Vir die afgelope maand kan ek dit nie oplos nie, ek maak verskillende iptables-reëls, geaktiveerde en gedeaktiveerde modules op kern, maar met dieselfde resultate en selfs meer pakkies het deur iptables gedaal. Dit maak op gebruikers wat 'n vertraging van 3/5 sekondes het wanneer hulle toegang probeer tot verskillende gedeelde vouers van 192.168.1.0/24 tot 192.168.3.0/28 op die virtuele masjien.

Ek sien dit op logs:

Feb 14 13:53:02 ns129115 kernel: [12426815.202643] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=61932 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:02 ns129115 kernel: [12426815.393379] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=61933 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK URGP=0
Feb 14 13:53:02 ns129115 kernel: [12426815.834944] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=61934 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK URGP=0
Feb 14 13:53:02 ns129115 kernel: [12426815.835219] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=136 TOS=0x10 PREC=0x00 TTL=64 ID=61935 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:19 ns129115 kernel: [12426832.829664] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=vnet0 PHYSOUT=eth2 MAC=70:85:c2:4f:14:c1:00:16:3e:ea:18:01:08:00 SRC=192.168.1.156 DST=192.168.1.125 LEN=319 TOS=0x00 PREC=0x00 TTL=128 ID=16660 DF PROTO=TCP SPT=49169 DPT=54820 WINDOW=256 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:39 ns129115 kernel: [12426852.496117] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=29023 DF PROTO=TCP SPT=22115 DPT=52214 WINDOW=263 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:49 ns129115 kernel: [12426862.856776] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=vnet0 MAC=00:16:3e:ea:18:01:90:2b:34:b0:20:a4:08:00 SRC=192.168.1.237 DST=192.168.1.156 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1644 DF PROTO=TCP SPT=49244 DPT=49169 WINDOW=1879 RES=0x00 ACK URGP=0
Feb 14 13:53:50 ns129115 kernel: [12426863.288983] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=29069 DF PROTO=TCP SPT=22115 DPT=52214 WINDOW=263 RES=0x00 ACK PSH URGP=0
Feb 14 13:54:19 ns129115 kernel: [12426892.906806] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=vnet0 MAC=00:16:3e:ea:18:01:74:d4:35:6a:18:7a:08:00 SRC=192.168.1.199 DST=192.168.1.156 LEN=248 TOS=0x00 PREC=0x00 TTL=128 ID=13244 DF PROTO=TCP SPT=49678 DPT=49169 WINDOW=256 RES=0x00 ACK PSH URGP=0
Feb 14 13:54:42 ns129115 kernel: [12426915.939242] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=136 TOS=0x10 PREC=0x00 TTL=64 ID=61969 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0

Die Debian-bediener met iptables en 2 brûe

  • BR0, is die brug met internettoegang tot die poort 192.168.1.1 en alle gebruikers is op hierdie netwerk
  • VIRBR10, die 2de brug, vm1 is aan hierdie brug verbind met ip 192.168.3.12 (192.168.3.0/28) en het nat met iptables na buite wat deur br0 gaan

Hier »» Die netwerkgrafiek met gateway en hypervizor

Hier is my roete tabel

~ roete lys

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.3.0     *               255.255.255.240 U     0      0        0 virbr10

~ brctl wys

bridge name     bridge id               STP enabled     interfaces
br0             8000.0cc47ac18d3c       yes             eth2
virbr10         8000.525400c4b847       yes             virbr10-dummy
                                                        vnet2

~ iptables reëls

#!/bin/sh
#Flushing all rules
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Allow basic INPUT traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT

#
#MTU
iptables -t mangle -A FORWARD -o virbr1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1460
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#SMB
#Port: netbios - 445/tcp
#Port: netbios-ns – 137/udp -- NETBIOS Name Service
#Port: netbios-dgm – 138/udp -- NETBIOS Datagram Service
#Port: netbios-ssn – 139/tcp -- NETBIOS session service
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 445 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 137 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 138 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 139 -j ACCEPT

#RDP
#Port: 3389
# connections from outside
iptables -I FORWARD -o virbr10 -d 192.168.3.12 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 3589 -j DNAT --to 192.168.3.12:3389

# Masquerade local subnet
iptables -I FORWARD -o virbr10 -d 192.168.3.0/28 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -j MASQUERADE
iptables -A FORWARD -o virbr10 -m state --state RELATED,ESTABLISHED -j ACCEPT
#Permite conexiones salientes de virbr10 hacia la red 192.168.1.0/24
iptables -A FORWARD -i virbr10 -o br0 -j ACCEPT
iptables -A FORWARD -o virbr10 -i br0 -j ACCEPT
iptables -A FORWARD -i virbr10 -o lo -j ACCEPT

###
#KVM routed guest
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
iptables -t mangle -A POSTROUTING -o virbr10 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fil

# Do not masquerade to these reserved address blocks.
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -d 224.0.0.0/24 -j RETURN
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -d 255.255.255.255/32 -j RETURN
# Masquerade all packets going from VMs to the LAN/Internet.
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -j MASQUERADE

# Accept SSH connections.
iptables -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT

# Accept Radmin
iptables -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 4899 -j ACCEPT

# Allow inbound traffic to the private subnet.
iptables -A FORWARD -d 192.168.3.0/28 -o virbr10 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -d 192.168.1.0/24 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -d 192.168.3.0/28 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outbound traffic from the private subnet.
iptables -A FORWARD -s 192.168.3.0/28 -i virbr10 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -s 192.168.1.0/24 -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#7218-12_07 Slow desk access iptables -A FORWARD -s 192.168.3.0/28 -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow traffic between virtual machines.
iptables -A FORWARD -i virbr10 -o virbr10 -j ACCEPT
# Reject everything else.
iptables -A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
# Accept DNS (port 53) and DHCP (port 67) packets from VMs.
iptables -A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
iptables -A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT

#ICMP
iptables -A OUTPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Reject everything else.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

#Log packets droped
iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4

Opdaterings

  1. Het die logboekketting na die einde van die skrif verander en die nuwe loginskrywings geplak
answer

Nadat ek op Google gesoek het, kan ek dit oplos.

