下列的这个例子:
sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0
sudo sysctl -w net.ipv4.conf.tun0.rp_filter=0
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
sudo sysctl -w net.ipv4.conf.default.rp_filter=0
sudo sysctl -w net.ipv4.conf.lo.rp_filter=0
sudo sysctl -w net.ipv4.conf.all.forwarding=1
sudo sysctl -w net.ipv4.conf.default.forwarding=1
sudo sysctl -w net.ipv4.conf.eth0.forwarding=1
sudo sysctl -w net.ipv4.conf.lo.forwarding=1
sudo sysctl -w net.ipv4.conf.tun0.forwarding=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.default.forwarding=1
sudo sysctl -w net.ipv6.conf.eth0.forwarding=1
sudo sysctl -w net.ipv6.conf.lo.forwarding=1
sudo sysctl -w net.ipv6.conf.tun0.forwarding=1
sudo sysctl -w net.ipv4.tcp_fwmark_accept=1
iptables -F
iptables -t mangle -F
iptables -t nat -F
ip route flush table 101
ip route flush cache
ip rule del fwmark 2 table 101
ip rule add fwmark 2 table 101
ip route add table 101 default via 192.168.0.1 dev eth0
ip route add table 101 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.102
iptables --table nat --append POSTROUTING -o eth0 -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
但是,当我启动 OpenVPN,然后使用 ssh 登录到我的服务器并运行时last
,我看到的是我的 VPN 服务的 IP,而不是我的外部 IP。
我错过了什么?
操作系统:Ubuntu 16.10
答案1
回答我自己的问题:
iptables -F
iptables -t mangle -F
iptables -t nat -F
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/tun0/rp_filter
ip route flush table 101
ip rule add fwmark 2 table 101
ip route add default via 192.168.0.1 table 101
ip route flush cache
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 2
简而言之,ip route flush cache
应该紧跟在最后一个ip route add
命令之后,对于 iptables 来说,OUTPUT
应该使用 chain 而不是PREROUTING
。