Debian 7 上 IP 从一个接口转发到另一个接口

Debian 7 上 IP 从一个接口转发到另一个接口

背景

我运行的 Debian 7 有以下界面

wlan3 == Internet connection  85.5.48.64/24
wlan2 == act as an AP (hostapd) 192.168.5.1/24

我在终端上运行以下设置

sudo iptables -t nat -A POSTROUTING -o wlan3 -j MASQUERADE
sudo iptables -A FORWARD -i wlan3 -o wlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan2 -o wlan3 -j ACCEPT

问题

wlan2接口无法访问互联网。

root@arm:/etc# ping -I wlan2 google.com
PING google.com (173.194.34.78) from 192.168.5.1 wlan2: 56(84) bytes of data.
From 192.168.5.1 icmp_seq=1 Destination Host Unreachable
From 192.168.5.1 icmp_seq=2 Destination Host Unreachable
From 192.168.5.1 icmp_seq=3 Destination Host Unreachable

谁能告诉我这是什么问题以及如何解决?

相关设置和输出

root@arm:/etc# uname -a
Linux arm 3.14.4-armv7-x6 #1 SMP Tue May 20 15:29:16 CEST 2014 armv7l GNU/Linux

root@arm:/etc# sysctl -p
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.rp_filter = 0
sysctl: cannot stat /proc/sys/net/ipv4/conf/eth1/rp_filter: No such file or directory
net.ipv4.conf.lo.rp_filter = 0

root@arm:/etc# ip route
default via 85.5.48.1 dev wlan3 
85.5.48.0/24 dev wlan3  proto kernel  scope link  src 85.5.48.110 
192.168.5.0/24 dev wlan2  proto kernel  scope link  src 192.168.5.1 

root@arm:/etc# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         supercore.backb 0.0.0.0         UG    0      0        0 wlan3
85.5.48.0       *               255.255.255.0   U     0      0        0 wlan3
192.168.5.0     *               255.255.255.0   U     0      0        0 wlan2

root@arm:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

 root@arm:/etc# cat /etc/network/interfaces 
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto wlan2
iface wlan2 inet static
    address 192.168.5.1
    network 192.168.5.0
    netmask 255.255.255.0

auto wlan3

root@arm:/etc# iptables-save
# Generated by iptables-save v1.4.14 on Wed Jun  4 08:39:05 2014
*nat
:PREROUTING ACCEPT [2634:425297]
:INPUT ACCEPT [1992:263181]
:OUTPUT ACCEPT [7:488]
:POSTROUTING ACCEPT [1:84]
-A POSTROUTING -o wlan3 -j MASQUERADE
-A POSTROUTING -o wlan3 -j MASQUERADE
-A POSTROUTING -o wlan3 -j MASQUERADE
COMMIT
# Completed on Wed Jun  4 08:39:05 2014
# Generated by iptables-save v1.4.14 on Wed Jun  4 08:39:05 2014
*filter
:INPUT ACCEPT [4705:642335]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:4015]
-A FORWARD -i wlan3 -o wlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan2 -o wlan3 -j ACCEPT
-A FORWARD -i wlan2 -o wlan3 -j ACCEPT
-A FORWARD -i wlan3 -o wlan2 -j ACCEPT
-A FORWARD -i wlan2 -o wlan3 -j ACCEPT
-A FORWARD -i wlan3 -o wlan2 -j ACCEPT
-A FORWARD -i wlan2 -o wlan3 -j ACCEPT
-A FORWARD -i wlan3 -o wlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan2 -o wlan3 -j ACCEPT
-A FORWARD -i wlan3 -o wlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun  4 08:39:05 2014

root@arm:/etc# ifconfig 
br0       Link encap:Ethernet  HWaddr 42:42:30:df:a0:d0  
          inet6 addr: fe80::4042:30ff:fedf:86d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:31581 (30.8 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:560 (560.0 B)  TX bytes:560 (560.0 B)

mon.wlan2 Link encap:UNSPEC  HWaddr 64-01-02-18-03-6B-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24415 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5163458 (4.9 MiB)  TX bytes:0 (0.0 B)

wlan2     Link encap:Ethernet  HWaddr 64:02:47:a8:24:80  
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:166955 (163.0 KiB)  TX bytes:230200 (224.8 KiB)

wlan3     Link encap:Ethernet  HWaddr 64:02:47:14:18:be  
          inet addr:85.5.64.110  Bcast:85.5.64.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:40520 errors:0 dropped:0 overruns:0 frame:0
          TX packets:218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5549564 (5.2 MiB)  TX bytes:27413 (26.7 KiB)

root@arm:/etc# cat /etc/hostapd.conf 
interface=wlan2
driver=nl80211
ssid=test_network
hw_mode=g
channel=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
macaddr_acl=0
auth_algs=1
wpa=2
wpa_passphrase=mypassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP

root@arm:/etc# cat /etc/dhcp/dhcpd.conf 
option domain-name "mydomain.org";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.5.0 netmask 255.255.255.0 {
  range 192.168.5.10 192.168.5.20;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.5.255;
option domain-name-servers 192.168.5.1;
  option routers 192.168.5.1;
option domain-name-servers 8.8.4.4;
}

