
Eduardo Lucio's questions

Eduardo Lucio
Asked: 2021-06-29 12:01:04 +0800 CST

Gateway problem - "ping" works, "curl" does not

  • 5

We have a server [S]SRV_GATEWAY with two NICs ( [I]WAN/INT_LAN and [I]PRIV_LAN ) configured as GATEWAY, DNS and DHCP for a private network ( [N]PRIV_LAN ).

The server [S]SRV_GATEWAY accesses the internet (it uses itself as DNS) and all the other servers ( [S]PRIV_SRV_X ) use the DHCP, DNS and GATEWAY provided by the server [S]SRV_GATEWAY .

  • Network layout...
                     [N]WAN/INT_LAN (10.2.0.0/24)
                      ↕
                     [I]WAN/INT_LAN
                  [S]SRV_GATEWAY
                     [I]PRIV_LAN
                      ↕
                     [N]PRIV_LAN (10.3.0.0/24)
                      ↕
       ...............................
       ↕              ↕              ↕
      [S]PRIV_SRV_0  [S]PRIV_SRV_1  [S]PRIV_SRV_0
                     [S]PRIV_SRV_2  [S]PRIV_SRV_0
                     [S]PRIV_SRV_3
    
     _ [N] - Network;
     _ [I] - Network Interface;
     _ [S] - Server.
    
     _ [N]WAN/INT_LAN - Has internet access;
     _ [N]PRIV_LAN - Private network.

QUESTION: Why can we successfully ping servers on the internet but cannot reach the same servers using curl from the server [S]PRIV_SRV_0 (see the output below)?

    [root@okd4-bootstrap core]# ping -c 2 www.google.com
    PING www.google.com (172.217.18.196) 56(84) bytes of data.
    64 bytes from ham02s14-in-f196.1e100.net (172.217.18.196): icmp_seq=1 ttl=113 time=10.5 ms
    64 bytes from par10s38-in-f4.1e100.net (172.217.18.196): icmp_seq=2 ttl=113 time=10.6 ms
    
    --- www.google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 10.500/10.548/10.597/0.048 ms

    [root@okd4-bootstrap core]# curl http://www.google.com
    curl: (7) Failed to connect to www.google.com port 80: No route to host

EXTRA:

  • How SRV_GATEWAY was set up as GATEWAY:

The server SRV_GATEWAY was configured as GATEWAY with the commands...

Enable IP forwarding...

tee "/etc/sysctl.d/ip_forward.conf" << EOF
net.ipv4.ip_forward=1
EOF
sysctl -w net.ipv4.ip_forward=1

Set up an outbound NAT gateway, masquerading on NIC ens3 ( [I]WAN/INT_LAN ) the devices configured in the CIDR 10.3.0.0/24...

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens3 -j MASQUERADE -s 10.3.0.0/24
firewall-cmd --reload
  • Some information obtained from the server [S]PRIV_SRV_0 :
[root@okd4-bootstrap core]# cat /etc/resolv.conf | grep -i '^nameserver' | head -n1 | cut -d ' ' -f2
10.3.0.14

[root@okd4-bootstrap core]# ip r
default via 10.3.0.14 dev ens3 proto dhcp metric 100 
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100 

[root@okd4-bootstrap core]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.3.0.14       0.0.0.0         UG    100    0        0 ens3
10.3.0.0        0.0.0.0         255.255.255.0   U     100    0        0 ens3

[root@okd4-bootstrap core]# netstat -r -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.3.0.14       0.0.0.0         UG        0 0          0 ens3
10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ens3

[root@okd4-bootstrap core]# ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=11.0 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.769/10.891/11.013/0.122 ms

[root@okd4-bootstrap core]# cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 10.3.0.14
search okd.local

[root@okd4-bootstrap core]# tracepath 8.8.8.8
 1?: [LOCALHOST]                      pmtu 1500
 1:  api-int.mbr.okd.local                                 0.526ms 
 1:  api-int.mbr.okd.local                                 0.855ms 
 2:  okd4-services.okd.local                               1.842ms !H
     Resume: pmtu 1500 

[root@okd4-bootstrap core]# tracepath www.google.com
 1?: [LOCALHOST]                      pmtu 1500
 1:  api.mbr.okd.local                                     0.481ms 
 1:  api-int.mbr.okd.local                                 0.562ms 
 2:  api.mbr.okd.local                                     0.553ms !H
     Resume: pmtu 1500 

[root@okd4-bootstrap core]# ip route show
default via 10.3.0.14 dev ens3 proto dhcp metric 100 
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100 

[root@okd4-bootstrap core]# nslookup www.google.com
Server:         10.3.0.14
Address:        10.3.0.14#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.18.196
Name:   www.google.com
Address: 2a00:1450:4007:805::2004

[root@okd4-bootstrap core]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Thanks! =D

networking dns
  • 1 answer
  • 565 Views
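Added example (not from the question or from any answer to it): a small Python evaluator for iptables-save dumps that walks a packet through the filter FORWARD chain, following firewalld's -j/-g zone chains, and reports which rule decides its fate. It models one mechanism consistent with the symptoms above: firewalld's default zone forwards ICMP but lets a TCP SYN from the private LAN fall through to REJECT with icmp-host-prohibited, which the client reports as "No route to host" and tracepath marks "!H". The dump, the interface names ens3/ens4 and the direct ACCEPT rule shown as a fix are assumptions, not taken from the question.

```python
import ipaddress
from collections import defaultdict

# Constructed iptables-save excerpt (not from any real host), modelled on firewalld's
# default "public" zone: forwarded traffic enters the zone chain via -g, only ICMP is
# accepted there, and anything else reaches the final REJECT. ens3 = WAN, ens4 = LAN.
SAMPLE_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -i ens4 -g FWDI_public
-A FWDI_public -p icmp -j ACCEPT
COMMIT
"""
# A firewalld direct rule (firewall-cmd --permanent --direct --add-rule ipv4 filter
# FORWARD 0 -s 10.3.0.0/24 -o ens3 -j ACCEPT) lands in FORWARD_direct, ahead of the REJECT.
FIXED_DUMP = SAMPLE_DUMP.replace("-A FORWARD -j FORWARD_direct\n",
    "-A FORWARD -j FORWARD_direct\n-A FORWARD_direct -s 10.3.0.0/24 -o ens3 -j ACCEPT\n")

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

# Match options used by firewalld/libvirt rule sets; an unknown option raises KeyError.
MATCHERS = {
    "-s": lambda p, v: in_net(p["src"], v),
    "-d": lambda p, v: in_net(p["dst"], v),
    "-i": lambda p, v: p["in"] == v,
    "-o": lambda p, v: p["out"] == v,
    "-p": lambda p, v: p["proto"] == v,
    "--dport": lambda p, v: p.get("dport") == int(v),
    "--ctstate": lambda p, v: p["ctstate"] in v.split(","),
    "-m": lambda p, v: True,  # match-extension name only (tcp, conntrack, ...)
}

def parse_iptables_save(dump):
    """Return (rules, policy): rules[table][chain] is a list of token lists."""
    rules, policy, table = defaultdict(dict), defaultdict(dict), None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            chain, pol = line[1:].split()[:2]
            rules[table].setdefault(chain, [])  # declare the chain even if it stays empty
            policy[table][chain] = pol
        elif line.startswith("-A "):
            _, chain, *args = line.split()
            rules[table].setdefault(chain, []).append(args)
    return rules, policy

def rule_matches(args, pkt):
    """Evaluate the match part of one rule (tokens before -j/-g) against pkt."""
    i, negate = 0, False
    while i < len(args) and args[i] not in ("-j", "-g"):
        if args[i] == "!":
            negate, i = True, i + 1
            continue
        ok = MATCHERS[args[i]](pkt, args[i + 1])
        if ok == negate:  # plain miss, or a negated match that hit
            return False
        negate, i = False, i + 2
    return True

def walk(chain_rules, chain, pkt):
    """First terminal (verdict, chain), or None if the chain falls through or RETURNs."""
    for args in chain_rules.get(chain, []):
        if not rule_matches(args, pkt):
            continue
        k = next((k for k, t in enumerate(args) if t in ("-j", "-g")), None)
        if k is None:
            continue  # counter-only rule without a target
        kind, target = args[k], args[k + 1]
        if target in TERMINAL:
            return target, chain
        if target == "RETURN":
            return None
        if target in chain_rules:  # user-defined chain: -j resumes here, -g does not
            result = walk(chain_rules, target, pkt)
            if result is not None or kind == "-g":
                return result
    return None

def forward_verdict(dump, pkt):
    """Verdict the filter FORWARD chain gives pkt, falling back to the chain policy."""
    rules, policy = parse_iptables_save(dump)
    return walk(rules["filter"], "FORWARD", pkt) or (policy["filter"]["FORWARD"], "policy")

# Packets from the private-LAN host in the question (10.3.0.4) leaving via ens3.
TCP80 = {"src": "10.3.0.4", "dst": "172.217.18.196", "in": "ens4", "out": "ens3",
         "proto": "tcp", "dport": 80, "ctstate": "NEW"}
ICMP = dict(TCP80, proto="icmp", dport=None)
```

Run `forward_verdict(SAMPLE_DUMP, ICMP)` and `forward_verdict(SAMPLE_DUMP, TCP80)` to see the ping/curl split, and the same calls against `FIXED_DUMP` to see the direct rule take effect; the same walker can be pointed at a real `iptables-save` dump to find which chain is rejecting.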
Eduardo Lucio
Asked: 2021-06-22 10:37:25 +0800 CST

How can I configure my servers' hostnames from services on the network? What should I use? DHCP? DNS? Both?

  • 5

I am trying to establish a way to configure my servers' hostnames centrally, that is, from some service on the network that does this.

I know there are three names that identify a server...

  • Transient: Received from the network configuration;
  • Static: Provided by the kernel;
  • Pretty: Provided by the user.

So I wanted my CentOS 7/8 server to use the transient hostname as its name. In practical terms, when I log in to the terminal it should show me the name that was obtained from the network...

[user_name@my-net-hostname ~]$

... and the machine should at least be able to identify itself by that name...

[user_name@my-net-hostname ~]$ ping -c 4 my-net-hostname
PING my-net-hostname.my.domain (10.3.0.4) 56(84) bytes of data.
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=2 ttl=64 time=0.086 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=3 ttl=64 time=0.077 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=4 ttl=64 time=0.098 ms

--- my-net-hostname.my.domain ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.077/0.113/0.193/0.046 ms

NOTE: In the case above this hostname was defined in a DHCP server, and there is also a DNS server that knows the name "my-net-hostname".

NOTE: It seems to me that the correct way to do this is with a DHCP and a DNS, that is, one defines the server's name (hostname) and the other defines where to find that server, but I am having difficulty confirming this information.


QUESTION: How can I configure my servers' hostnames from services on the network? What should I use? DHCP? DNS? Both?


Thanks! =D

[Ref(s): https://askubuntu.com/questions/104918/how-to-get-the-hostname-from-a-dhcp-server , https://codingbee.net/rhcsa/rhcsa-configuring-hostnames-and-dns , https://www.redhat.com/sysadmin/set-hostname-linux ]

dns dhcp
  • 1 answer
  • 77 Views
Eduardo Lucio
Asked: 2021-06-12 13:48:48 +0800 CST

KVM virtual machine network - Guest-to-guest/VM-to-VM only network (no host/hypervisor access, no outbound connectivity)

  • 6

I know that with the virsh command I can create several kinds of networks (a "NAT network", for example), as we can see at these URLs...

KVM Network Management
KVM Default NAT-based Network (page 33)

QUESTION: How can I create a network ( lan_n ) where only the guests/VMs have connectivity, with no outbound connectivity and no host/hypervisor connectivity?

NOTE: Connectivity to other resources will be provided by a pfSense firewall server that will have access to another network ( wan_n ) with outbound connectivity and other resources.

Network layout...

                [N]wan_n
                 ↕
                [I]wan_n
            [V]pfsense_vm
                [I]lan_n
                 ↕
                [N]lan_n
                 ↕
   .............................
   ↕             ↕             ↕
  [V]some_vm_0  [V]some_vm_1  [V]some_vm_4
                [V]some_vm_2  [V]some_vm_5
                [V]some_vm_3

 _ [N] - Network;
 _ [I] - Network Interface;
 _ [V] - Virtual Machine.

NOTE: The host/hypervisor operating system is CentOS 7 .

Thanks! =D

virtualization networking
  • 1 answer
  • 637 Views
Eduardo Lucio
Asked: 2021-02-12 07:50:26 +0800 CST

tesseract - compile and install (`configure`, `make`, `make install`...) tesseract version 3 (tesseract-ocr-3.XX.XX)

  • 5

PROBLEM:

I am trying to compile and install ( configure, make, make install...) tesseract version 3 ( tesseract-ocr-3.02.02) on Ubuntu Server 20.04 LTS and the following error occurs...

Compile and install commands...

tar -zxvf tesseract-ocr-3.02.02.tar.gz
cd ./tesseract-ocr-3.02.02
./autogen.sh
./configure
make -j 4 && make install
ldconfig

Error output...

[...]
-I../viewer -I/usr/local/include/leptonica -g -O2 -MT con_comp.lo -MD -MP -MF .deps/con_comp.Tpo -c con_comp.cpp  -fPIC -DPIC -o .libs/con_comp.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -O3 -DNDEBUG -DUSE_STD_NAMESPACE -I../cutil -I../ccutil -I../ccstruct -I../dict -I../ccmain -I../classify -I../textord -I../wordrec -I../neural_networks/runtime -I../image -I../viewer -I/usr/local/include/leptonica -g -O2 -MT con_comp.lo -MD -MP -MF .deps/con_comp.Tpo -c con_comp.cpp -o con_comp.o >/dev/null 2>&1
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -O3 -DNDEBUG -DUSE_STD_NAMESPACE -I../cutil -I../ccutil -I../ccstruct -I../dict -I../ccmain -I../classify -I../textord -I../wordrec -I../neural_networks/runtime -I../image -I../viewer -I/usr/local/include/leptonica -g -O2 -MT classifier_factory.lo -MD -MP -MF .deps/classifier_factory.Tpo -c classifier_factory.cpp -o classifier_factory.o >/dev/null 2>&1
mv -f .deps/char_samp.Tpo .deps/char_samp.Plo
mv -f .deps/con_comp.Tpo .deps/con_comp.Plo
mv -f .deps/classifier_factory.Tpo .deps/classifier_factory.Plo
make[2]: Leaving directory '/usr/local/lib/tesseract-ocr/cube'
make[1]: *** [Makefile:481: all-recursive] Error 1
make[1]: Leaving directory '/usr/local/lib/tesseract-ocr'
make: *** [Makefile:390: all] Error 2

QUESTION:

What can I do to get more information about this error?

IMPORTANT:

The method used to build and install tesseract ( configure, make, make install...) is a standard and well-known process... So, based on that, I think there are known ways to get more information so that we can diagnose what is going on. There is almost no information on the internet about this specific error, so I really need help with this.

Thanks! =D

ubuntu compile
  • 1 answer
  • 107 Views
Eduardo Lucio
Asked: 2021-01-16 14:20:01 +0800 CST

python3.2 - ERROR:root:code for hash md5 was not found

  • 6

We have a legacy application and it needs Python version 3.2 to work. For that reason, we compiled and installed Python version 3.2.

We managed to compile and install Python version 3.2 successfully on Ubuntu 20.04.1 LTS , but we started having problems when using the Python "hashlib" library, as can be seen in the excerpt below...

root@sinj:/usr/local/src/lbginst# /usr/local/lb/py32/bin/python3.2 -c "import hashlib;m=hashlib.md5();print(m.hexdigest())"
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type md5
ERROR:root:code for hash sha1 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha1
ERROR:root:code for hash sha224 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha224
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha256
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha384
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha512
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'md5'

QUESTION: How can we solve the problem presented?

NOTE I: After consulting dozens of sources on the internet, we started to suspect something related to the libssl.so libcrypto.so binaries .
NOTE II: Information on how we can diagnose what is going on is also very welcome!

Thanks! =D


UPDATE: Another symptom is the occurrence of this message during the build process ( make, make install)...

Failed to build these modules:
_hashlib           _ssl   
ubuntu python
  • 2 answers
  • 2845 Views
Eduardo Lucio
Asked: 2019-12-11 13:27:39 +0800 CST

Manjaro (KDE) running as an rdp server

  • 6

Simple question, but hard to solve... So far... =|

How do I make Manjaro (KDE) work as an rdp server ?

NOTES: I - We really like the rdp protocol and have used it in the past with other Linux distros (Ubuntu) as a server, but we are having difficulty making rdp work on Manjaro (KDE) as a server; II - We know there are many other remote access options, but our usage reality requires that we use RDP, so we ask that all answers deal exclusively with an rdp solution .

Thanks! =D

INTERESTING LINKS ON THE SUBJECT:

https://forum.manjaro.org/t/xrdp-cant-get-plasma-to-start-after-initial-logging-into-xrdp-xorg-session/110678

https://forum.manjaro.org/t/not-able-to-rdp-from-windows-to-manjaro-vm-via-xrdp-xorg/94357/2

https://wiki.archlinux.org/index.php/xrdp


UPDATE:

We have really been trying to make rdp (xrdp) work with Manjaro KDE (KDE5), but we are having a lot of difficulty... =|

We used a lot of documentation and information from the internet, mainly from these links...

https://raw.githubusercontent.com/Microsoft/linux-vm-tools/master/arch/install-config.sh

https://www.hiroom2.com/2019/06/15/ubuntu-1904-xrdp-kde-en/

Apparently it is possible to make xrdp work with KDE 5, but we could not make it work with Manjaro KDE...

CURRENT SITUATION:

. xrdp-sesman LOG

less +F /var/log/xrdp-sesman.log

[20191211-14:03:27] [DEBUG] Closed socket 8 (AF_INET 127.0.0.1:3350)
[20191211-14:03:27] [INFO ] Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log  
[20191211-14:03:37] [ERROR] X server for display 10 startup timeout
[20191211-14:03:37] [CORE ] waiting for window manager (pid 5102) to exit
[20191211-14:03:37] [ERROR] X server for display 10 startup timeout
[20191211-14:03:37] [ERROR] another Xserver might already be active on display 10 - see log
[20191211-14:03:37] [DEBUG] aborting connection...
[20191211-14:03:37] [CORE ] window manager (pid 5102) did exit, cleaning up session
[20191211-14:03:37] [INFO ] calling auth_stop_session and auth_end from pid 5101
[20191211-14:03:37] [DEBUG] cleanup_sockets:
[20191211-14:03:37] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_socket_10
[20191211-14:03:37] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10
[20191211-14:03:37] [DEBUG] cleanup_sockets: failed to delete /tmp/.xrdp/xrdpapi_10
[20191211-14:03:37] [INFO ] ++ terminated session:  username eduardolac, display :10.0, session_pid 5101, ip 192.168.12.1:33886 - socket: 1

. xrdp LOG

less +F /var/log/xrdp.log

[20191211-14:05:19] [DEBUG] Closed socket 12 (AF_INET 192.168.12.253:3389)
[20191211-14:05:19] [DEBUG] xrdp_mm_module_cleanup
[20191211-14:05:19] [INFO ] Socket 12: AF_INET connection received from 192.168.12.1 port 34186
[20191211-14:05:19] [DEBUG] Closed socket 12 (AF_INET 192.168.12.253:3389)
[20191211-14:05:19] [DEBUG] Closed socket 11 (AF_INET 0.0.0.0:3389)
[20191211-14:05:19] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20191211-14:05:19] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20191211-14:05:19] [DEBUG] TLSv1.3 enabled
[20191211-14:05:19] [DEBUG] TLSv1.2 enabled
[20191211-14:05:19] [DEBUG] Security layer: requested 3, selected 0
[20191211-14:05:19] [INFO ] connected client computer name: eduardo-nb
[20191211-14:05:19] [INFO ] adding channel item name cliprdr chan_id 1004 flags 0xc0a00000
[20191211-14:05:19] [INFO ] adding channel item name drdynvc chan_id 1005 flags 0xc0800000
[20191211-14:05:19] [INFO ] Non-TLS connection established from 192.168.12.1 port 34186: encrypted with standard RDP security
[20191211-14:05:19] [DEBUG] xrdp_00001455_wm_login_mode_event_00000001
[20191211-14:05:19] [INFO ] Cannot find keymap file /etc/xrdp/km-00000416.ini
[20191211-14:05:19] [INFO ] Cannot find keymap file /etc/xrdp/km-00000416.ini
[20191211-14:05:19] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20191211-14:05:19] [WARN ] local keymap file for 0x00000416 found and doesn't match built in keymap, using local keymap file
[20191211-14:05:20] [DEBUG] Closed socket 23 (AF_UNIX)

. Remmina behaviour

It keeps switching between two screens, like this image...

Remmina behaviour

remote-desktop remote-access
  • 1 answer
  • 12096 Views
Eduardo Lucio
Asked: 2019-09-21 08:58:00 +0800 CST

Samba client and Windows 10 Home - "NT_STATUS_LOGON_FAILURE"/"Access denied"

  • 3

I am trying to access a file share on a Windows 10 Home machine using a Samba client. However, the following errors happen...

1# - smbclient

[root@eduardo-nb eduardo]# smbclient -L 192.168.0.5 -W WORKGROUP -U eduardo
Enter WORKGROUP\eduardo's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

2# - Dolphin

Acesso negado a smb://WORKGROUP%5Ceduardo@192.168.0.5/D.


NOTE: The only way to get access to the share is by following the procedures described here...

File sharing not working

... which consist of allowing access to "Everyone" and "Turn off password protected sharing".

QUESTION: I would like to access this share with my existing Windows 10 Home user (which has administrative privileges)... So, what could be going on?

Thanks! =D

[Refs.: https://askubuntu.com/q/47291/134723 , https://askubuntu.com/q/109507/134723 , https://answers.microsoft.com/en-us/windows/forum/all/file-sharing-not-working/e6df6ac5-bb5a-41b3-8253-bd59b49d94bd , https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/samba-client-and-windows-10-home/a7502032-240a-4fc8-a756-132d46831adf?tm=1568998329476 ]


UPDATE I: My /etc/samba/smb.conf...

@harrymc

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   allow insecure wide links = yes
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/%m.log
   max log size = 50
   security = user
   dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

[eduardo]
   follow symlinks = yes
   wide links = yes
   comment = Manjaro Linux Samba share
   path = /home/eduardo
   available = yes
   valid users = eduardo
   read only = no
   browseable = yes
   public = no
   writeable = yes
windows-10 network-shares
  • 1 answer
  • 1969 Views
Eduardo Lucio
Asked: 2019-08-23 12:17:27 +0800 CST

firewall-cmd - add-forward-port does not work

  • 12

I have a KVM server (host) with several virtual machines (guests).

My goal is for my host to forward port 222 to port 22 of a guest running an ssh service.

This works...

iptables -I OUTPUT -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -d 0.0.0.0/0 -j ACCEPT
iptables -t nat -I PREROUTING -d 0.0.0.0/0 -p tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22

This does not work...

firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter OUTPUT 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter FORWARD 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter INPUT 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 nat PREROUTING 0 -d 0.0.0.0/0 -p tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
firewall-cmd --reload

This does not work either...

firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload

QUESTION: Why don't the rules defined with firewall-cmd work?

NOTE I: firewall-cmd is the default firewall service on CentOS 7. This looks to me like a problem without a solution! I have searched many, many forums and nothing works! I am starting to believe this is a limitation or a bug in firewall-cmd...

NOTE II: I know that ssh itself provides the means to make this possible, but I really want this process to be "transparent", so the user accesses the guest directly.

[ Refs.: https://serverfault.com/q/915257/276753 , https://serverfault.com/q/980223/276753 , https://sebastianblade.com/how-to-modify-ssh-port-in-centos7/ , https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/ , https://www.centos.org/forums/viewtopic.php?f=50&t=71454 ]


SYMPTOM:

The command...

ssh root@[HOST_IP] -p 222

... returns the following error...

ssh: conectar ao host 172.16.13.8 porta 222: Conexão recusada


UPDATE I:

@mwfearnley iptables-save output...

iptables-save - WORKS...

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*nat
:PREROUTING ACCEPT [1:70]
:INPUT ACCEPT [1:70]
:OUTPUT ACCEPT [2:146]
:POSTROUTING ACCEPT [3:206]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*mangle
:PREROUTING ACCEPT [672:77587]
:INPUT ACCEPT [610:68993]
:FORWARD ACCEPT [58:7886]
:OUTPUT ACCEPT [655:151604]
:POSTROUTING ACCEPT [713:159490]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*security
:INPUT ACCEPT [609:68793]
:FORWARD ACCEPT [58:7886]
:OUTPUT ACCEPT [660:152010]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*raw
:PREROUTING ACCEPT [672:77587]
:OUTPUT ACCEPT [655:151604]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:17 2019

iptables-save - DOES NOT WORK...

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*nat
:PREROUTING ACCEPT [1:72]
:INPUT ACCEPT [1:72]
:OUTPUT ACCEPT [5:371]
:POSTROUTING ACCEPT [5:371]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PREROUTING_direct -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*mangle
:PREROUTING ACCEPT [12:1319]
:INPUT ACCEPT [11:1259]
:FORWARD ACCEPT [1:60]
:OUTPUT ACCEPT [12:1070]
:POSTROUTING ACCEPT [12:1070]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*security
:INPUT ACCEPT [11:1259]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1070]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*raw
:PREROUTING ACCEPT [12:1319]
:OUTPUT ACCEPT [12:1070]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FORWARD_direct -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A INPUT_direct -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT_direct -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:16 2019

iptables-save - DOES NOT WORK EITHER...

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*nat
:PREROUTING ACCEPT [5:371]
:INPUT ACCEPT [1:67]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [2:134]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 10.1.0.9:22
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*mangle
:PREROUTING ACCEPT [17:1649]
:INPUT ACCEPT [12:1285]
:FORWARD ACCEPT [5:364]
:OUTPUT ACCEPT [10:3037]
:POSTROUTING ACCEPT [14:3341]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m tcp --dport 222 -j MARK --set-xmark 0x64/0xffffffff
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*security
:INPUT ACCEPT [12:1285]
:FORWARD ACCEPT [4:304]
:OUTPUT ACCEPT [10:3037]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*raw
:PREROUTING ACCEPT [17:1649]
:OUTPUT ACCEPT [10:3037]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:2813]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:36 2019

UPDATE II:

The first rule in FORWARD of "works" is ACCEPT. This lets every packet be forwarded. The others have rules to accept DNATted packets, but later in the chain. So... We can solve the problem if we find out why this works...

iptables -I FORWARD -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload

... and why this does not...

firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter FORWARD 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload
port-forwarding firewall
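Replaying the FORWARD chain in kernel order makes the ordering problem visible. The Python below is an added example, not code from the question or from firewalld: it parses a constructed excerpt of the second `iptables-save` dump above and reports which rule decides a DNATted connection. Interface names, the 10.1.0.0/24 network and the 10.1.0.9:22 target come from the dumps; the client address is made up.

```python
import ipaddress
# Constructed excerpt of the *filter FORWARD chain from the second iptables-save
# dump above (the "--direct" variant); chains irrelevant to the walk are omitted.
RULES_DIRECT = """
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_direct
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -j ACCEPT
"""
# The "works" variant: `iptables -I FORWARD ...` puts ACCEPT at position 1.
RULES_INSERTED = "-A FORWARD -d 0.0.0.0/0 -j ACCEPT\n" + RULES_DIRECT
# Constructed DNATted SYN as FORWARD sees it: client (made-up address) -> 10.1.0.9:22.
PKT = {"in": "ens33", "out": "virbr0", "src": "10.2.0.50", "dst": "10.1.0.9",
       "proto": "tcp", "dport": 22, "ctstate": "NEW"}

def parse(text):
    """Group '-A chain ...' lines into {chain: [rule]}; rule maps option -> value."""
    chains = {}
    for toks in (l.split() for l in text.splitlines() if l.strip()):
        rule, i = {"neg": set()}, 2
        while i < len(toks):
            if toks[i] == "!":                 # "! -d net": negate the next option
                rule["neg"].add(toks[i + 1]); i += 1; continue
            if toks[i] != "-m":                # "-m ext" names a match, carries no value
                rule[toks[i]] = toks[i + 1]
            i += 2
        chains.setdefault(toks[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """True when every option present in the rule agrees with the packet."""
    in_net = lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(n)
    tests = {"-i": lambda v: pkt["in"] == v, "-o": lambda v: pkt["out"] == v,
             "-p": lambda v: pkt["proto"] == v, "--dport": lambda v: pkt["dport"] == int(v),
             "-s": lambda v: in_net(pkt["src"], v), "-d": lambda v: in_net(pkt["dst"], v),
             "--ctstate": lambda v: pkt["ctstate"] in v.split(",")}
    return all(tests[o](rule[o]) != (o in rule["neg"]) for o in tests if o in rule)

def walk(chains, chain, pkt):
    """Kernel order: first matching terminal target wins. Returns (verdict, 'chain#n')."""
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j") or rule.get("-g")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, f"{chain}#{n}"
        if target == "RETURN":
            return None
        hit = walk(chains, target, pkt)        # -j: resume here if the chain falls off
        if hit or "-g" in rule:                # -g (goto): falling off returns to our caller
            return hit
    return None
```

Calling `walk(parse(RULES_DIRECT), "FORWARD", PKT)` points at the libvirt `-o virbr0` REJECT in rule 3, which sits before the jump to FORWARD_direct, so the ACCEPT placed there is never reached; with RULES_INSERTED the ACCEPT at position 1 wins.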