Aqui está o problema que estou tentando resolver. Existe um servidor ("sistema remoto") que eu sou capaz de fazer ssh a partir do meu computador local, mas este sistema remoto não tem conexão com a Internet. Eu quero fornecer o sistema remoto com acesso à internet através do meu computador local usando VPN baseada em ssh. Como faço isso? Eu tentei o seguinte, que parece funcionar parcialmente. O que quero dizer com 'trabalho parcial' é que os pacotes de conexão (pacotes de sincronização) são enviados para o meu computador local, mas não conseguem estabelecer a conexão com a Internet. Eu estou usando o tcpdump para capturar pacotes no computador local. O computador local e o sistema remoto estão executando o centos 7.
A configuração - Nota: os comandos abaixo são executados em ordem. Os comandos user @ remote são executados no servidor remoto e os comandos user @ local são executados no computador local.
[user@remote ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
[user@local ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
Crie a interface tun0 no sistema remoto .
[user@remote ~]$ sudo ip tuntap add tun0 mode tun
[user@remote ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc noop state DOWN qlen 500
link/none
Crie a interface tun0 no sistema local .
[user@local ~]$ sudo ip tuntap add tun0 mode tun
[user@local ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc noop state DOWN qlen 500
link/none
Atribua um endereço IP ao tun0 e exiba-o:
[user@local ~]$ sudo ip addr add 10.0.2.1/30 dev tun0
[user@local ~]$ sudo ip link set dev tun0 up
[user@local ~]$ ip addr show tun0
3: tun0: mtu 1500 qdisc pfifo_fast state DOWN qlen 500
link/none
inet 10.0.2.1/30 scope global tun0
valid_lft forever preferred_lft forever
[user@remote ~]$ sudo ip addr add 10.0.2.2/30 dev tun0
[user@remote ~]$ sudo ip link set dev tun0 up
[user@remote ~]$ ip addr show tun0
3: tun0: mtu 1500 qdisc pfifo_fast state DOWN qlen 500
link/none
inet 10.0.2.2/30 scope global tun0
valid_lft forever preferred_lft forever
Modifique o sshd_config nos sistemas remoto e local para ativar o tunelamento:
[user@remote ~]$ sudo grep PermitTunnel /etc/ssh/sshd_config PermitTunnel point-to-point
[user@local ~]$ sudo grep PermitTunnel /etc/ssh/sshd_config PermitTunnel point-to-point
Crie o túnel ssh:
[user@local ~]$ sudo ssh -f -w0:0 root@remote true root@remote's password: [user@local ~]$ ps aux | grep root@remote root 1851 0.0 0.0 76112 1348 ? Ss 23:12 0:00 ssh -f -w0:0 root@remote true
Teste o ping em ambos os servidores usando os novos endereços IP:
[user@local ~]$ ping 10.0.2.2 -c 2 PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data. 64 bytes from 10.0.2.2: icmp_seq=1 ttl=64 time=1.68 ms 64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.861 ms --- 10.0.2.2 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 0.861/1.274/1.688/0.415 ms
[user@remote ~]$ ping 10.0.2.1 -c 2 PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data. 64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.589 ms 64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.889 ms --- 10.0.2.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 0.589/0.739/0.889/0.150 ms
[user@remote ~]$ route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default gateway 0.0.0.0 UG 100 0 0 eth0 10.0.2.0 0.0.0.0 255.255.255.252 U 0 0 0 tun0 AAA.BBB.CCC.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 [user@remote ~]$ ip route show default via AAA.BBB.CCC.1 dev eth0 proto static metric 100 10.0.2.0/30 dev tun0 proto kernel scope link src 10.0.2.2 AAA.BBB.CCC.0/24 dev eth0 proto kernel scope link src AAA.BBB.CCC.31 metric 100
Obtenha endereços IP do Google:
[user@local ~]$ nslookup google.com Server: s.e.r.ver Address: s.e.r.ver#53 Non-authoritative answer: Name: google.com Address: 173.194.219.101 Name: google.com Address: 173.194.219.100 Name: google.com Address: 173.194.219.113 Name: google.com Address: 173.194.219.102 Name: google.com Address: 173.194.219.139 Name: google.com Address: 173.194.219.138
IMPORTANTE: executei o comando acima em um horário diferente e obtive um resultado diferente. Não assuma que sua resposta será igual à minha para o nslookup acima.
Como todos os endereços IP do Google começam com 173.194.219, vamos rotear todos esses endereços IP pelo computador local.
