rai*_*san 6 iptables networking tcp-ip
Background
Operating system: Ubuntu 16.04 x64 running on VirtualBox
I am a developer with minimal Ubuntu/Linux knowledge, and I have been assigned to a project whose goal is to use tcpcrypt when communicating with certain endpoints.
tcpcrypt ships with a shell script that sets up the required iptables entries to route packets to tcpcrypt for encryption/decryption. After running this script, iptables looks like this:
filter
Chain INPUT (policy ACCEPT 4 packets, 552 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- lo any anywhere anywhere tcp dpt:65530 tos match0x22/0xff
0 0 NFQUEUE tcp -- any any !localhost anywhere tcp dpt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN NFQUEUE num 666
0 0 NFQUEUE tcp -- any any anywhere anywhere multiport sports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE tcp -- any any anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666
0 0 NFQUEUE tcp -- any any anywhere anywhere tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666
nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s owner UID match tcpcryptd
REDIRECT tcp -- anywhere anywhere multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530
mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
TOS all -- anywhere anywhere tos match0x04/0xff TOS and 0x00
With these entries, every packet is placed in a queue from which tcpcrypt picks it up for enc/dec.
Update
Here is the iptables script:
Question
How should I modify the current iptables entries (see above) to achieve the following restriction:
What I have tried
A) I tried adding the desired IP address as the tcp destination in the OUTPUT chain, like this:
Chain OUTPUT (policy ACCEPT 4 packets, 536 bytes)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE tcp -- any any anywhere XXX.XXX.XXX.XXX multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s tos match0x04/0xff owner UID match tcpcryptd NFQUEUE num 666
0 0 NFQUEUE tcp -- any any anywhere XXX.XXX.XXX.XXX tcp spt:65530 flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK NFQUEUE num 666
B) I tried adding source and destination parameters to the NAT rule:
target prot opt source destination
REDIRECT tcp -- XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX multiport dports !ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s redir ports 65530
But regardless of the destination address, all packets are still sent to tcpcrypt.
I found a solution, a working one based on approach B):
For incoming packets on the PREROUTING chain of the nat table, I had tried to filter as follows
$nat PREROUTING -p tcp -s XXX.XXX.XXX.XXX $to_enabled_port \
-j $REDIRECT
where the -s option and its IP value come after -p tcp. I then changed it to
$nat PREROUTING -s XXX.XXX.XXX.XXX -p tcp $to_enabled_port \
-j $REDIRECT
With this change, and the corresponding modification to the OUTPUT chain of the nat table, the desired result was achieved.
Interestingly, the output of iptables -t nat --line-numbers -L -nv looks exactly the same for either of the above commands. Nevertheless, only the second one produces the result required by my restriction.
Here is a modified version of iptables.sh that allows one or more IPs to be specified to which tcpcrypt is restricted.
See FILTER_IP below.
$nat PREROUTING -p tcp -s XXX.XXX.XXX.XXX $to_enabled_port \
-j $REDIRECT
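The following is an added example, not code from the original post or from the tcpcrypt project's iptables.sh. It generates the nat-table rules that divert traffic to tcpcryptd (PREROUTING for connections a peer opens to this host, OUTPUT for connections this host opens) with a peer-address match on every REDIRECT, for one or more addresses in FILTER_IP, and refuses to apply a rule set in which any REDIRECT has been left unrestricted. The redirect port 65530 and the excluded-port list are copied from the dump above; the addresses are constructed documentation addresses, and the IPT and APPLY variables and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not the tcpcrypt project's own iptables.sh: build the nat-table
# rules that divert traffic to tcpcryptd, restricted to the peers in FILTER_IP.
# Assumptions (not from the original post): redirect port 65530 and the excluded
# port list are copied from the dump above; the addresses in FILTER_IP are
# constructed documentation addresses; IPT and APPLY are knobs introduced here.
# By default the rules are only printed (dry run); APPLY=1 executes them (root).

IPT=${IPT:-iptables}
REDIR_PORT=65530
# Ports the original script leaves alone, as numbers (the dump shows them as
# ssh,261,https,nntps,614,ldaps,684,695,ftps-data,ftps,telnets:pop3s).
DISABLED_PORTS='22,261,443,563,614,636,684,695,989,990,992:995'
# Space-separated list of peers to which tcpcrypt is restricted (constructed).
FILTER_IP=${FILTER_IP:-'192.0.2.10 198.51.100.7'}

# Emit the nat rules for the given peer addresses, one address per argument.
# PREROUTING handles connections the peer opens to us, so it matches -s;
# OUTPUT handles connections we open to the peer, so it matches -d.
tcpcrypt_nat_rules() {
    # tcpcryptd's own outgoing sockets must not be redirected back to itself,
    # so the owner ACCEPT goes first, as in the nat OUTPUT chain of the dump.
    printf '%s -t nat -A OUTPUT -p tcp -m multiport ! --dports %s -m owner --uid-owner tcpcryptd -j ACCEPT\n' \
        "$IPT" "$DISABLED_PORTS"
    for ip in "$@"; do
        printf '%s -t nat -A PREROUTING -s %s -p tcp -m multiport ! --dports %s -j REDIRECT --to-ports %s\n' \
            "$IPT" "$ip" "$DISABLED_PORTS" "$REDIR_PORT"
        printf '%s -t nat -A OUTPUT -d %s -p tcp -m multiport ! --dports %s -j REDIRECT --to-ports %s\n' \
            "$IPT" "$ip" "$DISABLED_PORTS" "$REDIR_PORT"
    done
}

# Guard: succeed only if every REDIRECT rule in $1 carries a -s or -d match.
# A single unrestricted REDIRECT would again divert all traffic to tcpcryptd.
all_redirects_restricted() {
    ! printf '%s\n' "$1" | grep -e '-j REDIRECT' | grep -qvE -e ' -[sd] [0-9.]+ '
}

# Count the REDIRECT rules in $1 (two per peer address).
count_redirects() {
    printf '%s\n' "$1" | grep -c -e '-j REDIRECT'
}

# FILTER_IP is deliberately unquoted so that it splits into one argument per address.
rules=$(tcpcrypt_nat_rules $FILTER_IP)
if ! all_redirects_restricted "$rules"; then
    echo 'refusing: an unrestricted REDIRECT rule was generated' >&2
    exit 1
fi
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | while IFS= read -r cmd; do eval "$cmd"; done
else
    printf '%s\n' "$rules"
fi
```

Run it as-is to print the rules; `APPLY=1 FILTER_IP='192.0.2.10' sh tcpcrypt-nat.sh` executes them and needs root. The REDIRECT is applied in the nat table, which a packet traverses before the filter table (nat PREROUTING before filter INPUT, nat OUTPUT before filter OUTPUT), so adding a destination match only to the filter-table NFQUEUE rules, as in approach A, leaves every connection still being redirected to port 65530; the address match has to be on the REDIRECT rules themselves, which is what the generator enforces.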