我有一台
Linux机器和一台实现NAT的路由器后面的Windows机器(该图可能有点矫枉过正,但是是
fun to make):
我将路由器上的RDP端口(3389)转发到Linux机器,因为我想审核RDP连接.为了让Linux机器转发RDP流量,我写了这些iptables规则:
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination win-box
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
端口正在侦听Windows机器:
C:\Users\nimmy>netstat -a
Active Connections
Proto Local Address Foreign Address State
(..snip..)
TCP 0.0.0.0:3389 WIN-BOX:0 LISTENING
(..snip..)
并且端口在Linux机器上转发:
# tcpdump port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:33:11.451663 IP shieldsup.grc.com.56387 > linux-box.myapt.lan.ms-wbt-server: Flags [S], seq 94663035, win 8192, options [mss 1460], length 0
01:33:11.451846 IP shieldsup.grc.com.56387 > win-box.myapt.lan.ms-wbt-server: Flags [S], seq 94663035, win 8192, options [mss 1460], length 0
但是,我没有从外部获得任何成功的RDP连接.端口甚至没有响应:
C:\Users\outside-nimmy>telnet example.com 3389
Connecting To example.com...Could not open connection to the host, on port 3389: Connect failed
有任何想法吗?
更新
根据@Zhiqiang Ma,我在连接尝试期间查看了nf_conntrack proc文件,这就是我所看到的(192.168.3.1 = linux-box,192.168.3.5 = win-box):
# cat /proc/net/nf_conntrack | grep 3389
ipv4 2 tcp 6 118 SYN_SENT src=4.79.142.206 dst=192.168.3.1 sport=43142 dport=3389 packets=6 bytes=264 [UNREPLIED] src=192.168.3.5 dst=4.79.142.206 sport=3389 dport=43142 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
第二次更新
路由器上有tcpdump,似乎win-box正在发送RST数据包:
21:20:24.767792 IP shieldsup.grc.com.45349 > linux-box.myapt.lan.3389: S 19088743:19088743(0) win 8192
21:20:24.768038 IP shieldsup.grc.com.45349 > win-box.myapt.lan.3389: S 19088743:19088743(0) win 8192
21:20:24.770674 IP win-box.myapt.lan.3389 > shieldsup.grc.com.45349: R 721745706:721745706(0) ack 755785049 win 0
为什么Windows会这样做?