos abaixo são executados em ordem. Os comandos user @ remote são executados no servidor remoto e os comandos user @ local são executados no computador local.

[user@remote ~]$ ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
    inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
       valid_lft 1785sec preferred_lft 1785sec
    inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic 
       valid_lft 2591987sec preferred_lft 604787sec
    inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link 
       valid_lft forever preferred_lft forever
[user@local ~]$ ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
    inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
       valid_lft 1785sec preferred_lft 1785sec
    inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic 
       valid_lft 2591987sec preferred_lft 604787sec
    inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link 
       valid_lft forever preferred_lft forever

Crie a interface tun0 no sistema remoto .

[user@remote ~]$ sudo ip tuntap add tun0 mode tun
[user@remote ~]$ ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
    inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
       valid_lft 1785sec preferred_lft 1785sec
    inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic 
       valid_lft 2591987sec preferred_lft 604787sec
    inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc noop state DOWN qlen 500
    link/none 

Crie a interface tun0 no sistema local .

[user@local ~]$ sudo ip tuntap add tun0 mode tun
[user@local ~]$ ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
    inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
       valid_lft 1785sec preferred_lft 1785sec
    inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic 
       valid_lft 2591987sec preferred_lft 604787sec
    inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc noop state DOWN qlen 500
    link/none

Atribua um endereço IP ao tun0 e exiba-o:

[user@local ~]$ sudo ip addr add 10.0.2.1/30 dev tun0
[user@local ~]$ sudo ip link set dev tun0 up
[user@local ~]$ ip addr show tun0
3: tun0:  mtu 1500 qdisc pfifo_fast state DOWN qlen 500
    link/none 
    inet 10.0.2.1/30 scope global tun0
       valid_lft forever preferred_lft forever
[user@remote ~]$ sudo ip addr add 10.0.2.2/30 dev tun0
[user@remote ~]$ sudo ip link set dev tun0 up
[user@remote ~]$ ip addr show tun0
3: tun0:  mtu 1500 qdisc pfifo_fast state DOWN qlen 500
    link/none 
    inet 10.0.2.2/30 scope global tun0
       valid_lft forever preferred_lft forever

Modifique o sshd_config nos sistemas remoto e local para ativar o tunelamento:

[user@remote ~]$ sudo grep PermitTunnel /etc/ssh/sshd_config 
PermitTunnel point-to-point
[user@local ~]$ sudo grep PermitTunnel /etc/ssh/sshd_config 
PermitTunnel point-to-point

Crie o túnel ssh:

[user@local ~]$ sudo ssh -f -w0:0 root@remote true
root@remote's password: 
[user@local ~]$ ps aux | grep root@remote
root      1851  0.0  0.0  76112  1348 ?        Ss   23:12   0:00 ssh -f -w0:0 root@remote true

Teste o ping em ambos os servidores usando os novos endereços IP:

[user@local ~]$ ping 10.0.2.2 -c 2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
64 bytes from 10.0.2.2: icmp_seq=1 ttl=64 time=1.68 ms
64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.861 ms

--- 10.0.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.861/1.274/1.688/0.415 ms
[user@remote ~]$ ping 10.0.2.1 -c 2
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.589 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.889 ms

--- 10.0.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.589/0.739/0.889/0.150 ms
[user@remote ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.252 U     0      0        0 tun0
AAA.BBB.CCC.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
[user@remote ~]$ ip route show
default via AAA.BBB.CCC.1 dev eth0  proto static  metric 100 
10.0.2.0/30 dev tun0  proto kernel  scope link  src 10.0.2.2 
AAA.BBB.CCC.0/24 dev eth0  proto kernel  scope link  src AAA.BBB.CCC.31  metric 100 

Obtenha endereços IP do Google:

[user@local ~]$ nslookup google.com
Server:     s.e.r.ver
Address:    s.e.r.ver#53

Non-authoritative answer:
Name:   google.com
Address: 173.194.219.101
Name:   google.com
Address: 173.194.219.100
Name:   google.com
Address: 173.194.219.113
Name:   google.com
Address: 173.194.219.102
Name:   google.com
Address: 173.194.219.139
Name:   google.com
Address: 173.194.219.138

IMPORTANTE: executei o comando acima em um horário diferente e obtive um resultado diferente. Não assuma que sua resposta será igual à minha para o nslookup acima.

