My layout is:
My goal is to ping the internet from eth0 via enp45s0 and wlo1. The following commands work fine in Ubuntu 18.04 and 22.04, but not in 20.04 (I cannot ping google.com, DNS or anything else on the internet).
$ sudo sysctl net.ipv4.ip_forward=1
$ sudo iptables --table nat --append POSTROUTING --out-interface wlo1 -j MASQUERADE
$ sudo iptables --append FORWARD --in-interface enp45s0 -j ACCEPT
I cannot use the commands above; instead I have to use the commands below to make it work in 20.04.
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -F
sudo iptables -F -t nat
sudo iptables -A FORWARD -o wlo1 -i enp45s0 -s 192.168.1.10/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o wlo1 -j MASQUERADE
Can someone help me understand why I had to make these changes?
Hi Doug Smythies,
I currently don't have 18.04 or 22.04 environments available, so we can focus on why the first set of commands does not work in 20.04. Please see the default iptables settings below.
------------------------------------------------------------------
$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 357 packets, 265671 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 49 packets, 4116 bytes)
pkts bytes target prot opt in out source destination
49 4116 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
49 4116 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 370 packets, 36494 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
49 4116 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
49 4116 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
------------------------------------------------------------------
$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 57 packets, 4958 bytes)
pkts bytes target prot opt in out source destination
1 254 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 1 packets, 254 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 68 packets, 5655 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 68 packets, 5655 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
------------------------------------------------------------------
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.223.114 0.0.0.0 UG 600 0 0 wlo1
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp45s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp45s0
192.168.223.0 0.0.0.0 255.255.255.0 U 600 0 0 wlo1
------------------------------------------------------------------
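The listing above shows the FORWARD chain with policy DROP and the chains Docker installs, which is the condition the two rule sets in the question are evaluated against. The following is an added example, not code posted by anyone in this thread: it parses the FORWARD-related part of that listing (embedded as sample input) and replays the chain for two packets, the first LAN-to-WAN packet (in enp45s0, out wlo1, conntrack state NEW) and its reply (in wlo1, out enp45s0, ESTABLISHED). Only the in/out interface and ctstate matches are modelled; the address columns are all 0.0.0.0/0 here and are assumed to match. The rule names FIRST_SET and SECOND_SET, the Rule class and the simulate() helper are this example's own.

```python
"""Replay the FORWARD chain of an `iptables -xvnL` listing for a given packet.
Added example for this thread, not code posted in it; only the in/out interface
and ctstate matches are modelled (the address columns here are all 0.0.0.0/0)."""
import re
from dataclasses import dataclass

# The FORWARD-related chains from the listing posted above (the empty DOCKER
# chain is omitted; a jump to an unknown chain is treated as non-terminating).
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP 49 packets, 4116 bytes)
pkts bytes target prot opt in out source destination
49 4116 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
49 4116 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
49 4116 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
49 4116 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
"""

@dataclass
class Rule:
    target: str
    in_if: str
    out_if: str
    ctstates: frozenset = frozenset()  # empty: no "-m conntrack --ctstate" match

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+).*|\d+ references)\)$")

def parse_listing(text):
    """Build {chain: {"policy": str or None, "rules": [Rule]}}; user chains have no policy."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line.strip())
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        cols = line.split()
        if not cols or cols[0] == "pkts" or current is None:
            continue
        # columns: pkts bytes target prot opt in out source destination [match ...]
        ctstates = frozenset()
        if "ctstate" in cols:
            ctstates = frozenset(cols[cols.index("ctstate") + 1].split(","))
        current["rules"].append(Rule(cols[2], cols[5], cols[6], ctstates))
    return chains

def iface_match(pattern, iface):
    """'*' matches any interface, '!name' matches every interface except name."""
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return iface != pattern[1:]
    return pattern == iface

def verdict(chains, name, pkt):
    """ACCEPT/DROP/REJECT for pkt, or RETURN when a user chain runs off its end."""
    chain = chains[name]
    for r in chain["rules"]:
        if not (iface_match(r.in_if, pkt["in"]) and iface_match(r.out_if, pkt["out"])):
            continue
        if r.ctstates and pkt["ctstate"] not in r.ctstates:
            continue
        if r.target == "RETURN":
            break  # back to the caller; in a built-in chain that means the policy
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
        if r.target in chains:  # jump into a user-defined chain
            v = verdict(chains, r.target, pkt)
            if v != "RETURN":
                return v
    return chain["policy"] or "RETURN"

def simulate(extra_rules=(), flush=False):
    """Verdicts for (LAN->WAN first packet, WAN->LAN reply) after adding extra_rules.
    flush=True mimics `iptables -F`, which empties FORWARD but keeps its policy."""
    chains = parse_listing(SAMPLE_LISTING)
    if flush:
        chains["FORWARD"]["rules"].clear()
    chains["FORWARD"]["rules"].extend(extra_rules)  # like `iptables -A FORWARD ...`
    outbound = {"in": "enp45s0", "out": "wlo1", "ctstate": "NEW"}
    reply = {"in": "wlo1", "out": "enp45s0", "ctstate": "ESTABLISHED"}
    return verdict(chains, "FORWARD", outbound), verdict(chains, "FORWARD", reply)

# First set of commands: `iptables --append FORWARD --in-interface enp45s0 -j ACCEPT`
FIRST_SET = [Rule("ACCEPT", "enp45s0", "*")]
# Second set: the two `-A FORWARD` rules, run after `iptables -F`
SECOND_SET = [Rule("ACCEPT", "enp45s0", "wlo1", frozenset({"NEW"})),
              Rule("ACCEPT", "*", "*", frozenset({"ESTABLISHED", "RELATED"}))]
```

Running simulate() with the listing as posted gives DROP for both directions; with FIRST_SET the outbound packet is accepted but the reply coming back in on wlo1 matches no rule and falls through to the DROP policy, which is why the first set produces no ping replies when Docker has set that policy; with SECOND_SET the ESTABLISHED,RELATED rule accepts the return direction as well. The listing also shows the DOCKER-USER chain, which Docker evaluates before its own rules and leaves for local rules, so forwarding rules placed there survive a Docker restart without flushing the whole table as the second set does.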