The same iptables NAT commands work on Ubuntu 18.04 and 22.04 but not on 20.04

My layout is:

[image: layout diagram]

My goal is to ping the Internet from eth0 through enp45s0 and wlo1. The following commands work fine on Ubuntu 18.04 and 22.04, but not on 20.04 (no ping to google.com, DNS or anything else on the Internet).

$ sudo sysctl net.ipv4.ip_forward=1
$ sudo iptables --table nat --append POSTROUTING --out-interface wlo1 -j MASQUERADE
$ sudo iptables --append FORWARD --in-interface enp45s0 -j ACCEPT

I cannot use the commands above; instead I have to use the commands below to make it work on 20.04.

$ sudo sysctl net.ipv4.ip_forward=1
$ sudo iptables -F
$ sudo iptables -F -t nat
$ sudo iptables -A FORWARD -o wlo1 -i enp45s0 -s 192.168.1.10/24 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -t nat -F POSTROUTING
$ sudo iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE

Can someone help me understand why I had to make these changes?

Hi Doug Smythies,
I don't currently have 18.04 or 22.04 environments, so we can focus on why the first set of commands does not work on 20.04. Please check the default iptables settings below.

------------------------------------------------------------------
$ sudo iptables -xvnL
 Chain INPUT (policy ACCEPT 357 packets, 265671 bytes)
     pkts      bytes target     prot opt in     out     source               destination
 
 Chain FORWARD (policy DROP 49 packets, 4116 bytes)
     pkts      bytes target     prot opt in     out     source               destination
       49     4116 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       49     4116 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0        0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0                 ctstate RELATED,ESTABLISHED
        0        0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
        0        0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
        0        0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 
 Chain OUTPUT (policy ACCEPT 370 packets, 36494 bytes)
     pkts      bytes target     prot opt in     out     source               destination
 
 Chain DOCKER (1 references)
     pkts      bytes target     prot opt in     out     source               destination
 
 Chain DOCKER-ISOLATION-STAGE-1 (1 references)
     pkts      bytes target     prot opt in     out     source               destination
        0        0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
       49     4116 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
 Chain DOCKER-ISOLATION-STAGE-2 (1 references)
     pkts      bytes target     prot opt in     out     source               destination
        0        0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
        0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
 Chain DOCKER-USER (1 references)
     pkts      bytes target     prot opt in     out     source               destination
       49     4116 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
------------------------------------------------------------------
$ sudo iptables -t nat -xvnL
 Chain PREROUTING (policy ACCEPT 57 packets, 4958 bytes)
     pkts      bytes target     prot opt in     out     source               destination
        1      254 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
 
 Chain INPUT (policy ACCEPT 1 packets, 254 bytes)
     pkts      bytes target     prot opt in     out     source               destination
 
 Chain OUTPUT (policy ACCEPT 68 packets, 5655 bytes)
     pkts      bytes target     prot opt in     out     source               destination
        0        0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
 
 Chain POSTROUTING (policy ACCEPT 68 packets, 5655 bytes)
     pkts      bytes target     prot opt in     out     source               destination
        0        0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
 
 Chain DOCKER (2 references)
     pkts      bytes target     prot opt in     out     source               destination
        0        0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
------------------------------------------------------------------
$ route -n
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 0.0.0.0         192.168.223.114 0.0.0.0         UG    600    0        0 wlo1
 169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp45s0
 172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
 192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp45s0
 192.168.223.0   0.0.0.0         255.255.255.0   U     600    0        0 wlo1
------------------------------------------------------------------
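The dump above shows the FORWARD chain with policy DROP (Docker installs its chains and sets that policy), so the only ACCEPT on the return path is restricted to docker0; replies arriving on wlo1 and leaving via enp45s0 match nothing and fall through to DROP, which is exactly the gap the ESTABLISHED,RELATED rule in the second command set closes. As an added check, not code from the original post, the script below reads an `iptables -xvnL` dump and reports whether the return path toward a LAN interface (enp45s0 here) is open; the sample dump is a constructed, shortened copy of the one posted.

```shell
#!/bin/sh
# Added example: inspect an `iptables -xvnL` dump for the FORWARD policy and
# for an ACCEPT of RELATED,ESTABLISHED traffic toward the LAN interface.
# SAMPLE_DUMP is a constructed, shortened copy of the dump in the post.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT 357 packets, 265671 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 49 packets, 4116 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      49     4116 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 370 packets, 36494 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# forward_policy DUMP -> prints the FORWARD chain policy (ACCEPT or DROP)
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^ *Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# forward_rules DUMP -> prints only the counted rule lines of the FORWARD chain
forward_rules() {
    printf '%s\n' "$1" | awk '
        /^ *Chain / { inchain = ($2 == "FORWARD"); next }
        inchain && $1 ~ /^[0-9]+$/ { print }'
}

# lan_return_accepted DUMP IFACE -> exit 0 when a FORWARD rule ACCEPTs
# RELATED,ESTABLISHED packets leaving via IFACE (out column "*" or IFACE).
# A rule whose out column is docker0 does not cover the LAN interface.
lan_return_accepted() {
    forward_rules "$1" | awk -v lan="$2" '
        $3 == "ACCEPT" && ($7 == "*" || $7 == lan) &&
        /ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose DUMP IFACE -> prints a verdict; exit 0 when the return path is open
diagnose() {
    policy=$(forward_policy "$1")
    if [ "$policy" = "ACCEPT" ]; then
        echo "FORWARD policy ACCEPT: replies toward $2 pass by default"; return 0
    fi
    if lan_return_accepted "$1" "$2"; then
        echo "FORWARD policy $policy, but a RELATED,ESTABLISHED ACCEPT covers $2"; return 0
    fi
    echo "FORWARD policy $policy and no RELATED,ESTABLISHED ACCEPT toward $2: replies are dropped"
    return 1
}
```

Run it against a live box with `diagnose "$(sudo iptables -xvnL)" enp45s0`; on the posted dump it reports that replies are dropped, and after the second command set's ESTABLISHED,RELATED rule it reports the path open.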