Como todos os endereços IP do Google começam com 173.194.219, vamos rotear todos esses endereços IP pelo computador local.

[user@remote ~]$ sudo ip route add 173.194.219.0/24 dev tun0
[user@remote ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.252 U     0      0        0 tun0
AAA.BBB.CCC.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
173.194.219.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
[user@remote ~]$ ip route show
default via AAA.BBB.CCC.1 dev eth0  proto static  metric 100 
10.0.2.0/30 dev tun0  proto kernel  scope link  src 10.0.2.2 
AAA.BBB.CCC.0/24 dev eth0  proto kernel  scope link  src AAA.BBB.CCC.31  metric 100 
173.194.219.0/24 dev tun0  scope link 

Ativar ip_forwarding:

[user@local ~]$ grep ip_forward /etc/sysctl.conf 
net.ipv4.ip_forward = 1
[user@local ~]$ sudo service network restart
Restarting network (via systemctl):                        [  OK  ]

Configure a captura de pacotes no computador local usando o tcpdump:

[user@local ~]$ sudo tcpdump -nn -vv 'port not 22' -i any
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

Tente se conectar ao Google a partir do servidor remoto.

[user@remote ~]$ openssl s_client -connect google.com:443
socket: No route to host
connect:errno=113

Assim que o comando openssl é executado no servidor remoto, o tcpdump captura alguns pacotes:

    10.0.2.2.52768 > 173.194.219.102.443: Flags [S], cksum 0x8702 (correct), seq 994650730, win 29200, options [mss 1460,sackOK,TS val 7701438 ecr 0,nop,wscale 7], length 0
00:49:33.247753 IP (tos 0x0, ttl 64, id 46037, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.48774 > 173.194.219.100.443: Flags [S], cksum 0x47a7 (correct), seq 2218733674, win 29200, options [mss 1460,sackOK,TS val 7701439 ecr 0,nop,wscale 7], length 0
00:49:33.247883 IP (tos 0xc0, ttl 64, id 9538, offset 0, flags [none], proto ICMP (1), length 88)
    10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.100 unreachable - admin prohibited, length 68
    IP (tos 0x0, ttl 63, id 46037, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.48774 > 173.194.219.100.443: Flags [S], cksum 0x47a7 (correct), seq 2218733674, win 29200, options [mss 1460,sackOK,TS val 7701439 ecr 0,nop,wscale 7], length 0
00:49:33.253068 IP (tos 0x0, ttl 64, id 26282, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.51312 > 173.194.219.101.443: Flags [S], cksum 0x6ff8 (correct), seq 2634016105, win 29200, options [mss 1460,sackOK,TS val 7701443 ecr 0,nop,wscale 7], length 0
00:49:33.254771 IP (tos 0xc0, ttl 64, id 9539, offset 0, flags [none], proto ICMP (1), length 88)
    10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.101 unreachable - admin prohibited, length 68
    IP (tos 0x0, ttl 63, id 26282, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.51312 > 173.194.219.101.443: Flags [S], cksum 0x6ff8 (correct), seq 2634016105, win 29200, options [mss 1460,sackOK,TS val 7701443 ecr 0,nop,wscale 7], length 0
00:49:33.258805 IP (tos 0x0, ttl 64, id 9293, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.33686 > 173.194.219.139.443: Flags [S], cksum 0x542b (correct), seq 995927943, win 29200, options [mss 1460,sackOK,TS val 7701450 ecr 0,nop,wscale 7], length 0
00:49:33.258845 IP (tos 0xc0, ttl 64, id 9540, offset 0, flags [none], proto ICMP (1), length 88)
    10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.139 unreachable - admin prohibited, length 68
    IP (tos 0x0, ttl 63, id 9293, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.33686 > 173.194.219.139.443: Flags [S], cksum 0x542b (correct), seq 995927943, win 29200, options [mss 1460,sackOK,TS val 7701450 ecr 0,nop,wscale 7], length 0
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel

