I am hoping someone can help me set up SoftEther with NAT on a local-bridge network, and also help with the iptables rules. I have 2 network interfaces and Ubuntu 18.04 LTS. I want to make sure that I can reach the server, which acts as both the gateway and the VPN hub, through the SoftEther VPN software.
Answer 1
First, make sure you are using SoftEther's local bridge feature and that it is bound to a tap interface. This is faster than standard bridging and lets you set up DHCP in a way that does not break your other clients. :-)
For ease of use I named my TAP interface "soft", but remember to adjust your netplan rules accordingly, as shown below. In the rules below I use enp0s7 as the WAN and enp3s0f0 as the LAN interface.
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
  ethernets:
    enp0s7:
      dhcp4: true
      optional: false
    enp3s0f0:
      addresses: [192.168.254.1/24]
      nameservers:
        addresses: [9.9.9.9,192.168.1.254]
        search: [vinceworks.com]
      dhcp4: false
      optional: true
    tap_soft:
      addresses: [192.168.253.1/24]
      dhcp4: false
      optional: true
  version: 2
You also need to adjust your DHCP rules in the /etc/dhcp/dhcpd.conf file:
subnet 192.168.254.0 netmask 255.255.255.0 {
    range 192.168.254.100 192.168.254.150;
    # broadcast-address needs to be .255 to cover all the address range
    option broadcast-address 192.168.254.255;
    option routers 192.168.254.1;
}
subnet 192.168.253.0 netmask 255.255.255.0 {
    range 192.168.253.30 192.168.253.42;
    # broadcast-address needs to be .255 to cover all the address ranges
    option broadcast-address 192.168.253.255;
    option routers 192.168.253.1;
}
Here are the iptables rules you should set up at boot:
#!/bin/sh
# Run as root at boot (every command below needs root, so no sudo).
# Default policy to drop all incoming packets.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow forwarding at the highest levels!
sysctl -w net.ipv4.ip_forward=1
# Accept incoming packets from localhost and the LAN interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i enp3s0f0 -j ACCEPT
# Accept incoming packets from tap_soft
iptables -A INPUT -i tap_soft -j ACCEPT
# Accept incoming packets from the WAN if the router initiated the
# connection
iptables -A INPUT -i enp0s7 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
# Forward LAN packets to the WAN.
iptables -A FORWARD -i enp3s0f0 -o enp0s7 -j ACCEPT
# Forward packets between the LAN and WAN to VPN
iptables -A FORWARD -i tap_soft -o enp0s7 -j ACCEPT
iptables -A FORWARD -i tap_soft -o enp3s0f0 -j ACCEPT
# Forward WAN packets to the LAN if the LAN initiated the connection.
iptables -A FORWARD -i enp0s7 -o enp3s0f0 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i enp0s7 -o tap_soft -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
# Forward LAN packets back to the VPN only for connections the VPN client
# initiated; without this rule LAN hosts' replies hit the FORWARD DROP policy.
iptables -A FORWARD -i enp3s0f0 -o tap_soft -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT traffic going out the WAN interface.
iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE
# Sleep for a little bit to allow the VPN interface to come up
sleep 30
# Restart the DHCP server to begin serving for the new interface
systemctl restart isc-dhcp-server
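As an added example (it is not part of the question or the answer above), here is a small Python model of the INPUT and FORWARD chains from that script. It applies the posted rules first-match with the DROP policies and reports, for every pair of interfaces, whether a flow started on one side gets both its first packet and its conntrack replies forwarded. The interface names are the answer's; the stateful rule for LAN-to-tap_soft replies is kept separate as `LAN_TO_VPN_REPLY` so the audit shows exactly what it changes. The rule and function names are my own, and the model covers only the `-i`/`-o` and `--ctstate` matches, which is all these rules use.

```python
"""First-match evaluator for the INPUT/FORWARD rules posted in the answer.

Constructed example: it models only interface (-i/-o) and conntrack
(--ctstate) matches, which is all the posted rules use.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Optional, Tuple

WAN, LAN, VPN = "enp0s7", "enp3s0f0", "tap_soft"   # names from the answer
EST = frozenset({"ESTABLISHED", "RELATED"})        # --ctstate ESTABLISHED,RELATED


@dataclass(frozen=True)
class Rule:
    chain: str
    in_if: Optional[str] = None                    # -i, None = any
    out_if: Optional[str] = None                   # -o, None = any
    ctstates: Optional[FrozenSet[str]] = None      # None = no conntrack match
    target: str = "ACCEPT"


POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}      # iptables -P ... DROP

# The -A rules in the order the script appends them.
RULES: List[Rule] = [
    Rule("INPUT", in_if="lo"),
    Rule("INPUT", in_if=LAN),
    Rule("INPUT", in_if=VPN),
    Rule("INPUT", in_if=WAN, ctstates=EST),
    Rule("FORWARD", in_if=LAN, out_if=WAN),
    Rule("FORWARD", in_if=VPN, out_if=WAN),
    Rule("FORWARD", in_if=VPN, out_if=LAN),
    Rule("FORWARD", in_if=WAN, out_if=LAN, ctstates=EST),
    Rule("FORWARD", in_if=WAN, out_if=VPN, ctstates=EST),
]
# Stateful return path for LAN hosts answering VPN clients, kept separate
# so the audit below shows its effect (hypothetical name).
LAN_TO_VPN_REPLY = Rule("FORWARD", in_if=LAN, out_if=VPN, ctstates=EST)


def verdict(rules: List[Rule], chain: str, in_if: str,
            out_if: Optional[str] = None, ctstate: str = "NEW") -> str:
    """Walk the chain: the first matching rule wins, else the chain policy."""
    for r in rules:
        if r.chain != chain:
            continue
        if r.in_if is not None and r.in_if != in_if:
            continue
        if r.out_if is not None and r.out_if != out_if:
            continue
        if r.ctstates is not None and ctstate not in r.ctstates:
            continue
        return r.target
    return POLICY[chain]


def flow_status(rules: List[Rule], src_if: str, dst_if: str) -> str:
    """Classify a forwarded connection initiated from src_if towards dst_if.

    The first packet is NEW in src->dst direction; conntrack marks the
    replies ESTABLISHED in the dst->src direction, so both must be accepted.
    """
    first = verdict(rules, "FORWARD", src_if, dst_if, "NEW")
    reply = verdict(rules, "FORWARD", dst_if, src_if, "ESTABLISHED")
    if first == "DROP":
        return "blocked"
    return "ok" if reply == "ACCEPT" else "reply-dropped"


def audit(rules: List[Rule]) -> Dict[Tuple[str, str], str]:
    """Status of every directed interface pair."""
    return {(s, d): flow_status(rules, s, d)
            for s, d in permutations((WAN, LAN, VPN), 2)}


if __name__ == "__main__":
    for label, rs in (("without LAN->VPN return rule", RULES),
                      ("with LAN->VPN return rule", RULES + [LAN_TO_VPN_REPLY])):
        print(label)
        for (s, d), status in sorted(audit(rs).items()):
            print(f"  {s:>9} -> {d:<9} {status}")
```

Running it shows that INPUT on tap_soft is accepted (so the hub itself is reachable from VPN clients, which is what the question asks for), that unsolicited WAN traffic is dropped everywhere, and that without the LAN-to-tap_soft ESTABLISHED,RELATED rule a VPN client can open a connection to a LAN host but the host's replies are dropped by the FORWARD policy. With that rule the VPN-to-LAN flow works while LAN-initiated connections to VPN clients stay blocked. Verify the live ruleset with `iptables -L -v -n`; this model only reasons about the rules you feed it.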