Re: [問答] Iptables 命令 疑問??

作者kuangs (kuangs)

看板Network

標題Re: [問答] Iptables 命令疑問??

時間Thu Mar 7 17:10:54 2013

※ 引述《kuangs (kuangs)》之銘言： : 小弟在學習Iptables 時遇到一個問題 : 當我下iptables -A INPUT -d 192.168.1.222 -p tcp -m state --state NEW -j DROP : 會無法開啟網頁但是可以PING 出去 (192.168.1.222 是我的interface IP) : 但是使用 : iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT : iptables -A INPUT -j DROP : 卻可以成功開啟網頁 : 查了一些書籍 : 第一條意思是目的端為192.168.1.222 的新連線封包(state NEW) 都DROP : 第二條允許成功建立的連線(state ESTABLISHED)通過 : 然後把所有的進入封包都DROP : 照理說第二條擋住的封包應該比第一條多 : 可是為什麼反而是第二條可以開網頁第一條不能呢???? : --------------------------------------------------------------------- : 第一條 : Chain INPUT (policy ACCEPT 87 packets, 8182 bytes) : pkts bytes target prot opt in out source destination : 0 0 REJECT icmp -- * * 0.0.0.0/0 192.168.1.222 icmp type 8 reject-with icmp-proto-unreachable : 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset : 0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.222 state NEW : 第二條 : Chain INPUT (policy ACCEPT 0 packets, 0 bytes) : pkts bytes target prot opt in out source destination : 0 0 REJECT icmp -- * * 0.0.0.0/0 192.168.1.222 icmp type 8 reject-with icmp-proto-unreachable : 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset : 0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.222 state NEW : 22 1572 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED : 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 : 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 : 順便請問一下在剛才網路上爬文時有一個疑問 : 當下iptable 指令時如果不加 -t 那下的指令算是 filter nat mangle 的哪一個呢??? 補充一下剛剛我分別使用第一條與第二條做Tcpdump 得到以下結果第一條無法開啟網頁 IP 192.168.1.222.1111 > 173.194.72.94.80: Flags [S], cksum 0xc85d (correct), seq 3501390017, win 8192, options [mss 1444,nop,wscale 8,nop,nop,sackOK], length 0 IP 173.194.72.94.80 > 192.168.1.222.1111: Flags [S.], cksum 0x6f05 (correct), seq 1429024355, ack 3501390018, win 62920, options [mss 1428,nop,nop,sackOK,nop,wscale 6], length 0 IP 192.168.1.222.1111 > 173.194.72.94.80: Flags [R], cksum 0x291d (correct), seq 3501390018, win 0, length 0 IP 192.168.1.222.1111 > 173.194.72.94.80: Flags [.], cksum 0xa47f (correct), ack 1, win 256, length 0 IP 173.194.72.94.80 > 192.168.1.222.1111: Flags [R], cksum 0x6f01 (correct), seq 1429024356, win 0, length 0 IP 216.115.100.102.80 > 192.168.1.222.1100: Flags [S.], cksum 0x420f (correct), seq 1363709487, ack 3942393240, win 14600, options [mss 1428,nop,nop,sackOK,nop,wscale 8], length 0 IP 192.168.1.222.1100 > 216.115.100.102.80: Flags [R], cksum 0x9b4f (correct), seq 3942393240, win 0, length 0 IP 192.168.1.222.1100 > 216.115.100.102.80: Flags [.], cksum 0x869c (correct), ack 1, win 16422, options [nop,nop,sack 1 {0:1}], length 0 IP 216.115.100.102.80 > 192.168.1.222.1100: Flags [R], cksum 0xcc6b (correct), seq 1363709488, win 0, length 0 第二條可以瀏覽網頁 IP 192.168.1.222.1062 > 173.194.72.94.80: Flags [S], cksum 0xb3a6 (correct), seq 2071618274, win 8192, options [mss 1444,nop,wscale 8,nop,nop,sackOK], length 0 IP 173.194.72.94.80 > 192.168.1.222.1062: Flags [S.], cksum 0x4e72 (correct), seq 3634935491, ack 2071618275, win 62920, options [mss 1428,nop,nop,sackOK,nop,wscale 6], length 0 IP 192.168.1.222.1062 > 173.194.72.94.80: Flags [.], cksum 0x83ec (correct), ack 1, win 256, length 0 IP 192.168.1.222.1062 > 173.194.72.94.80: Flags [P.], cksum 0x80e3 (correct), seq 1:2, ack 1, win 256, length 1 IP 173.194.72.94.80 > 192.168.1.222.1062: Flags [.], cksum 0x8113 (correct), ack 2, win 984, length 0 IP 173.194.72.94.80 > 192.168.1.222.1062: Flags [P.], cksum 0x680b (correct), seq 1:1069, ack 2, win 984, length 1068 IP 173.194.72.94.80 > 192.168.1.222.1062: Flags [F.], cksum 0x7ce6 (correct), seq 1069, ack 2, win 984, length 0 請各位大大幫忙解惑?!! -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 218.211.253.68