Os pacotes capturados usando o tcpdump sugerem que é feita uma tentativa de estabelecer a conexão (os pacotes Sync são enviados), mas nada é recebido. Também há uma mensagem 10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.139 unreachable - admin prohibited, length 68 que parece sugerir um problema.

Alguma sugestão sobre como resolver este problema? Existem regras de iptable que precisam ser adicionadas? Algum problema de firewall (firewall-d?).

Nota # 1
Saída do iptables-save:
[user@local ~]$ sudo iptables -t nat -A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.1/30 -j MASQUERADE -o eth0
[user@local ~]$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*nat
:PREROUTING ACCEPT [35:8926]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [6:439]
:POSTROUTING ACCEPT [6:439]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.0/30 -j MASQUERADE
-A POSTROUTING_ZONES -o eth0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*mangle
:PREROUTING ACCEPT [169:18687]
:INPUT ACCEPT [144:11583]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:8149]
:POSTROUTING ACCEPT [80:8149]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*security
:INPUT ACCEPT [2197:163931]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1229:185742]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*raw
:PREROUTING ACCEPT [2362:184437]
:OUTPUT ACCEPT [1229:185742]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:8149]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Apr 15 01:40:57 2017

Nota # 2:
Eu configuro um servidor web apache em um host separado que somente o servidor local tem acesso. Eu executei o tcpdump no servidor web escutando na porta 80. Quando eu executo telnet webserver 80 eu capturei os seguintes pacotes. Esse é o comportamento esperado desde que a conexão TCP seja estabelecida (S, S-Ack, Ack).
[user@webserver ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i eth0 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:17:30.411474 IP (tos 0x10, ttl 64, id 34376, offset 0, flags [DF], proto TCP (6), length 60)
    local.server.46710 > web.server.80: Flags [S], cksum 0x8412 (incorrect -> 0x6d96), seq 3018586542, win 29200, options [mss 1460,sackOK,TS val 3047398 ecr 0,nop,wscale 7], length 0
07:17:30.411557 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    web.server.80 > local.server.46710: Flags [S.], cksum 0x8412 (incorrect -> 0x9114), seq 2651711943, ack 3018586543, win 28960, options [mss 1460,sackOK,TS val 37704524 ecr 3047398,nop,wscale 7], length 0
07:17:30.411725 IP (tos 0x10, ttl 64, id 34377, offset 0, flags [DF], proto TCP (6), length 52)
    local.server.46710 > web.server.80: Flags [.], cksum 0x840a (incorrect -> 0x301c), seq 1, ack 1, win 229, options [nop,nop,TS val 3047398 ecr 37704524], length 0

Quando tento conectar-me ao servidor web do servidor remoto através do servidor local, o tcpdump no servidor web não captura nenhum pacote (nem mesmo a sincronização inicial), mas o servidor local captura o pacote Sync sendo enviado ao servidor web (veja abaixo). Isso me faz acreditar que algo está impedindo que os pacotes sejam enviados para o servidor da Web - talvez um erro de configuração ou firewall.

