| Цитата |
|---|
nmalykh пишет:
Это правило пропустит SYN пакеты из ЛВС наружу, но ответы на них (SYN ACK) правило -m state --state RELATED,ESTABLISHED не пропустит, поскольку соединение еще не перешло в состояние ESTABLISHED (оно пока NEW). |
Проведем эксперимент:
#iptables -F
#iptables -t nat -F
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD DROP
#iptables -A FORWARD -i eth0 -j ACCEPT
#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#ping -c 2 fbsd
PING fbsd.local (192.168.100.20) 56(84) bytes of data.
64 bytes from fbsd.local (192.168.100.20): icmp_seq=1 ttl=64 time=3.35 ms
64 bytes from fbsd.local (192.168.100.20): icmp_seq=2 ttl=64 time=0.137 ms
--- fbsd.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.137/1.745/3.354/1.609 ms
#ping -c 2 zerling
PING zerling.local (192.168.0.2) 56(84) bytes of data.
64 bytes from zerling.local (192.168.0.2): icmp_seq=1 ttl=128 time=0.263 ms
64 bytes from zerling.local (192.168.0.2): icmp_seq=2 ttl=128 time=0.249 ms
--- zerling.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.249/0.256/0.263/0.007 ms
#ifconfig eth0|grep inet
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::210:22ff:feff:cb56/64 Scope:Link
#ifconfig vmnet1|grep inet
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
#host fbsd
fbsd.local has address 192.168.100.20
#host zerling
zerling.local has address 192.168.0.2
#tcpdump -i vmnet1 -vv
tcpdump: listening on vmnet1, link-type EN10MB (Ethernet), capture size 96 bytes
...
19:51:15.669849 arp who-has fbsd.local tell galaxy.local
19:51:15.669969 arp reply fbsd.local is-at 00:0c:29:dc:fb:43
19:51:27.728603 IP (tos 0x0, ttl 127, id 9005, offset 0, flags [DF], length: 48) zerling.local.1658 > fbsd.local.ssh: S [tcp sum ok] 320387860:320387860(0) win 65535 <mss 1460,nop,nop,sackOK>
19:51:27.728823 IP (tos 0x0, ttl 64, id 125, offset 0, flags [DF], length: 44) fbsd.local.ssh > zerling.local.1658: S [tcp sum ok] 581535683:581535683(0) ack 320387861 win 57344 <mss 1460>
19:51:27.729043 IP (tos 0x0, ttl 127, id 9006, offset 0, flags [DF], length: 40) zerling.local.1658 > fbsd.local.ssh: . [tcp sum ok] 1:1(0) ack 1 win 65535
19:51:27.733549 IP (tos 0x0, ttl 64, id 126, offset 0, flags [DF], length: 80) fbsd.local.ssh > zerling.local.1658: P [tcp sum ok] 1:41(40) ack 1 win 58400
19:51:27.788789 IP (tos 0x0, ttl 127, id 9007, offset 0, flags [DF], length: 68) zerling.local.1658 > fbsd.local.ssh: P [tcp sum ok] 1:29(28) ack 41 win 65495
19:51:27.789789 IP (tos 0x0, ttl 64, id 127, offset 0, flags [DF], length: 316) fbsd.local.ssh > zerling.local.1658: P 41:317(276) ack 29 win 58400
19:51:27.806546 IP (tos 0x0, ttl 127, id 9008, offset 0, flags [DF], length: 196) zerling.local.1658 > fbsd.local.ssh: P 29:185(156) ack 317 win 65219
19:51:27.815865 IP (tos 0x0, ttl 64, id 128, offset 0, flags [DF], length: 52) fbsd.local.ssh > zerling.local.1658: P [tcp sum ok] 319:329(12) ack 185 win 58400
...
28 packets captured
28 packets received by filter
0 packets dropped by kernel
Т.е. с правилами
#iptables -P FORWARD DROP
#iptables -A FORWARD -i eth0 -j ACCEPT
#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
SSH от машины на eth0 до вирт машины в host-network на vmnet1 работает нормально, с машины в vmnet1 до машины в eth0 пакеты не доходят(т.к. правило -A FORWARD -i eth0 -j ACCEPT пропускает SYN-ы только от машины на eth0).
Эти 2 правила в данном случае эквивалентны:
# iptables -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -i eth0 -o vmnet1 -j ACCEPT
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Первое форвардит любые пакеты, летящие с локалки на eth0 куда угодно(пакеты как новых соединений, так и уже установленных). А второе правило пропускает все пакеты только для уже установленных соединений.