  1. Die stadige toegang tot gedeelde lêers met SMB op domeinbeheerder in Windows Server 2012 R2 is omdat die gidsherleidings-GPO veranderinge maak op toestemmings in gebruikersprofiellêer tydens die herleidingsproses wanneer die gids nie in die bestemming bestaan ​​nie. Gebaseer op iamrafic van Microsfot Technet ( skakel ), moet ons vouertoestemmings hierna verander:

Create the folder in the required location Disable inheritance of permissions from the parent and remove all inherited permissions by clicking the appropriate button. One entry will already be in the DACL: Local Administrators.

Alter Local Administrators: Full Control: This folder, subfolders and files

Add SYSTEM: Full Control: This folder, subfolder and files.

Add CREATOR OWNER: Full Control: This folder, subfolders and files.

Add Authenticated Users: List folder / read data, Create folders / append data: This folder only

Add Domain Admins: Full Control: This folder, subfolders and files.

Click OK.

  1. Die ander probleem was my iptables-reëls, ek moes 'n volledige nuwe kettings uitvoer en die volgorde vir elke FORWARD-reël regmaak omdat dit die prestasie verander wanneer die pakkie geanaliseer word. Hier is die nuwes.
    #!/bin/sh
    
    #Flushing all rules
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X
    iptables -t raw -F
    
    # Basic tables
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    
    # 
    
    iptables -A FORWARD -o virbr32 -s 192.168.1.0/24 -d 192.168.100.0/28 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i virbr32 -s 192.168.100.0/28 -d 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o virbr32 -i br0 -j ACCEPT
    iptables -A FORWARD -i virbr32 -s 192.168.100.0/2 -j ACCEPT
    iptables -A FORWARD -i virbr32 -o virbr32 -j ACCEPT
    iptables -A FORWARD -i virbr32 -j LOG --log-prefix "iptables-FORWARD-REJECT: "
    iptables -A FORWARD -i virbr32 -j REJECT --reject-with icmp-port-unreachable
    
    # Masquerade local subnet
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -j MASQUERADE
    # Do not masquerade to these reserved address blocks.
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -d 224.0.0.0/24 -j RETURN
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -d 255.255.255.255/32 -j RETURN
    
    # SMB
    # RPC EPM                  TCP 135 
    # RPC over HTTPS           TCP 593 
    # SMB (for named pipes)    TCP 445
    # Ephemeral Range, Dynamic *
    iptables -I FORWARD 6 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 445 -j ACCEPT
    iptables -I FORWARD 7 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 139 -j ACCEPT
    
    # Accept DNS (port 53) and DHCP (port 67) packets from VMs.
    iptables -I FORWARD 8 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARD 9 -i virbr32 -o br0 -m conntrack --ctstate NEW -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
    
    # 
    
    # 
    
    # The two rules below assure that only TCP packets get examined. All others 
    # continue into the *filter table.
    iptables -t raw -N TCPFLAGS
    iptables -t raw -A PREROUTING -p tcp -j TCPFLAGS
    iptables -t raw -A PREROUTING -j ACCEPT
    
    # Quickly accept standard handshakes
    # ALLOW ACK or ACK/SYN
    #-A TCPFLAGS -j ACCEPT
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags FIN,ACK,URG,PSH,RST ACK -j ACCEPT
    
    # Allow ACK/FIN with either URG or PSH, or both, or neither
    # but SYN and RST can't be set
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,ACK,RST  ACK,FIN -j ACCEPT
    
    # Allow SYN or ACK/SYN
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,URG,PSH,RST SYN -j ACCEPT
    
    # Allow RST or ACK/RST
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,URG,PSH,RST RST -j ACCEPT
    
    # This rule catches xmas-tree and fin attacks
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags FIN FIN -j DROP
    # This rule catches xmas-tree and syn/rst attacks
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags SYN SYN -j DROP
    
    # This rule catches null attacks
    iptables -t raw  -A TCPFLAGS -p tcp --tcp-flags ALL NONE -j DROP
    
    #-A TCPFLAGS -p tcp -ecn-tcp-cwr -j DROP
    # these rules catch bad ack combinations
    #-A TCPFLAGS -p tcp --tcp-flags ACK     ACK     -j ACC
    #iptables -t raw  -A TCPFLAGS -j ACCEPT
    
    # So, what do we accept for tcp?
    # handshakes (ACK/FIN), (ACK/SYN), (SYN), (ACK), (RST), (ACK/RST), 
    # and data packets with PSH or URG or FIN or ACK
    
    # 
    
    #Log packets droped
    iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
    iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
    iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4
  • Soos jy kan sien, het ek iptables gebruik -I FORWARD in plaas van iptables -A FORWARD, want hiermee kan ek 'n geordende reëls op my filtertabel uitvoer deur die belangrikste reëls eerste te plaas en dan dieper na DROP te gaan of die res te ontken. Alle VOORWAARTSE reëls gaan voor hierdie reël
    iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

Wysig : Ek hoef net 'n paar veranderinge aan te bring om meer oordragtempo te neem wanneer lêers van die vm na buite in die lan 192.168.1.0/24 kopieer, ek kan nie meer as 4Mb/s neem nie. Enige raad sal waardeer word!!