root@arm:/etc# hostapd -v
hostapd v2.2-devel

Wi-Fi 设备使用AR9271芯片组和ath9k_htc驱动程序

编辑:

root@arm:~#  tcpdump -i wlan2 -n icmp
[  569.446472] device wlan2 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan2, link-type EN10MB (Ethernet), capture size 65535 bytes
16:54:31.260589 IP 192.168.5.10 > 83.5.146.49: ICMP echo request, id 3867, seq 17, length 64
16:55:54.175933 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 1, length 64
16:55:55.185028 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 2, length 64
16:55:56.192626 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 3, length 64
16:55:57.200836 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 4, length 64
16:55:58.208679 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 5, length 64
16:55:59.216827 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 6, length 64
16:56:00.224792 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 7, length 64
16:56:01.232757 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 8, length 64
16:56:02.241485 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 9, length 64
16:56:03.249084 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 10, length 64
16:56:04.256561 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 11, length 64
16:56:05.264404 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 12, length 64
16:56:06.272613 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 13, length 64
16:56:07.281494 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 14, length 64
16:56:08.288482 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 15, length 64
16:56:09.296661 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 16, length 64
16:56:10.304534 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 17, length 64
^C
18 packets captured
18 packets received by filter
0 packets dropped[  687.418762] device wlan2 left promiscuous mode
 by kernel
root@arm:~#  tcpdump -i wlan3 -n icmp
[  699.226867] device wlan3 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan3, link-type EN10MB (Ethernet), capture size 65535 bytes
16:56:22.402374 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 29, length 64
16:56:23.408142 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 30, length 64
16:56:24.416259 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 31, length 64
16:56:25.424743 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 32, length 64
16:56:26.435974 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 33, length 64
16:56:27.439971 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 34, length 64
16:56:28.448028 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 35, length 64
16:56:29.456024 IP 192.168.5.10 > 8.8.8.8: ICMP echo request, id 3945, seq 36, length 64
^C
8 packets captured
8 packets received by filter
0 packets dropped [  706.608520] device wlan3 left promiscuous mode
by kernel
root@arm:~# 

答案1

这不是一个真正的答案,但有两个提示不适合评论格式:

  • 当您ping这样时,数据包不会穿过FORWARD链,而是直接穿过OUTPUT链,因此您实际上并没有测试防火墙设置 FWIW。

    由于同样的原因(虽然我不太确定),另一个可能出现的问题是由于数据包是在本地主机上生成的,而不是转发,伪装不适用于它,因此它在堆栈发送它时应该会被内核杀死wlan3——因为对于该网络,在私有子网中具有源地址的数据包将是“火星”的,并且路由器明确禁止发送此类数据包不管怎样,即使这个数据包被发送,它也会85.5.48.1因为同样的原因被网关杀死。

    为了证明或反驳这一假设,请tcpdump在传出接口上使用:

    1. 跑步

       # tcpdump -i wlan3 -n icmp
      
    2. 像前面一样进行 ping 操作,查看是否会在线路上看到任何 ICMP 回显请求,如果是,则查看它们的 IP 标头中包含哪些地址。

  • 您的防火墙设置已将其链的策略FORWARD设置为ACCEPT。如果这对于您的设置没有问题,则没有必要向该链添加显式规则,因为无论如何一切都是允许的。

    另一方面,您可以考虑将该策略设置为DROP。大多数设置都有针对INPUTFORWARD设置为的策略DROP,然后仅允许明确类型的流量。

    但请注意,在您使转发正常工作时,没有规则(有ACCEPT策略)是可以的。之后,请考虑收紧设置。

答案2

我首先要删除你的两个 FORWARD 表规则

sudo iptables -A FORWARD -i wlan3 -o wlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan2 -o wlan3 -j ACCEPT

只需保留简单的 NAT 规则

sudo iptables -t nat -A POSTROUTING -o wlan3 -j MASQUERADE

现在让我们开始工作;之后我们可以想出更好的规则来保护 wlan3 网络

答案3

在这样的问题中很容易忽略一些东西,但这正是引起我注意的:

/etc/网络/接口,您尚未为 定义默认网关wlan2。 的默认网关wlan2应与 IP 地址本身相同,因为转发框将是路由器。

auto wlan2
iface wlan2 inet static
    address 192.168.5.1
    network 192.168.5.0
    netmask 255.255.255.0
    gateway 192.168.5.1

编辑:我刚刚注意到wlan3在 的输出中也没有网关ip route。之前没注意到。wlan3还必须通过 DHCP 或手动配置网关。此网关将是该网络的路由器,这不是我们在这里讨论的框。

您能否检查以下操作是否有效?

ping -I wlan3 google.com

如果没有的话,说明你的盒子没有正确配置为访问互联网,因此 NAT 也无法工作。

答案4

从您显示的内容来看,没有问题,因为互联网已连接到wlan3预期

ping -I wlan2 google.com

将不起作用,这取决于 ping 的版本,-I要么意味着将数据包从特定接口发送出去,要么使用接口地址作为源地址。

相关内容