[user@local ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i any
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
02:24:09.135842 IP (tos 0x10, ttl 64, id 38062, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.50558 > web.server.80: Flags [S], cksum 0x668d (correct), seq 69756226, win 29200, options [mss 1460,sackOK,TS val 4780524 ecr 0,nop,wscale 7], length 0

IMPORTANTE: os pacotes não estão sendo roteados através de eth0, mas é feita uma tentativa de enviar os pacotes para o servidor web via tun0 (que falha). Eu posso confirmar isso executando tcpdump na interface tun0:

[user@local ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i tun0
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
02:28:10.295972 IP (tos 0x10, ttl 64, id 46976, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.50560 > webserver.80: Flags [S], cksum 0xd560 (correct), seq 605366388, win 29200, options [mss 1460,sackOK,TS val 5021684 ecr 0,nop,wscale 7], length 0

Nota # 3:
Eu desliguei o firewalld no computador local e os pacotes Sync foram recebidos pelo servidor web.
[user@local ~]$ sudo systemctl stop firewalld
[user@webserver ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:25:17.390912 IP (tos 0x10, ttl 63, id 61767, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.50580 > web.server.80: Flags [S], cksum 0x30dc (correct), seq 2601927549, win 29200, options [mss 1460,sackOK,TS val 7123514 ecr 0,nop,wscale 7], length 0
08:25:17.391003 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    web.server.80 > 10.0.2.2.50580: Flags [S.], cksum 0x4e23 (incorrect -> 0xa316), seq 959115533, ack 2601927550, win 28960, options [mss 1460,sackOK,TS val 41771503 ecr 7123514,nop,wscale 7], length 0
08:25:17.391192 IP (tos 0x0, ttl 128, id 60032, offset 0, flags [none], proto TCP (6), length 40)
    10.0.2.2.50580 > web.server.80: Flags [R], cksum 0x7339 (correct), seq 2601927550, win 8192, length 0
08:25:18.393794 IP (tos 0x10, ttl 63, id 61768, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.2.2.50580 > web.server.80: Flags [S], cksum 0x2cf1 (correct), seq 2601927549, win 29200, options [mss 1460,sackOK,TS val 7124517 ecr 0,nop,wscale 7], length 0
08:25:18.393898 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    web.server.80 > 10.0.2.2.50580: Flags [S.], cksum 0x4e23 (incorrect -> 0x7e71), seq 974785773, ack 2601927550, win 28960, options [mss 1460,sackOK,TS val 41772506 ecr 7124517,nop,wscale 7], length 0
08:25:18.394003 IP (tos 0x0, ttl 128, id 60033, offset 0, flags [none], proto TCP (6), length 40)
    10.0.2.2.50580 > web.server.80: Flags [R], cksum 0x566a (correct), seq 2601927550, win 8192, length 0

Agora, claramente, o IP de origem precisa ser atualizado para corresponder ao endereço IP do servidor local antes que o pacote seja enviado ao servidor da web. Como sugerido pela @xin, o NAT precisa ser configurado no servidor local.

Nota # 4:
Uma vez que eu tentei me conectar ao servidor web, eu posso ver que a contagem de pacotes da regra 9 aumenta em 1 (como visto abaixo).
[user@local ~]$ sudo iptables -nvL --line-numbers
..........
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        1    60 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
4        1    60 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
5        1    60 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6        1    60 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7        1    60 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
9        1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
..........
[user@local ~]$ sudo iptables -D FORWARD 9

Quando a regra 9 da cadeia FORWARD for excluída (de cima, como sugerido @xin), posso me conectar ao servidor da Web.

[user@local ~]$ sudo iptables -nvL --line-numbers
..........
Chain FORWARD (policy ACCEPT 1 packets, 60 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       12  5857 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        2   120 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
4        2   120 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
5        2   120 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6        2   120 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7        2   120 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
..........
    
por Ali 09.04.2017 / 07:01

1 resposta

4

O endereço de origem dos pacotes deve ser substituído por um dos endereços da máquina local para que as respostas possam ser recebidas pela máquina local, caso contrário não há motivos para enviar esses pacotes para os próximos roteadores. iptables MASQUERADE e SNAT são úteis para alterar o endereço de origem desses pacotes:

[user@local ~]$ iptables -t nat -A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.1/30 -j MASQUERADE -o eth0
    
por 14.04.2017 / 09:05