→ asadfish:你應該是用router本身開網頁吧?? 03/07 20:03

→ kuangs:Route做NAT 所以出去是Route的IP 03/08 09:01

推 asadfish:所以…是不是用router本身開的= =|||…我輸了… 03/08 09:34

→ asadfish:http://0rz.tw/duUmw 我只能給你這張圖… 03/08 09:35

→ kuangs:Route 後面電腦開的 03/08 10:30

推 asadfish:iptables -L -n -v，filter 的 Forward 跟 nat 全貼一下 03/08 10:43

Filter Chain INPUT (policy ACCEPT 27813 packets, 2496K bytes) pkts bytes target prot opt in out source destination 0 0 REJECT icmp -- * * 0.0.0.0/0 192.168.1.222 icmp type 8 reject-with icmp-proto-unreachable 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset 1371 1610K DROP tcp -- * * 0.0.0.0/0 192.168.1.222 state NEW Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 33320 packets, 2957K bytes) pkts bytes target prot opt in out source destination nat Chain PREROUTING (policy ACCEPT 10267 packets, 1460K bytes) pkts bytes target prot opt in out source destination 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:4000 to:172.31.3.1 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:23456 to:172.31.3.1:22 0 0 DNAT icmp -- * * 0.0.0.0/0 192.168.1.222 icmp type 8 to:172.31.3.1 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:22 to:172.31.3.1 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:443 to:172.31.3.1 Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination 22679 1905K SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x3e9 gw gw c0a801fe to:192.168.1.222 1 69 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x8ff2710 gw gw c0a801fe to:192.168.1.222 0 0 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x8ff2711 gw gw c0a801fe to:192.168.1.222 0 0 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x8ff2712 gw gw c0a801fe to:192.168.1.222 Chain OUTPUT (policy ACCEPT 27697 packets, 2326K bytes) pkts bytes target prot opt in out source destination 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:4000 to:172.31.3.1 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:23456 to:172.31.3.1:22 0 0 DNAT icmp -- * * 0.0.0.0/0 192.168.1.222 icmp type 8 to:172.31.3.1 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:22 to:172.31.3.1 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.222 tcp dpt:443 to:172.31.3.1 mangle Chain PREROUTING (policy ACCEPT 42831 packets, 6328K bytes) pkts bytes target prot opt in out source destination 35261 5063K IMQ all -- eth0 * 0.0.0.0/0 0.0.0.0/0 IMQ: todev 0 1840 623K IMQ all -- eth3 * 0.0.0.0/0 0.0.0.0/0 IMQ: todev 3 1840 623K IMQ all -- eth3 * 0.0.0.0/0 0.0.0.0/0 IMQ: todev 1 35261 5063K IMQ all -- eth0 * 0.0.0.0/0 0.0.0.0/0 IMQ: todev 60 Chain INPUT (policy ACCEPT 31582 packets, 4712K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 197 packets, 10302 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 35218 packets, 3134K bytes) pkts bytes target prot opt in out source destination 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 MARK set 0x8ff2710 22 1643 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 MARK set 0x8ff2710 0 0 MARK tcp -- * * 172.31.3.1 0.0.0.0/0 tcp spt:4000 MARK set 0x4647535 0 0 MARK icmp -- * * 172.31.3.1 0.0.0.0/0 icmp type 0 MARK set 0x464753a 905 85408 MARK tcp -- * * 172.31.3.1 0.0.0.0/0 tcp spt:22 MARK set 0x464753f 0 0 MARK tcp -- * * 172.31.3.1 0.0.0.0/0 tcp spt:443 MARK set 0x4647544 22687 1906K MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 ICMPID id is 1001 MARK set 0x3e9 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:1001 MARK set 0x3e9 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:1101 MARK set 0x3e9 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1001 MARK set 0x3e9 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:10001:10100 MARK set 0x3e9 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:12001:12100 MARK set 0x3e9 5718 480K MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 ICMPID id is 1002 MARK set 0x3ea 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:1002 MARK set 0x3ea 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:1102 MARK set 0x3ea 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1002 MARK set 0x3ea 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:10101:10200 MARK set 0x3ea 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:12101:12200 MARK set 0x3ea 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 MARK set 0x8ff2711 0 0 CTDIRMARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW,ESTABLISHED CTDIRMARK set original0x8ff2712 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctdirmark match --mark_original 0x8ff2712 MARK set 0x8ff2712 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 MARK set 0x8ff2712 Chain POSTROUTING (policy ACCEPT 35415 packets, 3144K bytes) pkts bytes target prot opt in out source destination 23065 1937K IMQ all -- * eth0 0.0.0.0/0 0.0.0.0/0 IMQ: todev 60 5716 480K IMQ all -- * eth1 0.0.0.0/0 0.0.0.0/0 IMQ: todev 60 ※ 編輯: kuangs 來自: 218.211.253.68 (03/08 11:13)

→ posture:首先確認一下,規則是在router上？後面的電腦開不了網頁？ 03/11 11:38

→ posture:如果是這樣，請看filter的Forward chain，跟INPUT無關 03/11 11:38

→ posture:除非有nat，redirect了http到router，才會跟input有關 03/11 11:39

→ posture:再來，能不能ping，跟你提供的兩條規則也無關，ping是icmp 03/11 11:39

→ posture:發現上一篇很多人都回應了.看到你的mangle有打mark udp 53 03/11 11:57

→ posture:client的dns是設router？router本身有dns？ 03/11 11:57