I have been trying to solve this problem for the past few days without success. This is not my script; it is someone else's script from GitHub that I modified slightly (https://github.com/ianlee/standalone-fw). My own script wasn't working, so I thought I would try someone else's and see whether it works, but it doesn't either. I don't really want my solution done for me, but I am completely stuck, so here I am. This is a bash script.
My current setup is two virtual machines, both running the latest version of Fedora. Both have a NAT network and an internal network so that they can talk to each other. When creating the NAT network I specified the network CIDR 192.168.10.0/24. enp0s1 is the NAT network connection and enp0s8 is the internal network.
I run the following two scripts so that the "internal" machines can ping each other.
EXTERNAL_INTERFACE="enp0s1"
INTERNAL_GATEWAY_BINDING="1"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="2"
DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"
ifconfig $EXTERNAL_INTERFACE down
ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up
route add default gw $INTERNAL_SUBNET.$INTERNAL_GATEWAY_BINDING
echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf  # each resolver needs its own "nameserver" line
This is on the external machine, i.e. the machine the script will run on.
FIREWALL_IP="192.168.10.5"
EXTERNAL_SUBNET="192.168.0.0"
INTERNAL_INTERFACE="enp0s8"
INTERNAL_SUBNET="192.168.10"
INTERNAL_BINDING="1"
DNS_IP1="8.8.8.8"
DNS_IP2="8.8.4.4"
ifconfig $INTERNAL_INTERFACE $INTERNAL_SUBNET.$INTERNAL_BINDING up
route add -net $INTERNAL_SUBNET.0 netmask 255.255.255.0 gw $INTERNAL_SUBNET.$INTERNAL_BINDING
echo "1" >/proc/sys/net/ipv4/ip_forward
route add -net $EXTERNAL_SUBNET netmask 255.255.255.0 gw $FIREWALL_IP
echo -e "nameserver $DNS_IP1\nnameserver $DNS_IP2\n" >/etc/resolv.conf  # each resolver needs its own "nameserver" line
Here 192.168.10.5 is the address of enp0s1, which is connected to the internet. 192.168.10.1 and 192.168.10.2 can ping each other, but then I try to run this script.
#interface name
EXTERNAL="enp0s1"
INTERNAL="enp0s8"
INTERNAL_NETWORK="192.168.10.0/24"
#Allowing ports
TCP_ALLOW_PORTS_IN="22,80,443,8080,3131" #from these ports (acting as a client)
TCP_ALLOW_PORTS_OUT="22,80,443,8080,3131"
UDP_ALLOW_PORTS_IN="80"
UDP_ALLOW_PORTS_OUT="80"
#internal server ip
INTERNAL_SERVER_IP="192.168.10.2"
TCP_ALLOW_PORTS_IN_SERVER="80,22,443,8080,3131" #acting as server (allow connections to these ports)
TCP_ALLOW_PORTS_OUT_SERVER="80,22,443,8080,3131"
UDP_ALLOW_PORTS_IN_SERVER="80"
UDP_ALLOW_PORTS_OUT_SERVER="80"
ICMP_ALLOW_TYPES="0,8"
#block traffic to and from these IP addresses
IP_BLOCK=""
#block these ports regardless of IP or protocol.
BLOCK_PORTS_IN="0,23"
BLOCK_PORTS_OUT="0,23"
MAXIMIZE_THROUGHPUT="20"
MINIMIZE_DELAY="21,22"
DNS_PORT_IN="53"
DNS_PORT_OUT="53"
DHCP_PORT_IN="67"
DHCP_PORT_OUT="68"
#empty all existing chains
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F
#set policies to drop
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP
#SNAT
iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
#DNAT
iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP
iptables -t nat -A PREROUTING -i $EXTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -j DNAT --to $INTERNAL_SERVER_IP
arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
iptables -t nat -A PREROUTING -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j DNAT --to $INTERNAL_SERVER_IP
done
#MANGLE
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --sports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MINIMIZE_DELAY -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports $MAXIMIZE_THROUGHPUT -j TOS --set-tos Maximize-Throughput
iptables -N dhcpin
iptables -N dhcpout
iptables -N dhcpforward
iptables -N blockin
iptables -N blockout
iptables -N necessitiesin
iptables -N necessitiesout
iptables -N necessitiesforward
iptables -N icmpin
iptables -N udpin
iptables -N tcpin
iptables -N udpout
iptables -N tcpout
#chain for blocking Inbound traffic
#block inbound traffic from specific IPs
if [[ -n $IP_BLOCK ]]; then
iptables -A blockin -i $EXTERNAL -s $IP_BLOCK -j DROP
fi
#block inbound traffic from a source address from the outside matching your internal network.
iptables -A blockin -i $EXTERNAL -s $INTERNAL_NETWORK -j DROP
#block syn and fin bits.
iptables -A blockin -i $EXTERNAL -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A blockout -i $INTERNAL -p tcp ! --syn -m state --state NEW -j DROP
iptables -A blockout -i $INTERNAL -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#block inbound traffic to and from specified ports
iptables -A blockin -i $EXTERNAL -p udp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --dports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --sports $BLOCK_PORTS_IN -j DROP
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --dports $BLOCK_PORTS_IN -j DROP
#drop SYN packets from ports less than 1024
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP
#drop SYN packets to high ports
iptables -A blockin -i $EXTERNAL -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockin -i $EXTERNAL -p udp -m multiport --dports 32768:32775,137:139 -j DROP
#block outbound traffic from specific IPs
if [[ -n $IP_BLOCK ]]; then
iptables -A blockout -i $INTERNAL -d $IP_BLOCK -j DROP
fi
iptables -A blockout -i $INTERNAL ! -s $INTERNAL_NETWORK -j DROP
#block out bound to and from specified ports
iptables -A blockout -i $INTERNAL -p udp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --dports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p tcp -m multiport --sports $BLOCK_PORTS_OUT -j DROP
iptables -A blockout -i $INTERNAL -p tcp -m multiport --dports $BLOCK_PORTS_OUT -j DROP
#drop SYN packets from ports less than 1024
iptables -A blockout -i $INTERNAL -p tcp -m multiport --sports 0:1023 -m state --state NEW -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --sports 0:1023 -m state --state NEW -j DROP
#Block all external traffic directed to ports 32768 – 32775, 137 – 139, TCP ports 111 and 515.
iptables -A blockout -i $INTERNAL -p tcp -m multiport --dports 32768:32775,137:139,111,515 -j DROP
iptables -A blockout -i $INTERNAL -p udp -m multiport --dports 32768:32775,137:139 -j DROP
#allow inbound udp dns traffic
iptables -A necessitiesin -i $EXTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $DNS_PORT_IN -j ACCEPT
#allow inbound tcp dns traffic
iptables -A necessitiesin -i $EXTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT
iptables -A necessitiesforward -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $DNS_PORT_IN -j ACCEPT
#allow outbound udp dns traffic
iptables -A necessitiesout -o $EXTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
#allow outbound tcp dns traffic
iptables -A necessitiesout -o $EXTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
iptables -A necessitiesforward -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $DNS_PORT_OUT -j ACCEPT
#allow inbound udp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p udp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p udp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
#allow inbound tcp dhcp traffic
iptables -A dhcpin -i $EXTERNAL -p tcp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
iptables -A dhcpforward -i $EXTERNAL -o $INTERNAL -p tcp --dport $DHCP_PORT_OUT -m multiport --sports $DHCP_PORT_IN -j ACCEPT
#allow outbound udp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p udp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p udp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
#allow outbound tcp dhcp traffic
iptables -A dhcpout -o $EXTERNAL -p tcp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
iptables -A dhcpforward -o $EXTERNAL -i $INTERNAL -p tcp --sport $DHCP_PORT_IN -m multiport --dports $DHCP_PORT_OUT -j ACCEPT
#ICMP Chain
arr=$(echo $ICMP_ALLOW_TYPES | tr "," "\n")
for x in $arr
do
iptables -A icmpin -i $EXTERNAL -p icmp --icmp-type $x -m state --state NEW,ESTABLISHED -j ACCEPT
done
#allow inbound udp user defined traffic
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpin -i $EXTERNAL -o $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server
#add inbound udp chain to default input chain
#allow inbound user defined traffic
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_IN -m state --state ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpin -i $EXTERNAL -o $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_IN_SERVER -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a server
#allow outbound udp user defined traffic
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --dports $UDP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A udpout -o $EXTERNAL -i $INTERNAL -p udp -m multiport --sports $UDP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server
#allow outbound tcp user defined traffic
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --dports $TCP_ALLOW_PORTS_OUT -m state --state NEW,ESTABLISHED -j ACCEPT # acting as a client
iptables -A tcpout -o $EXTERNAL -i $INTERNAL -p tcp -m multiport --sports $TCP_ALLOW_PORTS_OUT_SERVER -m state --state ESTABLISHED -j ACCEPT # acting as a server
iptables -A INPUT -j dhcpin
iptables -A OUTPUT -j dhcpout
iptables -A FORWARD -j dhcpforward
iptables -A FORWARD -j blockin
iptables -A INPUT -j blockin
iptables -A FORWARD -j blockout
iptables -A INPUT -j blockout
iptables -A INPUT -j necessitiesin
iptables -A OUTPUT -j necessitiesout
iptables -A FORWARD -j necessitiesforward
iptables -A FORWARD -p icmp -j icmpin
iptables -A FORWARD -p udp -j udpin
iptables -A FORWARD -p tcp -j tcpin
iptables -A FORWARD -p udp -j udpout
iptables -A FORWARD -p tcp -j tcpout
When I run a program on the external machine and try to ping an allowed TCP or UDP port, there is no response. I can see it going through in Wireshark, but the ping command itself produces no response. This is really killing me, so any help would be greatly appreciated.
Answer 1
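Added example, not code from the question or from the standalone-fw repository: a small reachability check over an iptables-save style listing. For a built-in chain, an inbound interface and a protocol it answers whether any ACCEPT rule is reachable, directly or through the user chains the built-in chain jumps to. It models only -i and -p, so an ACCEPT carrying further matches counts as "possibly accepted" and only an unconditional DROP or RETURN stops the search. The RULES text is a constructed subset that mirrors the chain layout of the script above (the chain and interface names are the question's). On that subset it reports a reachable ACCEPT for ICMP arriving on enp0s1 in FORWARD, but none for ICMP arriving on enp0s8, the direction an echo reply from the internal server would take; in the question's script the icmpin chain likewise only holds -i $EXTERNAL rules.

```shell
#!/bin/sh
# Added reachability check; not code from the question or the standalone-fw
# repository. Only -i and -p are modelled: an ACCEPT with further matches counts
# as "possibly accepted"; a DROP/REJECT/RETURN terminates the search only when
# it carries no further matches.
# RULES is a constructed subset in iptables-save form mirroring the chain
# layout of the script in the question (same chain names and interfaces).
RULES='
-A INPUT -j dhcpin
-A INPUT -j blockin
-A INPUT -j blockout
-A INPUT -j necessitiesin
-A FORWARD -j dhcpforward
-A FORWARD -j blockin
-A FORWARD -j blockout
-A FORWARD -j necessitiesforward
-A FORWARD -p icmp -j icmpin
-A FORWARD -p tcp -j tcpin
-A FORWARD -p tcp -j tcpout
-A blockin -i enp0s1 -s 192.168.10.0/24 -j DROP
-A blockin -i enp0s1 -p tcp ! --syn -m state --state NEW -j DROP
-A blockout -i enp0s8 ! -s 192.168.10.0/24 -j DROP
-A necessitiesin -i enp0s1 -p udp -m multiport --sports 53 -j ACCEPT
-A necessitiesforward -i enp0s1 -o enp0s8 -p udp -m multiport --sports 53 -j ACCEPT
-A dhcpin -i enp0s1 -p udp --dport 68 -m multiport --sports 67 -j ACCEPT
-A icmpin -i enp0s1 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
-A tcpin -i enp0s1 -o enp0s8 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A tcpout -o enp0s1 -i enp0s8 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
'

# rules CHAIN -> one line per rule of CHAIN: "<iface> <proto> <target> <extra>"
# ("-" when -i or -p is absent; extra is y when other matches are present)
rules() {
    printf '%s\n' "$RULES" | awk -v c="$1" '
        $1 == "-A" && $2 == c {
            i = "-"; p = "-"; t = "-"; x = "n"
            for (k = 3; k <= NF; k++) {
                if ($k == "-i") i = $(k + 1)
                else if ($k == "-p") p = $(k + 1)
                else if ($k == "-j") t = $(k + 1)
                else if ($k ~ /^(!|-m|-s|-d|-o|--)/) x = "y"
            }
            print i, p, t, x
        }'
}

# matches RULE_FIELD PACKET_FIELD -> true when the rule leaves the field
# unspecified or it equals the packet's value
matches() { [ "$1" = "-" ] || [ "$1" = "$2" ]; }

# accepts CHAIN IIF PROTO -> 0 when an ACCEPT rule is reachable for a packet
# entering on IIF with protocol PROTO, 1 otherwise (chain policy would apply)
accepts() {
    rules "$1" | (
        while read -r i p t x; do
            matches "$i" "$2" && matches "$p" "$3" || continue
            case $t in
                ACCEPT) exit 0 ;;
                DROP|REJECT|RETURN) [ "$x" = y ] || exit 1 ;;
                *) if accepts "$t" "$2" "$3"; then exit 0; fi ;;
            esac
        done
        exit 1
    )
}

# report CHAIN IIF PROTO -> human-readable verdict
report() {
    if accepts "$1" "$2" "$3"; then
        echo "$1 iif=$2 proto=$3: ACCEPT reachable"
    else
        echo "$1 iif=$2 proto=$3: no ACCEPT reachable, chain policy applies"
    fi
}

report INPUT enp0s1 icmp     # echo request aimed at the firewall itself
report FORWARD enp0s1 icmp   # echo request being forwarded inward
report FORWARD enp0s8 icmp   # echo reply coming back from the inside
report FORWARD enp0s8 tcp    # TCP reply traffic from the inside
```

Feed it a real `iptables-save` dump by replacing RULES and it gives a quick per-direction view of where a DROP policy will apply before any packet capture is needed.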
So the external network address (fw CPU) is 192.168.0.0/24 towards the gateway. That makes 192.168.0.1 - 192.168.0.254 the usable host addresses for connected devices, but the hosts are on 192.168.10.0. Since 192.168.0/24 is a different network address, you would need to add a router so that the two different network addresses can communicate; otherwise traffic will not be routed to 192.168.10.0/24. Are you using VirtualBox?
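Added example, not code from the question or the answer: a POSIX shell check of the addressing described in the question, assuming (as assumed here, not stated on the page) that ifconfig without a netmask puts a 192.168.x address on a /24. It reports which interfaces of one host sit on overlapping prefixes and whether a route's gateway is on-link; the interface/address pairs are the ones from the question's scripts, and the 192.168.0.0/24 versus 192.168.10.0/24 comparison is the point the answer makes.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Pure POSIX shell
# IPv4 prefix arithmetic used to check the addressing described on this page.
# Assumption: ifconfig without a netmask puts a 192.168.x address on a /24.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask LEN -> netmask for a /LEN prefix as an integer
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_prefix ADDR CIDR -> true when ADDR lies inside CIDR
in_prefix() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# overlap CIDR1 CIDR2 -> true when the two prefixes share addresses
# (two prefixes overlap exactly when one contains an address of the other)
overlap() {
    in_prefix "${1%/*}" "$2" || in_prefix "${2%/*}" "$1"
}

# overlapping_ifaces "IF:CIDR IF:CIDR ..." -> prints every overlapping pair,
# true when at least one pair was found
overlapping_ifaces() {
    found=1
    set -- $1
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            if overlap "${a#*:}" "${b#*:}"; then
                echo "${a%%:*} ${a#*:} overlaps ${b%%:*} ${b#*:}"
                found=0
            fi
        done
    done
    return $found
}

# gateway_onlink GW "IF:CIDR ..." -> true when GW is inside one of the host's
# own interface prefixes (a next hop has to be directly reachable)
gateway_onlink() {
    for e in $2; do
        in_prefix "$1" "${e#*:}" && return 0
    done
    return 1
}

# Interface addresses as set by the scripts in the question (constructed
# lists; /24 assumed for both interfaces).
FW_IFACES="enp0s1:192.168.10.5/24 enp0s8:192.168.10.1/24"
INSIDE_IFACES="enp0s8:192.168.10.2/24"

overlapping_ifaces "$FW_IFACES" || echo "firewall: no overlapping prefixes"
if gateway_onlink 192.168.10.1 "$INSIDE_IFACES"; then
    echo "inside host: default gateway 192.168.10.1 is on-link"
fi
if in_prefix 192.168.10.5 192.168.0.0/24; then
    echo "192.168.10.5 is inside 192.168.0.0/24"
else
    echo "192.168.10.5 is not inside 192.168.0.0/24: different /24 networks"
fi
```

Run against the question's addresses it reports that enp0s1 and enp0s8 on the firewall both sit on 192.168.10.0/24 and that 192.168.10.5 is not an address of 192.168.0.0/24, which is exactly the kind of mismatch to rule out before looking at the iptables rules themselves.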