[user@remote ~]$ sudo ip route add 173.194.219.0/24 dev tun0 [user@remote ~]$ route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default gateway 0.0.0.0 UG 100 0 0 eth0 10.0.2.0 0.0.0.0 255.255.255.252 U 0 0 0 tun0 AAA.BBB.CCC.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 173.194.219.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 [user@remote ~]$ ip route show default via AAA.BBB.CCC.1 dev eth0 proto static metric 100 10.0.2.0/30 dev tun0 proto kernel scope link src 10.0.2.2 AAA.BBB.CCC.0/24 dev eth0 proto kernel scope link src AAA.BBB.CCC.31 metric 100 173.194.219.0/24 dev tun0 scope link
Ativar ip_forwarding:
[user@local ~]$ grep ip_forward /etc/sysctl.conf net.ipv4.ip_forward = 1 [user@local ~]$ sudo service network restart Restarting network (via systemctl): [ OK ]
Configure a captura de pacotes no computador local usando o tcpdump:
[user@local ~]$ sudo tcpdump -nn -vv 'port not 22' -i any tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Tente se conectar ao Google a partir do servidor remoto.
[user@remote ~]$ openssl s_client -connect google.com:443 socket: No route to host connect:errno=113
Assim que o comando openssl é executado no servidor remoto, o tcpdump captura alguns pacotes:
10.0.2.2.52768 > 173.194.219.102.443: Flags [S], cksum 0x8702 (correct), seq 994650730, win 29200, options [mss 1460,sackOK,TS val 7701438 ecr 0,nop,wscale 7], length 0
00:49:33.247753 IP (tos 0x0, ttl 64, id 46037, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.48774 > 173.194.219.100.443: Flags [S], cksum 0x47a7 (correct), seq 2218733674, win 29200, options [mss 1460,sackOK,TS val 7701439 ecr 0,nop,wscale 7], length 0
00:49:33.247883 IP (tos 0xc0, ttl 64, id 9538, offset 0, flags [none], proto ICMP (1), length 88)
10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.100 unreachable - admin prohibited, length 68
IP (tos 0x0, ttl 63, id 46037, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.48774 > 173.194.219.100.443: Flags [S], cksum 0x47a7 (correct), seq 2218733674, win 29200, options [mss 1460,sackOK,TS val 7701439 ecr 0,nop,wscale 7], length 0
00:49:33.253068 IP (tos 0x0, ttl 64, id 26282, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.51312 > 173.194.219.101.443: Flags [S], cksum 0x6ff8 (correct), seq 2634016105, win 29200, options [mss 1460,sackOK,TS val 7701443 ecr 0,nop,wscale 7], length 0
00:49:33.254771 IP (tos 0xc0, ttl 64, id 9539, offset 0, flags [none], proto ICMP (1), length 88)
10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.101 unreachable - admin prohibited, length 68
IP (tos 0x0, ttl 63, id 26282, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.51312 > 173.194.219.101.443: Flags [S], cksum 0x6ff8 (correct), seq 2634016105, win 29200, options [mss 1460,sackOK,TS val 7701443 ecr 0,nop,wscale 7], length 0
00:49:33.258805 IP (tos 0x0, ttl 64, id 9293, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.33686 > 173.194.219.139.443: Flags [S], cksum 0x542b (correct), seq 995927943, win 29200, options [mss 1460,sackOK,TS val 7701450 ecr 0,nop,wscale 7], length 0
00:49:33.258845 IP (tos 0xc0, ttl 64, id 9540, offset 0, flags [none], proto ICMP (1), length 88)
10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.139 unreachable - admin prohibited, length 68
IP (tos 0x0, ttl 63, id 9293, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.33686 > 173.194.219.139.443: Flags [S], cksum 0x542b (correct), seq 995927943, win 29200, options [mss 1460,sackOK,TS val 7701450 ecr 0,nop,wscale 7], length 0
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel
Os pacotes capturados usando o tcpdump sugerem que é feita uma tentativa de estabelecer a conexão (os pacotes Sync são enviados), mas nada é recebido. Também há uma mensagem 10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.139 unreachable - admin prohibited, length 68 que parece sugerir um problema.
Alguma sugestão sobre como resolver este problema? Existem regras de iptable que precisam ser adicionadas? Algum problema de firewall (firewall-d?).
