我正在努力以正确的方式设置 iptables/routing。
目标是: - 连接到 wifi-KK 的客户端的流量不使用隧道,而是通过 eth0 到达路由器 - 连接到 wifi-KK-VPN 的客户端的流量使用隧道
我认为这需要修改 iptables 并可能需要不同的路由以及覆盖从 openvpn 传递下来的路由。
任何帮助将不胜感激
我的网络设置如下:
路由器:192.168.0.1(Virgin 默认),wifi ssid 为 VMxxx
服务器:eth0:191.168.0.254(与路由器在同一网络中)wlan0:192.168.101.1(使用 VPN 安全连接的客户端的 Wi-Fi 网络)wlan0_0:191.168.102.1(用于常规连接的 Wi-Fi 网络)tun0:openvpn 隧道
(下面输出 ifconfig)
两个 WiFi 网络都运行 DHCP 服务器,如下所示:
subnet 192.168.101.0 netmask 255.255.255.0 {
range 192.168.101.10 192.168.101.50;
option broadcast-address 192.168.101.255;
option routers 192.168.101.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
subnet 192.168.102.0 netmask 255.255.255.0 {
range 192.168.102.10 192.168.102.50;
option broadcast-address 192.168.102.255;
option routers 192.168.102.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local2";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
Hostapd 在一个 NIC 上运行两个 ssid(输出如下)
Iptables:和路由:
root@odroidc1-001e06101641:~# cat /etc/iptables.ipv4.nat
#Generated by iptables-save v1.4.21 on Wed May 27 11:41:17 2015
*filter
:INPUT ACCEPT [9:496]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1488]
-A FORWARD -s 192.168.101.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic from clients to eth0" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.101.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic from clients to tun0" -j ACCEPT
COMMIT
# Completed on Wed May 27 11:41:17 2015
# Generated by iptables-save v1.4.21 on Wed May 27 11:41:17 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -m comment --comment "Use VPN IP for eth0" -j MASQUERADE
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP for tun0" -j MASQUERADE
COMMIT
# Completed on Wed May 27 11:41:17 2015
root@odroidc1-001e06101641:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.10.100.9 128.0.0.0 UG 0 0 0 tun0
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
10.10.100.1 10.10.100.9 255.255.255.255 UGH 0 0 0 tun0
10.10.100.9 * 255.255.255.255 UH 0 0 0 tun0
91.109.241.36.s 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.10.100.9 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.101.0 * 255.255.255.0 U 0 0 0 wlan0
192.168.102.0 * 255.255.255.0 U 0 0 0 wlan0_0
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:1e:06:10:16:41
inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::21e:6ff:fe10:1641/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9584376 errors:0 dropped:0 overruns:0 frame:0
TX packets:6015092 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4173640561 (3.8 GiB) TX bytes:2116013071 (1.9 GiB)
Interrupt:40
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:163 errors:0 dropped:0 overruns:0 frame:0
TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:31514 (30.7 KiB) TX bytes:31514 (30.7 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.100.10 P-t-P:10.10.100.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:5141382 errors:0 dropped:0 overruns:0 frame:0
TX packets:4101062 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:205969325 (196.4 MiB) TX bytes:1000934406 (954.5 MiB)
wlan0 Link encap:Ethernet HWaddr 02:3a:35:d0:36:90
inet addr:192.168.101.1 Bcast:192.168.101.255 Mask:255.255.255.0
inet6 addr: fe80::3a:35ff:fed0:3690/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5947384 errors:0 dropped:0 overruns:0 frame:0
TX packets:7650191 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1402507838 (1.3 GiB) TX bytes:3212528188 (2.9 GiB)
wlan0_0 Link encap:Ethernet HWaddr 02:3a:35:d0:36:91
inet addr:192.168.102.1 Bcast:192.168.102.255 Mask:255.255.255.0
inet6 addr: fe80::3a:35ff:fed0:3691/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:588 errors:0 dropped:0 overruns:0 frame:0
TX packets:703 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:71131 (69.4 KiB) TX bytes:214448 (209.4 KiB)
hostapd:
root@odroidc1-001e06101641:~# cat /etc/hostapd/hostapd.conf
# interface
interface=wlan0
# new mac
bssid=02:3a:35:d0:36:90
# driver
driver=nl80211
# CTRL-Interface
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# SSID
ssid=wifi-KK-VPN
# WLAN
country_code=KR
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
preamble=1
# Logging
logger_syslog=-1
logger_syslog_level=3
logger_stdout=-1
logger_stdout_level=2
# passphrase
wpa_passphrase=
# WPA2
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
beacon_int=100
auth_algs=3
# 1=wpa, 2=wep, 3=both macaddr_acl=0
wmm_enabled=1
eap_reauth_period=360000000
#rsn_preauth=1
#rsn_preauth_interfaces=wlan0
wpa_group_rekey=600
wpa_ptk_rekey=600
wpa_gmk_rekey=86400
##### new wifi
bss=wlan0_0
ssid=wifi-KK
# WLAN
##country_code=KR
##hw_mode=g
##channel=1
##beacon_int=100
##dtim_period=2
##max_num_sta=255
##rts_threshold=2347
##fragm_threshold=2346
##preamble=1
# Logging
logger_syslog=-1
logger_syslog_level=3
logger_stdout=-1
logger_stdout_level=2
# passphrase
wpa_passphrase=
# WPA2
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
beacon_int=100
auth_algs=3
# 1=wpa, 2=wep, 3=both macaddr_acl=0
##wmm_enabled=1
##eap_reauth_period=360000000
#rsn_preauth=1
#rsn_preauth_interfaces=wlan0
##wpa_group_rekey=600
##wpa_ptk_rekey=600
##wpa_gmk_rekey=86400