
Eduardo Lucio's questions

Eduardo Lucio
Asked: 2021-06-29 12:01:04 +0800 CST

Gateway problem - "ping" works, "curl" does not

  • 5

We have a server [S]SRV_GATEWAY with two NICs ([I]WAN/INT_LAN and [I]PRIV_LAN), configured as GATEWAY, DNS and DHCP for a private network ([N]PRIV_LAN).

The server [S]SRV_GATEWAY accesses the Internet (it uses itself as DNS), and all the other servers ([S]PRIV_SRV_X) use the DHCP, DNS and GATEWAY provided by server [S]SRV_GATEWAY.

  • Network layout...
                     [N]WAN/INT_LAN (10.2.0.0/24)
                      ↕
                     [I]WAN/INT_LAN
                  [S]SRV_GATEWAY
                     [I]PRIV_LAN
                      ↕
                     [N]PRIV_LAN (10.3.0.0/24)
                      ↕
       ...............................
       ↕              ↕              ↕
      [S]PRIV_SRV_0  [S]PRIV_SRV_1  [S]PRIV_SRV_0
                     [S]PRIV_SRV_2  [S]PRIV_SRV_0
                     [S]PRIV_SRV_3
    
     _ [N] - Network;
     _ [I] - Network Interface;
     _ [S] - Server.
    
     _ [N]WAN/INT_LAN - Has internet access;
     _ [N]PRIV_LAN - Private network.

Question: why can we successfully ping servers on the Internet, but cannot reach the same servers from server [S]PRIV_SRV_0 using curl (see the output below)?

    [root@okd4-bootstrap core]# ping -c 2 www.google.com
    PING www.google.com (172.217.18.196) 56(84) bytes of data.
    64 bytes from ham02s14-in-f196.1e100.net (172.217.18.196): icmp_seq=1 ttl=113 time=10.5 ms
    64 bytes from par10s38-in-f4.1e100.net (172.217.18.196): icmp_seq=2 ttl=113 time=10.6 ms
    
    --- www.google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 10.500/10.548/10.597/0.048 ms

    [root@okd4-bootstrap core]# curl http://www.google.com
    curl: (7) Failed to connect to www.google.com port 80: No route to host

Extra:

  • How SRV_GATEWAY was set up as GATEWAY:

Server SRV_GATEWAY was configured as GATEWAY with the commands...

Enable IP forwarding...

tee "/etc/sysctl.d/ip_forward.conf" << EOF
net.ipv4.ip_forward=1
EOF
sysctl -w net.ipv4.ip_forward=1

Set up an outbound NAT gateway on NIC ens3 ([I]WAN/INT_LAN) that masquerades the devices configured in CIDR 10.3.0.0/24...

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens3 -j MASQUERADE -s 10.3.0.0/24
firewall-cmd --reload

  • Some information obtained from server [S]PRIV_SRV_0:

[root@okd4-bootstrap core]# cat /etc/resolv.conf | grep -i '^nameserver' | head -n1 | cut -d ' ' -f2
10.3.0.14

[root@okd4-bootstrap core]# ip r
default via 10.3.0.14 dev ens3 proto dhcp metric 100 
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100 

[root@okd4-bootstrap core]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.3.0.14       0.0.0.0         UG    100    0        0 ens3
10.3.0.0        0.0.0.0         255.255.255.0   U     100    0        0 ens3

[root@okd4-bootstrap core]# netstat -r -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.3.0.14       0.0.0.0         UG        0 0          0 ens3
10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ens3

[root@okd4-bootstrap core]# ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=11.0 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.769/10.891/11.013/0.122 ms

[root@okd4-bootstrap core]# cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 10.3.0.14
search okd.local

[root@okd4-bootstrap core]# tracepath 8.8.8.8
 1?: [LOCALHOST]                      pmtu 1500
 1:  api-int.mbr.okd.local                                 0.526ms 
 1:  api-int.mbr.okd.local                                 0.855ms 
 2:  okd4-services.okd.local                               1.842ms !H
     Resume: pmtu 1500 

[root@okd4-bootstrap core]# tracepath www.google.com
 1?: [LOCALHOST]                      pmtu 1500
 1:  api.mbr.okd.local                                     0.481ms 
 1:  api-int.mbr.okd.local                                 0.562ms 
 2:  api.mbr.okd.local                                     0.553ms !H
     Resume: pmtu 1500 

[root@okd4-bootstrap core]# ip route show
default via 10.3.0.14 dev ens3 proto dhcp metric 100 
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100 

[root@okd4-bootstrap core]# nslookup www.google.com
Server:         10.3.0.14
Address:        10.3.0.14#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.18.196
Name:   www.google.com
Address: 2a00:1450:4007:805::2004

[root@okd4-bootstrap core]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Thanks! =D

networking dns
  • 1 answer
  • 565 Views
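Both forwarding symptoms on this page (here, ping working while curl reports "No route to host" from behind the firewalld gateway; further down, the firewall-cmd forward port that ends in "Connection refused") come down to which rule in the filter FORWARD chain sees the packet first. The following is an added example and not code from the original posts: it parses a small subset of iptables-save syntax and walks the FORWARD chain with iptables -j/-g/RETURN semantics to report the deciding rule. The two rule sets are constructed, trimmed copies of the iptables-save dumps in the firewall-cmd post; the gateway set is an assumption modelled on that layout, since the gateway's own filter rules are not shown, and ens4 as the gateway's private-side NIC is also assumed (the post names only ens3).

```python
"""Walk iptables filter chains to find the rule that settles a forwarded packet.
Added example, not code from the original posts. Handles the matches used in the
dumps on this page (-i -o -p -s -d --dport --ctstate) and the targets ACCEPT/DROP/
REJECT/RETURN plus -j/-g into user chains; '!' negation is not supported."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
KEYS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src",
        "-d": "dst", "--dport": "dport", "--ctstate": "ctstate"}

def parse_rules(dump):
    """Return {chain: [rule, ...]} from the '-A CHAIN ...' lines of one table."""
    chains = {}
    for line in dump.splitlines():
        argv = shlex.split(line)
        if argv[:1] != ["-A"]:                     # skips ':CHAIN', '#', 'COMMIT', blanks
            continue
        rule = {"raw": line, "match": {}, "target": None, "goto": False}
        for i in range(2, len(argv), 2):           # every option here takes exactly one value
            tok, val = argv[i], argv[i + 1]
            if tok in ("-j", "-g"):
                rule["target"], rule["goto"] = val, tok == "-g"
            elif tok == "--reject-with":
                rule["reject_with"] = val
            elif tok != "-m":                      # '-m module' carries nothing we need
                rule["match"][KEYS[tok]] = val     # KeyError -> unsupported match
        chains.setdefault(argv[1], []).append(rule)
    return chains

def _matches(rule, pkt):
    for key, want in rule["match"].items():
        have = pkt.get(key)
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif key == "ctstate":
            if have not in want.split(","):
                return False
        elif str(have) != want:
            return False
    return True

def _walk(chains, chain, pkt):
    """Return (verdict, rule) or None when the chain returns to its caller."""
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt == "RETURN":
            return None
        if tgt in TERMINAL:
            suffix = " " + rule.get("reject_with", "icmp-port-unreachable") if tgt == "REJECT" else ""
            return tgt + suffix, rule["raw"]
        result = _walk(chains, tgt, pkt)           # -j or -g into a user chain
        if result is not None or rule["goto"]:     # -g: the target's return returns from here too
            return result
    return None

def decide(dump, pkt, chain="FORWARD", policy="ACCEPT"):
    """Verdict and deciding rule for pkt entering chain; the policy applies if nothing matched."""
    return _walk(parse_rules(dump), chain, pkt) or (policy, "chain policy")

# Constructed (assumption): firewalld 'public' zone FORWARD layout, as in the firewall-cmd
# post's dump, on a gateway whose MASQUERADE came from a direct passthrough (no forward allow).
GATEWAY = """
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -g FWDI_public
-A FWDI_public -p icmp -j ACCEPT
"""
# Constructed, trimmed from the 'not working' filter table of the firewall-cmd post:
# libvirt's rules head the FORWARD chain; firewalld's direct chain is reached later.
HOST_NOT_WORKING = """
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_direct -j ACCEPT
-A FWDI_public -p icmp -j ACCEPT
"""
HOST_WORKING = "-A FORWARD -j ACCEPT" + HOST_NOT_WORKING   # what 'iptables -I FORWARD ... -j ACCEPT' produces
# Constructed packets; 'ens4' as the gateway's private NIC is an assumption (the post names only ens3).
LAN_ICMP = {"in": "ens4", "out": "ens3", "proto": "icmp", "src": "10.3.0.4", "dst": "8.8.8.8", "ctstate": "NEW"}
LAN_TCP = dict(LAN_ICMP, proto="tcp", dst="172.217.18.196", dport=80)
SSH_FWD = {"in": "ens33", "out": "virbr0", "proto": "tcp", "src": "192.0.2.10",   # post-DNAT: dst is the guest
           "dst": "10.1.0.9", "dport": 22, "ctstate": "NEW"}

if __name__ == "__main__":
    for name, dump, pkt in [("gateway icmp", GATEWAY, LAN_ICMP), ("gateway tcp/80", GATEWAY, LAN_TCP),
                            ("host, firewall-cmd", HOST_NOT_WORKING, SSH_FWD), ("host, iptables -I", HOST_WORKING, SSH_FWD)]:
        print(f"{name:19} -> {decide(dump, pkt)}")
```

On the gateway, the ICMP echo is accepted by the zone's `-p icmp -j ACCEPT` rule, while the TCP SYN falls through to `REJECT --reject-with icmp-host-prohibited`; the client's kernel turns that ICMP into EHOSTUNREACH, which is curl's "No route to host" and tracepath's `!H` at the gateway hop. On the KVM host, the DNATed SYN to the guest is rejected by libvirt's `-o virbr0 ... REJECT` (port-unreachable, reported as "Connection refused") before FORWARD ever jumps to FORWARD_direct, where `firewall-cmd --direct` appends its ACCEPT; `iptables -I FORWARD` put its ACCEPT above libvirt's rules, which is why that variant works.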
Eduardo Lucio
Asked: 2021-06-22 10:37:25 +0800 CST

How to configure my server's hostname from a service on the network? What should I use? DHCP? A DNS? Both?

  • 5

I am trying to establish a way to configure server hostnames in a centralized manner, that is, from some service on the network.

I know there are three names that can identify a server...

  • Transient: received from the network configuration;
  • Static: provided by the kernel;
  • Pretty: provided by the user.

So I want my CentOS 7/8 servers to use the transient hostname as their name. In fact, when logging into the terminal, it shows me the name obtained from the network...

[user_name@my-net-hostname ~]$

...and the machine can at least identify itself by name...

[user_name@my-net-hostname ~]$ ping -c 4 my-net-hostname
PING my-net-hostname.my.domain (10.3.0.4) 56(84) bytes of data.
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=2 ttl=64 time=0.086 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=3 ttl=64 time=0.077 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=4 ttl=64 time=0.098 ms

--- my-net-hostname.my.domain ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.077/0.113/0.193/0.046 ms

Note: in the case above, this hostname is defined in DHCP, and there is also a DNS that knows the name "my-net-hostname".

Note: in my view, the correct approach is to use DHCP and DNS, that is, one defines the server's name (hostname) and the other defines where that server can be found, but I have had difficulty confirming this information.

Question: how to configure my server's hostname from a service on the network? What should I use? DHCP? A DNS? Both?


Thanks! =D

[References: https://askubuntu.com/questions/104918/how-to-get-the-hostname-from-a-dhcp-server, https://codingbee.net/rhcsa/rhcsa-configuring-hostnames-and-dns, https://www.redhat.com/sysadmin/set-hostname-linux]

dns dhcp
  • 1 answer
  • 77 Views
Eduardo Lucio
Asked: 2021-06-12 13:48:48 +0800 CST

KVM virtual machine networking - guest-guest/VM-VM only network (no host/hypervisor access, no outbound connectivity)

  • 6

I know that with the virsh command it is possible to create several types of networks (for example a "NAT network"), as we can see at these URLs...

KVM network management
KVM default NAT-based networking (page 33)

Question: how to create a network (lan_n) in which only the guests/VMs have connectivity, with no outbound connectivity and no host/hypervisor connectivity?

Note: connectivity to other resources will be provided by a pfSense firewall server, which will have access to another network (wan_n) that has outbound connectivity and other resources.

Network layout...

                [N]wan_n
                 ↕
                [I]wan_n
            [V]pfsense_vm
                [I]lan_n
                 ↕
                [N]lan_n
                 ↕
   .............................
   ↕             ↕             ↕
  [V]some_vm_0  [V]some_vm_1  [V]some_vm_4
                [V]some_vm_2  [V]some_vm_5
                [V]some_vm_3

 _ [N] - Network;
 _ [I] - Network Interface;
 _ [V] - Virtual Machine.

Note: the host/hypervisor operating system is CentOS 7.

Thanks! =D

virtualization networking
  • 1 answer
  • 637 Views
Eduardo Lucio
Asked: 2021-02-12 07:50:26 +0800 CST

tesseract - build and install (`configure`, `make`, `make install`...) tesseract version 3 (tesseract-ocr-3.XX.XX)

  • 5

Problem:

I am trying to build and install (configure, make, make install...) tesseract version 3 (tesseract-ocr-3.02.02) on Ubuntu Server 20.04 LTS and the following error occurs...

Build and install commands...

tar -zxvf tesseract-ocr-3.02.02.tar.gz
cd ./tesseract-ocr-3.02.02
./autogen.sh
./configure
make -j 4 && make install
ldconfig

Error output...

[...]
-I../viewer -I/usr/local/include/leptonica -g -O2 -MT con_comp.lo -MD -MP -MF .deps/con_comp.Tpo -c con_comp.cpp  -fPIC -DPIC -o .libs/con_comp.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -O3 -DNDEBUG -DUSE_STD_NAMESPACE -I../cutil -I../ccutil -I../ccstruct -I../dict -I../ccmain -I../classify -I../textord -I../wordrec -I../neural_networks/runtime -I../image -I../viewer -I/usr/local/include/leptonica -g -O2 -MT con_comp.lo -MD -MP -MF .deps/con_comp.Tpo -c con_comp.cpp -o con_comp.o >/dev/null 2>&1
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -O3 -DNDEBUG -DUSE_STD_NAMESPACE -I../cutil -I../ccutil -I../ccstruct -I../dict -I../ccmain -I../classify -I../textord -I../wordrec -I../neural_networks/runtime -I../image -I../viewer -I/usr/local/include/leptonica -g -O2 -MT classifier_factory.lo -MD -MP -MF .deps/classifier_factory.Tpo -c classifier_factory.cpp -o classifier_factory.o >/dev/null 2>&1
mv -f .deps/char_samp.Tpo .deps/char_samp.Plo
mv -f .deps/con_comp.Tpo .deps/con_comp.Plo
mv -f .deps/classifier_factory.Tpo .deps/classifier_factory.Plo
make[2]: Leaving directory '/usr/local/lib/tesseract-ocr/cube'
make[1]: *** [Makefile:481: all-recursive] Error 1
make[1]: Leaving directory '/usr/local/lib/tesseract-ocr'
make: *** [Makefile:390: all] Error 2

Question:

What can I do to get more information about this error?

Important:

The method used to build and install tesseract (configure, make, make install...) is a standard and well-known process... so, based on that, I believe there are known ways to get more information so that we can diagnose what is happening. There is almost no information on the Internet about this specific error, so I really need help.

Thanks! =D

ubuntu compile
  • 1 answer
  • 107 Views
Eduardo Lucio
Asked: 2021-01-16 14:20:01 +0800 CST

python3.2 - ERROR:root:code for hash md5 was not found

  • 6

We have a legacy application that needs Python version 3.2 to work. For that, we compiled and installed Python version 3.2.

We were able to compile and install Python version 3.2 successfully on Ubuntu 20.04.1 LTS, but we started having problems using Python's "hashlib" library, as shown in the excerpt below...

root@sinj:/usr/local/src/lbginst# /usr/local/lb/py32/bin/python3.2 -c "import hashlib;m=hashlib.md5();print(m.hexdigest())"
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type md5
ERROR:root:code for hash sha1 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha1
ERROR:root:code for hash sha224 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha224
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha256
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha384
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha512
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'md5'

Question: how do we solve the problem presented?

Note I: after consulting dozens of resources on the Internet, we started to suspect something related to the libssl.so libcrypto.so binaries.
Note II: information on how we can diagnose what is happening is also very welcome!

Thanks! =D

Update: another symptom is this message during the build process (make, make install)...

Failed to build these modules:
_hashlib           _ssl   
ubuntu python
  • 2 answers
  • 2845 Views
Eduardo Lucio
Asked: 2019-12-11 13:27:39 +0800 CST

Manjaro (KDE) working as an rdp server

  • 6

Simple question, but hard to solve... so far... =|

How to make Manjaro (KDE) work as an rdp server?

Note: I - we really like the rdp protocol and have used it in the past as a server with other Linux distributions (Ubuntu), but we are having a hard time getting rdp to work on Manjaro (KDE) as a server; II - we know there are many other options for remote access, but our usage reality requires us to use RDP, so we ask that all answers be specifically about rdp solutions.

Thanks! =D

Interesting links on the subject:

https://forum.manjaro.org/t/xrdp-cant-get-plasma-to-start-after-initial-logging-into-xrdp-xorg-session/110678

https://forum.manjaro.org/t/not-able-to-rdp-from-windows-to-manjaro-vm-via-xrdp-xorg/94357/2

https://wiki.archlinux.org/index.php/xrdp


Update:

We have been trying hard to get rdp (xrdp) working with Manjaro KDE (KDE5), but we have run into many difficulties... =|

We have used a great deal of documentation and information from the Internet, especially from these links...

https://raw.githubusercontent.com/Microsoft/linux-vm-tools/master/arch/install-config.sh

https://www.hiroom2.com/2019/06/15/ubuntu-1904-xrdp-kde-en/

Apparently it is possible to make xrdp work with KDE 5, but we cannot make it work with Manjaro KDE...

Current situation:

. xrdp-sesman log

less +F /var/log/xrdp-sesman.log

[20191211-14:03:27] [DEBUG] Closed socket 8 (AF_INET 127.0.0.1:3350)
[20191211-14:03:27] [INFO ] Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log  
[20191211-14:03:37] [ERROR] X server for display 10 startup timeout
[20191211-14:03:37] [CORE ] waiting for window manager (pid 5102) to exit
[20191211-14:03:37] [ERROR] X server for display 10 startup timeout
[20191211-14:03:37] [ERROR] another Xserver might already be active on display 10 - see log
[20191211-14:03:37] [DEBUG] aborting connection...
[20191211-14:03:37] [CORE ] window manager (pid 5102) did exit, cleaning up session
[20191211-14:03:37] [INFO ] calling auth_stop_session and auth_end from pid 5101
[20191211-14:03:37] [DEBUG] cleanup_sockets:
[20191211-14:03:37] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_socket_10
[20191211-14:03:37] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10
[20191211-14:03:37] [DEBUG] cleanup_sockets: failed to delete /tmp/.xrdp/xrdpapi_10
[20191211-14:03:37] [INFO ] ++ terminated session:  username eduardolac, display :10.0, session_pid 5101, ip 192.168.12.1:33886 - socket: 1

. xrdp log

less +F /var/log/xrdp.log

[20191211-14:05:19] [DEBUG] Closed socket 12 (AF_INET 192.168.12.253:3389)
[20191211-14:05:19] [DEBUG] xrdp_mm_module_cleanup
[20191211-14:05:19] [INFO ] Socket 12: AF_INET connection received from 192.168.12.1 port 34186
[20191211-14:05:19] [DEBUG] Closed socket 12 (AF_INET 192.168.12.253:3389)
[20191211-14:05:19] [DEBUG] Closed socket 11 (AF_INET 0.0.0.0:3389)
[20191211-14:05:19] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20191211-14:05:19] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20191211-14:05:19] [DEBUG] TLSv1.3 enabled
[20191211-14:05:19] [DEBUG] TLSv1.2 enabled
[20191211-14:05:19] [DEBUG] Security layer: requested 3, selected 0
[20191211-14:05:19] [INFO ] connected client computer name: eduardo-nb
[20191211-14:05:19] [INFO ] adding channel item name cliprdr chan_id 1004 flags 0xc0a00000
[20191211-14:05:19] [INFO ] adding channel item name drdynvc chan_id 1005 flags 0xc0800000
[20191211-14:05:19] [INFO ] Non-TLS connection established from 192.168.12.1 port 34186: encrypted with standard RDP security
[20191211-14:05:19] [DEBUG] xrdp_00001455_wm_login_mode_event_00000001
[20191211-14:05:19] [INFO ] Cannot find keymap file /etc/xrdp/km-00000416.ini
[20191211-14:05:19] [INFO ] Cannot find keymap file /etc/xrdp/km-00000416.ini
[20191211-14:05:19] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20191211-14:05:19] [WARN ] local keymap file for 0x00000416 found and doesn't match built in keymap, using local keymap file
[20191211-14:05:20] [DEBUG] Closed socket 23 (AF_UNIX)

. Remmina behavior

It oscillates between two screens, as in this image...

[image: Remmina behavior]

remote-desktop remote-access
  • 1 answer
  • 12096 Views
Eduardo Lucio
Asked: 2019-09-21 08:58:00 +0800 CST

Samba client and Windows 10 Home - "NT_STATUS_LOGON_FAILURE"/"Access denied"

  • 3

I am trying to access a file share on Windows 10 Home using the Samba client. But the following errors occur...

1# - smbclient

[root@eduardo-nb eduardo]# smbclient -L 192.168.0.5 -W WORKGROUP -U eduardo
Enter WORKGROUP\eduardo's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

2# - Dolphin

Access denied to smb://WORKGROUP%5Ceduardo@192.168.0.5/D.

Note: the only way to get access to the share is by following the procedure described here...

File sharing not working

...which includes allowing access to "Everyone" and "turning off password protected sharing".

Question: I want to access this share with my existing Windows 10 Home user (which has administrative privileges)... so what could be happening?

Thanks! =D

[References: https://askubuntu.com/q/47291/134723, https://askubuntu.com/q/109507/134723, https://answers.microsoft.com/en-us/windows/forum/all/file-sharing-not-working/e6df6ac5-bb5a-41b3-8253-bd59b49d94bd, https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/samba-client-and-windows-10-home/a7502032-240a-4fc8-a756-132d46831adf?tm=1568998329476]


Update I: my /etc/samba/smb.conf...

@harrymc

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   allow insecure wide links = yes
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/%m.log
   max log size = 50
   security = user
   dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

[eduardo]
   follow symlinks = yes
   wide links = yes
   comment = Manjaro Linux Samba share
   path = /home/eduardo
   available = yes
   valid users = eduardo
   read only = no
   browseable = yes
   public = no
   writeable = yes
windows-10 network-shares
  • 1 answer
  • 1969 Views
Eduardo Lucio
Asked: 2019-08-23 12:17:27 +0800 CST

firewall-cmd - adding a forward port does not work

  • 12

I have a KVM server (host) with several virtual machines (guests).

My goal is for my host to forward port 222 to port 22 of a guest running the ssh service.

This works...

iptables -I OUTPUT -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -d 0.0.0.0/0 -j ACCEPT
iptables -t nat -I PREROUTING -d 0.0.0.0/0 -p tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22

This does not work...

firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter OUTPUT 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter FORWARD 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter INPUT 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 nat PREROUTING 0 -d 0.0.0.0/0 -p tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
firewall-cmd --reload

This does not work either...

firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload

Question: why do the rules set with firewall-cmd not work?

Note I: firewall-cmd is the default firewall service on CentOS 7. This seems to me to be an unsolvable problem! I have searched many, many forums, but nothing works! I am starting to believe it is a limitation or bug of firewall-cmd...

Note II: I know ssh itself provides ways to make this possible, but I really want this process to be "transparent" for the user accessing the guest directly.

[References: https://serverfault.com/q/915257/276753, https://serverfault.com/q/980223/276753, https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/, https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/, https://www.centos.org/forums/viewtopic.php?f=50&t=71454]


Symptoms:

The command...

ssh root@[HOST_IP] -p 222

...returns the following error...

ssh: connect to host 172.16.13.8 port 222: Connection refused


Update I:

@mwfearnley iptables-save output...

iptables-save - working...

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*nat
:PREROUTING ACCEPT [1:70]
:INPUT ACCEPT [1:70]
:OUTPUT ACCEPT [2:146]
:POSTROUTING ACCEPT [3:206]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*mangle
:PREROUTING ACCEPT [672:77587]
:INPUT ACCEPT [610:68993]
:FORWARD ACCEPT [58:7886]
:OUTPUT ACCEPT [655:151604]
:POSTROUTING ACCEPT [713:159490]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*security
:INPUT ACCEPT [609:68793]
:FORWARD ACCEPT [58:7886]
:OUTPUT ACCEPT [660:152010]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*raw
:PREROUTING ACCEPT [672:77587]
:OUTPUT ACCEPT [655:151604]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:17 2019

iptables-save - not working...

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*nat
:PREROUTING ACCEPT [1:72]
:INPUT ACCEPT [1:72]
:OUTPUT ACCEPT [5:371]
:POSTROUTING ACCEPT [5:371]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PREROUTING_direct -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*mangle
:PREROUTING ACCEPT [12:1319]
:INPUT ACCEPT [11:1259]
:FORWARD ACCEPT [1:60]
:OUTPUT ACCEPT [12:1070]
:POSTROUTING ACCEPT [12:1070]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*security
:INPUT ACCEPT [11:1259]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1070]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*raw
:PREROUTING ACCEPT [12:1319]
:OUTPUT ACCEPT [12:1070]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FORWARD_direct -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A INPUT_direct -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT_direct -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:16 2019

iptables-save - does not work...

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*nat
:PREROUTING ACCEPT [5:371]
:INPUT ACCEPT [1:67]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [2:134]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 10.1.0.9:22
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*mangle
:PREROUTING ACCEPT [17:1649]
:INPUT ACCEPT [12:1285]
:FORWARD ACCEPT [5:364]
:OUTPUT ACCEPT [10:3037]
:POSTROUTING ACCEPT [14:3341]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m tcp --dport 222 -j MARK --set-xmark 0x64/0xffffffff
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*security
:INPUT ACCEPT [12:1285]
:FORWARD ACCEPT [4:304]
:OUTPUT ACCEPT [10:3037]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*raw
:PREROUTING ACCEPT [17:1649]
:OUTPUT ACCEPT [10:3037]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:2813]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:36 2019

Update 2:

The first rule in the FORWARD chain of the one that "works" is ACCEPT. This lets every packet be forwarded. The other one has a rule that accepts the DNAT packets, but further down the chain. So... if we figure out why this works... we might be able to solve the problem...

iptables -I FORWARD -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload

...and why this one does not...

firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter FORWARD 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload
port-forwarding firewall
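As an added illustration (not part of the question above, and not firewalld's or libvirt's code): the FORWARD chain quoted in the "does not work" dump puts libvirt's `-o virbr0 ... REJECT` rule ahead of the jump into `FORWARD_direct`, which is where a `--direct` rule ends up. The script below replays a constructed first packet of the DNAT'd SSH session (client address 192.0.2.10 is made up) through that chain, with and without the `iptables -I FORWARD` line, and reports which rule decides first.

```python
"""Added example: replay a packet through the quoted FORWARD chain, rule by rule."""
import ipaddress
import shlex

# Constructed from the FORWARD chain of the ruleset that does not work:
# libvirt's virbr0 rules come before the jump into firewalld's FORWARD_direct.
FORWARD_RULES = """
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
""".strip().splitlines()
# Same chain after the question's `iptables -I FORWARD -d 0.0.0.0/0 -j ACCEPT`.
WITH_INSERT = ["-A FORWARD -d 0.0.0.0/0 -j ACCEPT"] + FORWARD_RULES

# Constructed packet: first packet of the DNAT'd SSH session from the question
# (client -> ens33:222, rewritten to 10.1.0.9:22, routed out via virbr0).
DNAT_SSH = {"in": "ens33", "out": "virbr0", "src": "192.0.2.10",
            "dst": "10.1.0.9", "state": "NEW"}

def parse_rule(line):
    """Pick out the matches this model understands plus the -j target
    (negated '!' matches and -p/-m details are not modelled)."""
    toks = shlex.split(line)
    opt = {toks[i]: toks[i + 1] for i in range(len(toks) - 1)}
    net = {k: ipaddress.ip_network(opt[k]) for k in ("-s", "-d") if k in opt}
    return {"in": opt.get("-i"), "out": opt.get("-o"),
            "src": net.get("-s"), "dst": net.get("-d"),
            "states": set(opt["--ctstate"].split(",")) if "--ctstate" in opt else None,
            "target": opt.get("-j")}

def matches(rule, pkt):
    """True when every modelled match in the rule agrees with the packet."""
    if any(rule[k] is not None and rule[k] != pkt[k] for k in ("in", "out")):
        return False
    if any(rule[k] is not None and ipaddress.ip_address(pkt[k]) not in rule[k]
           for k in ("src", "dst")):
        return False
    return rule["states"] is None or pkt["state"] in rule["states"]

def first_hit(lines, pkt):
    """(index, target) of the first rule the packet matches, else (None, 'policy')."""
    for idx, line in enumerate(lines):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return idx, rule["target"]
    return None, "policy"
```

For the NEW packet the original chain stops at rule 3 (`REJECT -o virbr0`), four rules before the `FORWARD_direct` jump at index 7, so a `--direct` ACCEPT in that sub-chain is never consulted; the inserted rule at index 0 matches first, and reply traffic in state ESTABLISHED is accepted by rule 0 either way.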