Nota # 1
[user@local ~]$ sudo iptables -t nat -A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.1/30 -j MASQUERADE -o eth0 [user@local ~]$ sudo iptables-save # Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017 *nat :PREROUTING ACCEPT [35:8926] :INPUT ACCEPT [1:84] :OUTPUT ACCEPT [6:439] :POSTROUTING ACCEPT [6:439] :OUTPUT_direct - [0:0] :POSTROUTING_ZONES - [0:0] :POSTROUTING_ZONES_SOURCE - [0:0] :POSTROUTING_direct - [0:0] :POST_public - [0:0] :POST_public_allow - [0:0] :POST_public_deny - [0:0] :POST_public_log - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.0/30 -j MASQUERADE -A POSTROUTING_ZONES -o eth0 -g POST_public -A POSTROUTING_ZONES -g POST_public -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow -A PREROUTING_ZONES -i eth0 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Sat Apr 15 01:40:57 2017 # Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017 *mangle :PREROUTING ACCEPT [169:18687] :INPUT ACCEPT [144:11583] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [80:8149] :POSTROUTING ACCEPT [80:8149] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] :POSTROUTING_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_ZONES -i eth0 -g PRE_public -A PREROUTING_ZONES -g PRE_public -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Sat Apr 15 01:40:57 2017 # Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017 *security :INPUT ACCEPT [2197:163931] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1229:185742] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Sat Apr 15 01:40:57 2017 # Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017 *raw :PREROUTING ACCEPT [2362:184437] :OUTPUT ACCEPT [1229:185742] :OUTPUT_direct - [0:0] :PREROUTING_direct - [0:0] -A PREROUTING -j PREROUTING_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Sat Apr 15 01:40:57 2017 # Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [80:8149] :FORWARD_IN_ZONES - [0:0] :FORWARD_IN_ZONES_SOURCE - [0:0] :FORWARD_OUT_ZONES - [0:0] :FORWARD_OUT_ZONES_SOURCE - [0:0] :FORWARD_direct - [0:0] :FWDI_public - [0:0] :FWDI_public_allow - [0:0] :FWDI_public_deny - [0:0] :FWDI_public_log - [0:0] :FWDO_public - [0:0] :FWDO_public_allow - [0:0] :FWDO_public_deny - [0:0] :FWDO_public_log - [0:0] :INPUT_ZONES - [0:0] :INPUT_ZONES_SOURCE - [0:0] :INPUT_direct - [0:0] :IN_public - [0:0] :IN_public_allow - [0:0] :IN_public_deny - [0:0] :IN_public_log - [0:0] :OUTPUT_direct - [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j INPUT_direct -A INPUT -j INPUT_ZONES_SOURCE -A INPUT -j INPUT_ZONES -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -j OUTPUT_direct -A FORWARD_IN_ZONES -i eth0 -g FWDI_public -A FORWARD_IN_ZONES -g FWDI_public -A FORWARD_OUT_ZONES -o eth0 -g FWDO_public -A FORWARD_OUT_ZONES -g FWDO_public -A FWDI_public -j FWDI_public_log -A FWDI_public -j FWDI_public_deny -A FWDI_public -j FWDI_public_allow -A FWDI_public -p icmp -j ACCEPT -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow -A INPUT_ZONES -i eth0 -g IN_public -A INPUT_ZONES -g IN_public -A IN_public -j IN_public_log -A IN_public -j IN_public_deny -A IN_public -j IN_public_allow -A IN_public -p icmp -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT COMMIT # Completed on Sat Apr 15 01:40:57 2017
Nota # 2:
telnet webserver 80 eu capturei os seguintes pacotes. Esse é o comportamento esperado desde que a conexão TCP seja estabelecida (S, S-Ack, Ack).
[user@webserver ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:17:30.411474 IP (tos 0x10, ttl 64, id 34376, offset 0, flags [DF], proto TCP (6), length 60)
local.server.46710 > web.server.80: Flags [S], cksum 0x8412 (incorrect -> 0x6d96), seq 3018586542, win 29200, options [mss 1460,sackOK,TS val 3047398 ecr 0,nop,wscale 7], length 0
07:17:30.411557 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
web.server.80 > local.server.46710: Flags [S.], cksum 0x8412 (incorrect -> 0x9114), seq 2651711943, ack 3018586543, win 28960, options [mss 1460,sackOK,TS val 37704524 ecr 3047398,nop,wscale 7], length 0
07:17:30.411725 IP (tos 0x10, ttl 64, id 34377, offset 0, flags [DF], proto TCP (6), length 52)
local.server.46710 > web.server.80: Flags [.], cksum 0x840a (incorrect -> 0x301c), seq 1, ack 1, win 229, options [nop,nop,TS val 3047398 ecr 37704524], length 0
Quando tento conectar-me ao servidor web do servidor remoto através do servidor local, o tcpdump no servidor web não captura nenhum pacote (nem mesmo a sincronização inicial), mas o servidor local captura o pacote Sync sendo enviado ao servidor web (veja abaixo). Isso me faz acreditar que algo está impedindo que os pacotes sejam enviados para o servidor da Web - talvez um erro de configuração ou firewall.
