Can a torrent still download via enp3s0 (eth0) even though outgoing traffic is restricted to the VPN on tun0?

I modified my iptables according to Musclehead's answer here so that my transmission-daemon can send its outgoing traffic to tun0 (i.e. the VPN).

(Note: my eth0 is called enp3s0.)


Now, if I add a torrent to download, I observe that the only numbers that increase in the traffic are the ones related to the INPUT chain on enp3s0 (i.e. my Ethernet port) in sudo iptables -L -v. These numbers add up with the stats I get from the VPN.

Does this mean that I am downloading to my original WAN address instead of through the tunnel?

I thought that when I add a torrent, the information about the download is also sent out over tun0, so the answers should come back into that IP range.


As you can see here, the two outputs I generated are only a few seconds apart, and the traffic on device enp3s0 increased from 1356M to 2201M.

$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2417  172K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 170K   17M ACCEPT     all  --  tun0   any     anywhere             anywhere            
 330K 1356M ACCEPT     all  --  enp3s0 any     anywhere --THIS LINE anywhere            
  942  134K ACCEPT     all  --  lo     any     anywhere             anywhere            

...          

Chain OUTPUT (policy ACCEPT 483K packets, 269M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   19  6545 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/24     tcp spt:9091 owner GID match debian-transmission
    0     0 ACCEPT     udp  --  any    enp3s0  anywhere             192.168.100.0/24     udp spt:9091 owner GID match debian-transmission
 229K  210M ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
  221 57168 ACCEPT     all  --  any    lo      anywhere             anywhere             owner GID match debian-transmission
   92  5372 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable

... 

Second output a few seconds later:

$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2431  173K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 170K   17M ACCEPT     all  --  tun0   any     anywhere             anywhere            
 384K 2201M ACCEPT     all  --  enp3s0 any     anywhere --THIS LINE anywhere            
  942  134K ACCEPT     all  --  lo     any     anywhere             anywhere            

...          

Chain OUTPUT (policy ACCEPT 536K packets, 272M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   19  6545 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/24     tcp spt:9091 owner GID match debian-transmission
    0     0 ACCEPT     udp  --  any    enp3s0  anywhere             192.168.100.0/24     udp spt:9091 owner GID match debian-transmission
 229K  210M ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
  221 57168 ACCEPT     all  --  any    lo      anywhere             anywhere             owner GID match debian-transmission
   92  5372 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable

... 

I will also add the output of my routing table for better understanding:

$ ip route show table local
broadcast 10.8.8.0 dev tun0  proto kernel  scope link  src 10.8.8.5 
local 10.8.8.5 dev tun0  proto kernel  scope host  src 10.8.8.5 
broadcast 10.8.8.255 dev tun0  proto kernel  scope link  src 10.8.8.5 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast 192.168.100.0 dev enp3s0  proto kernel  scope link  src 192.168.100.91 
local 192.168.100.91 dev enp3s0  proto kernel  scope host  src 192.168.100.91 
broadcast 192.168.100.255 dev enp3s0  proto kernel  scope link  src 192.168.100.91 

Answer 1

I asked the people at the VPN company and they analysed the output below. They said that both IPs (I changed them) are VPN IPs, so my VPN is not leaking and the connection is correct. Of course ssh also transmits some traffic, because I used it to log in to the PC.

But what they found odd is that this traffic is not visible on tun0 in the iptables chains I posted in the question. See below.

Considering the fact that the traffic is going through enp3s0, this is correct, because the traffic from tun0 is forwarded (encrypted) to the Ethernet port.

$ sudo tcpdump -i enp3s0 not src 84.17.47.59
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:35:14.533573 IP 192.168.100.91.ssh > 192.168.100.210.59004: Flags [P.], seq 835793677:835793865, ack 3278619125, win 318, options [nop,nop,TS val 19307620 ecr 4023390051], length 188
10:35:14.534084 IP 192.168.100.91.47524 > 203.179.83.129.openvpn: UDP, length 164
10:35:14.534399 IP 206.189.83.129.openvpn > 192.168.100.91.47524: UDP, length 468

Also, my ufw firewall rules were missing from the INPUT, FORWARD and OUTPUT chains as well as from the other ufw-specific chains. For example:

  199 13931 ufw-after-output  all  --  any    any     anywhere             anywhere            
  199 13931 ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  199 13931 ufw-reject-output  all  --  any    any     anywhere             anywhere            
  199 13931 ufw-track-output  all  --  any    any     anywhere             anywhere          

Once I removed the ufw package and its settings, flushed all of the specific iptables chains and then set everything up from scratch, it worked correctly. Incoming traffic is now also visible on tun0.

To answer the question: yes, the outgoing traffic on eth will end up being diverted to tun0 once it has gone through the tunnel. The two values should add up.
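As an added example, not from the question or the answer above: a small Python script that diffs two `iptables -L -v` snapshots and applies the reasoning the answer ends with. The encrypted download has to show up on enp3s0 (UDP to the VPN server's openvpn port), and the same download, once decrypted, has to move the tun0 INPUT counter as well; a large jump on enp3s0 with tun0 standing still is the pattern seen in the question. The two snapshots are constructed from the ones posted above (trimmed to the rows that matter); the "healthy" variant, the status labels and the `diagnose` heuristic are my own and not part of the page.

```python
import re

# Constructed input: the two `sudo iptables -L -v` snapshots from the question,
# reduced to the rows needed for the diagnosis.
SNAPSHOT_BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2417  172K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 170K   17M ACCEPT     all  --  tun0   any     anywhere             anywhere
 330K 1356M ACCEPT     all  --  enp3s0 any     anywhere             anywhere
  942  134K ACCEPT     all  --  lo     any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 483K packets, 269M bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  6545 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/24     tcp spt:9091 owner GID match debian-transmission
 229K  210M ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
   92  5372 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable
"""

SNAPSHOT_AFTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2431  173K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 170K   17M ACCEPT     all  --  tun0   any     anywhere             anywhere
 384K 2201M ACCEPT     all  --  enp3s0 any     anywhere             anywhere
  942  134K ACCEPT     all  --  lo     any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 536K packets, 272M bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  6545 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/24     tcp spt:9091 owner GID match debian-transmission
 229K  210M ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
   92  5372 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable
"""

# Hypothetical "what it should look like" snapshot: same WAN growth, but the
# tun0 INPUT counter has moved too (17M -> 810M). Not from the page.
SNAPSHOT_HEALTHY = SNAPSHOT_AFTER.replace(
    " 170K   17M ACCEPT     all  --  tun0", " 250K  810M ACCEPT     all  --  tun0")

# iptables -L -v abbreviates counters in steps of 1000 (K/M/G); use -x for exact values.
_MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_count(s):
    m = re.fullmatch(r"(\d+)([KMGT]?)", s)
    if not m:
        raise ValueError("bad counter: %r" % s)
    return int(m.group(1)) * _MULT[m.group(2)]

def parse_snapshot(text):
    """Map (chain, in, out, target, extra-match text) -> (pkts, bytes) for every rule line."""
    rules, chain = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        if chain is None or not parts or parts[0] == "pkts":
            continue  # blank line or column header
        pkts, byts, target, _prot, _opt, iface_in, iface_out, _src, _dst = parts[:9]
        rules[(chain, iface_in, iface_out, target, " ".join(parts[9:]))] = (
            parse_count(pkts), parse_count(byts))
    return rules

def counter_deltas(before, after):
    """Packet/byte growth per rule between two snapshots (rules present in both)."""
    return {k: (after[k][0] - before[k][0], after[k][1] - before[k][1])
            for k in after if k in before}

def bytes_in(deltas, chain, iface):
    """Byte growth on `chain` for rules matching packets that arrived on `iface`."""
    return sum(b for (c, i, _o, _t, _x), (_p, b) in deltas.items() if c == chain and i == iface)

def diagnose(deltas, wan="enp3s0", tun="tun0", group="debian-transmission"):
    """Return (status, wan_in_bytes, tun_in_bytes, rejected_bytes).

    ok                   plaintext arrived on tun0 while ciphertext arrived on the WAN port
    tunnel_counter_idle  ciphertext grew on the WAN port but the tun0 ACCEPT never fired:
                         either the download is not inside the tunnel, or, as in the answer
                         above, another chain (the ufw-* ones) handles tun0 packets first
    no_traffic           nothing changed on either interface
    """
    wan_in, tun_in = bytes_in(deltas, "INPUT", wan), bytes_in(deltas, "INPUT", tun)
    # Growth of the GID-scoped REJECT shows the kill-switch actually dropping something.
    rejected = sum(b for (c, _i, _o, t, x), (_p, b) in deltas.items()
                   if c == "OUTPUT" and t == "REJECT" and group in x)
    if wan_in == 0 and tun_in == 0:
        status = "no_traffic"
    elif tun_in == 0:
        status = "tunnel_counter_idle"
    else:
        status = "ok"
    return status, wan_in, tun_in, rejected

if __name__ == "__main__":
    before = parse_snapshot(SNAPSHOT_BEFORE)
    print(diagnose(counter_deltas(before, parse_snapshot(SNAPSHOT_AFTER))))
    print(diagnose(counter_deltas(before, parse_snapshot(SNAPSHOT_HEALTHY))))
```

Take the snapshots with `iptables -L -v -x` in practice: the abbreviated counters are rounded, so "17M" before and after can hide a sub-megabyte change. The `REJECT` counter is the one to watch for the kill-switch itself; it is the rule that proves transmission could not reach anything outside tun0, independently of what the VPN provider reports.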
