Routing OpenVPN traffic through a TomatoUSB router

I have set up TomatoUSB on my second (internal) router. The external router simply forwards the VPN traffic to it, and it acts as the VPN server. I can connect to the VPN server and to my LAN, but I lose my internet connection.

I know the reason: I am not routing the VPN traffic through the gateway. I searched around and found that what I need to do is:

iptables -I FORWARD -i tun0 -o eth0 \
         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
         -j ACCEPT

iptables -t nat -I POSTROUTING -o eth0 \
          -s 10.8.0.0/24 -j MASQUERADE

Although in my case I have to change tun0 to tun21 and eth0 to br0. However, the version of TomatoUSB I have produces this error:

iptables v1.3.8: Couldn't load match `conntrack':File not found

As far as I can tell this is an old iptables version. So, how do I route and masquerade my VPN traffic through the TomatoUSB router?

route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun21
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
10.8.0.0        10.8.0.2        255.255.0.0     UG    0      0        0 tun21
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 vlan2

iptables --list

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1194 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:1194 
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
           all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
wanin      all  --  anywhere             anywhere            
wanout     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain shlimit (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: shlimit side: source 
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 

Chain wanin (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             athena.utopia       tcp dpts:5999:x11-1 
ACCEPT     udp  --  anywhere             athena.utopia       udp dpts:5999:x11-1 
ACCEPT     tcp  --  anywhere             athena.utopia       tcp dpt:3022 
ACCEPT     udp  --  anywhere             athena.utopia       udp dpt:3022 

Chain wanout (1 references)
target     prot opt source               destination         

iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 24 packets, 1296 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   14   588 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
   40 13755 WANPREROUTING  all  --  *      *       0.0.0.0/0            192.168.0.4         
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.1.0/24      

Chain POSTROUTING (policy ACCEPT 8 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12   912 MASQUERADE  all  --  *      vlan2   10.8.0.0/24          0.0.0.0/0           
    2   152 MASQUERADE  all  --  *      vlan2   10.8.0.0/24          0.0.0.0/0           
 6781  490K MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           
    0     0 SNAT       all  --  *      br0     192.168.1.0/24       192.168.1.0/24      to:192.168.1.1 
    0     0 MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 8 packets, 576 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain WANPREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.1 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:5999:6001 to:192.168.1.130 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:5999:6001 to:192.168.1.130 
    2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 to:192.168.1.130:3022 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:22 to:192.168.1.130:3022 

Answer 1

I'm not sure I understand your problem, so I don't know whether those three iptables rules will solve it. But as far as the three rules themselves go, you don't actually need the first two; you can replace them with a single rule:

    iptables -I FORWARD -j ACCEPT

The third rule really is important, but fortunately you don't need the conntrack module for it. I'm a bit surprised, though, that Tomato doesn't have such a common module.

Edit

Looking at your routing table, I think your WAN interface (i.e. the one that talks to the internet rather than to your LAN) is vlan2. In that case your third iptables rule should be:

   iptables -t nat -I POSTROUTING -o vlan2 -s 10.8.0.0/24 -j MASQUERADE

If I'm wrong, substitute the name of your WAN interface for vlan2.
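As an added example (not code from the question or the answer), a small POSIX sh script that picks the connection-tracking match the router's iptables can actually load and generates the three rules with the interface names and subnet from the question (tun21, vlan2, 10.8.0.0/24). It assumes the `state` match is available on the router, which the "state RELATED,ESTABLISHED" lines in the question's own `iptables --list` output suggest; keeping the source-subnet and interface restrictions avoids an unconditional FORWARD ACCEPT.

```sh
#!/bin/sh
# Added example: generate FORWARD and NAT rules for OpenVPN clients on a
# router whose iptables build cannot load the conntrack match.
# Interface names and subnet are taken from the question; falling back to
# "-m state" is an assumption (the router's listing shows "state ..." rules).

# Decide which match to use from the output of a probe such as
# `iptables -m conntrack -h`. The router in the question prints
# "iptables v1.3.8: Couldn't load match `conntrack':File not found".
pick_match() {
    case "$1" in
        *"Couldn't load match"*conntrack*) echo state ;;
        *) echo conntrack ;;
    esac
}

# Print the three rules for the chosen match style.
# Usage: vpn_forward_rules <state|conntrack> <vpn_if> <wan_if> <vpn_net>
vpn_forward_rules() {
    match="$1"; vpn_if="$2"; wan_if="$3"; vpn_net="$4"
    case "$match" in
        conntrack) m="-m conntrack --ctstate" ;;
        state)     m="-m state --state" ;;
        *) echo "unknown match style: $match" >&2; return 1 ;;
    esac
    # Only NEW flows from the VPN subnet toward the WAN are accepted;
    # replies come back through the RELATED,ESTABLISHED rule.
    echo "iptables -I FORWARD -i $vpn_if -o $wan_if -s $vpn_net $m NEW -j ACCEPT"
    echo "iptables -I FORWARD $m RELATED,ESTABLISHED -j ACCEPT"
    # Masquerade on the WAN interface (vlan2), not on the LAN bridge br0.
    echo "iptables -t nat -I POSTROUTING -o $wan_if -s $vpn_net -j MASQUERADE"
}

# Dry run by default: print the rules. Set APPLY=1 on the router to run them.
# -I inserts a fresh copy every time, so running this twice duplicates the
# rules (the question's nat listing already shows duplicated MASQUERADE
# entries); inspect or flush the chains before re-applying.
probe=$(iptables -m conntrack -h 2>&1 || true)
vpn_forward_rules "$(pick_match "$probe")" tun21 vlan2 10.8.0.0/24 |
while read -r rule; do
    if [ "${APPLY:-0}" = 1 ]; then
        sh -c "$rule"
    else
        echo "$rule"
    fi
done
```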