[user@local ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i any
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
02:24:09.135842 IP (tos 0x10, ttl 64, id 38062, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50558 > web.server.80: Flags [S], cksum 0x668d (correct), seq 69756226, win 29200, options [mss 1460,sackOK,TS val 4780524 ecr 0,nop,wscale 7], length 0
IMPORTANTE: os pacotes não estão sendo roteados através de eth0, mas é feita uma tentativa de enviar os pacotes para o servidor web via tun0 (que falha). Eu posso confirmar isso executando tcpdump na interface tun0:
[user@local ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i tun0
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
02:28:10.295972 IP (tos 0x10, ttl 64, id 46976, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50560 > webserver.80: Flags [S], cksum 0xd560 (correct), seq 605366388, win 29200, options [mss 1460,sackOK,TS val 5021684 ecr 0,nop,wscale 7], length 0
Nota # 3:
[user@local ~]$ sudo systemctl stop firewalld
[user@webserver ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:25:17.390912 IP (tos 0x10, ttl 63, id 61767, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50580 > web.server.80: Flags [S], cksum 0x30dc (correct), seq 2601927549, win 29200, options [mss 1460,sackOK,TS val 7123514 ecr 0,nop,wscale 7], length 0
08:25:17.391003 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
web.server.80 > 10.0.2.2.50580: Flags [S.], cksum 0x4e23 (incorrect -> 0xa316), seq 959115533, ack 2601927550, win 28960, options [mss 1460,sackOK,TS val 41771503 ecr 7123514,nop,wscale 7], length 0
08:25:17.391192 IP (tos 0x0, ttl 128, id 60032, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.2.50580 > web.server.80: Flags [R], cksum 0x7339 (correct), seq 2601927550, win 8192, length 0
08:25:18.393794 IP (tos 0x10, ttl 63, id 61768, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50580 > web.server.80: Flags [S], cksum 0x2cf1 (correct), seq 2601927549, win 29200, options [mss 1460,sackOK,TS val 7124517 ecr 0,nop,wscale 7], length 0
08:25:18.393898 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
web.server.80 > 10.0.2.2.50580: Flags [S.], cksum 0x4e23 (incorrect -> 0x7e71), seq 974785773, ack 2601927550, win 28960, options [mss 1460,sackOK,TS val 41772506 ecr 7124517,nop,wscale 7], length 0
08:25:18.394003 IP (tos 0x0, ttl 128, id 60033, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.2.50580 > web.server.80: Flags [R], cksum 0x566a (correct), seq 2601927550, win 8192, length 0
Agora, claramente, o IP de origem precisa ser atualizado para corresponder ao endereço IP do servidor local antes que o pacote seja enviado ao servidor da web. Como sugerido pela @xin, o NAT precisa ser configurado no servidor local.
Nota # 4:
[user@local ~]$ sudo iptables -nvL --line-numbers .......... Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 1 60 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0 4 1 60 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 5 1 60 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 6 1 60 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 7 1 60 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 9 1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited .......... [user@local ~]$ sudo iptables -D FORWARD 9
Quando a regra 9 da cadeia FORWARD for excluída (de cima, como sugerido @xin), posso me conectar ao servidor da Web.
[user@local ~]$ sudo iptables -nvL --line-numbers .......... Chain FORWARD (policy ACCEPT 1 packets, 60 bytes) num pkts bytes target prot opt in out source destination 1 12 5857 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 2 120 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0 4 2 120 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 5 2 120 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 6 2 120 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 7 2 120 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ..........
O endereço de origem dos pacotes deve ser substituído por um dos endereços da máquina local para que as respostas possam ser recebidas pela máquina local, caso contrário não há motivos para enviar esses pacotes para os próximos roteadores. iptables MASQUERADE e SNAT são úteis para alterar o endereço de origem desses pacotes:
[user@local ~]$ iptables -t nat -A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.1/30 -j MASQUERADE -o eth0