I have a Debian Jessie box at 192.168.1.5, connected to a router (at 192.168.1.1) and running an OpenVPN client (it is in fact using this setup. The only difference is that, because of the router, the Pi's eth0 IP is static, i.e. the Pi uses the router's DHCP).

When LAN clients are configured to use 192.168.1.5 as their gateway, they use the VPN as expected.

What I need is for the LAN clients within 192.168.1.128/25 to have all of their traffic redirected to 192.168.1.5, even though their gateway becomes 192.168.1.1 when their IP is assigned by the router's DHCP. In other words, clients in 192.168.1.128/25 should behave as if their gateway were 192.168.1.5.

What iptables settings / route add does the router need for this to work (the router runs Tomato 3.4-138)? These are the router settings:

iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
WANPREROUTING  all  --  0.0.0.0/0            wan_ip
upnp       all  --  0.0.0.0/0            wan_ip

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
SNAT       all  --  192.168.1.0/24       192.168.1.0/24       to:192.168.1.1
SNAT       all  --  172.16.1.0/24        172.16.1.0/24        to:172.16.1.1

Chain WANPREROUTING (1 references)
target     prot opt source               destination
DNAT       icmp --  0.0.0.0/0            0.0.0.0/0            to:192.168.1.1
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.1:443
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.5:22
DNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:192.168.1.4

Chain pupnp (0 references)
target     prot opt source               destination

Chain upnp (1 references)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:55355 to:192.168.1.130:55355
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:55355 to:192.168.1.130:55355
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5353 to:192.168.1.48:5353
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 to:192.168.1.48:4500

iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy DROP)
target     prot opt source               destination
           all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
           all  --  anywhere             anywhere            account: network/netmask: 172.16.1.0/255.255.255.0 name: lan1
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
wanin      all  --  anywhere             anywhere
wanout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
upnp       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             SIP-Device

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain shlimit (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: shlimit side: source
DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain upnp (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             client-1                udp dpt:55355
ACCEPT     tcp  --  anywhere             client-1                tcp dpt:55355
ACCEPT     udp  --  anywhere             client-2          udp dpt:mdns
ACCEPT     udp  --  anywhere             client-2          udp dpt:4500

Chain wanin (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             *Pi*               tcp dpt:ssh

Chain wanout (1 references)
target     prot opt source               destination

route

(the router sits behind a WAN modem)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
modem.ip.0.1    *               255.255.255.255 UH    0      0        0 vlan2
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
172.16.1.0      *               255.255.255.0   U     0      0        0 br1
modem.ip.0.0    *               255.255.224.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         modem.ip.0.1    0.0.0.0         UG    0      0        0 vlan2

Answer 1

The quick way to override the DHCP-supplied default route (/0) is to add two /1 routes to the VPN gateway:

route -n add -net 0.0.0.0 192.168.1.5 128.0.0.0

route -n add -net 128.0.0.0 192.168.1.5 128.0.0.0

The DHCP-supplied default route still exists, but either of the /1s will be preferred for IPv4 traffic because of the more specific prefix.

I'm currently using this trick as a proof of concept; I'm still online, and a table lookup shows the /1 routes being used.

[nevin-mac-mini:~] root# route -n add -net 0.0.0.0 192.168.2.1 128.0.0.0
add net 0.0.0.0: gateway 192.168.2.1
[nevin-mac-mini:~] root# route -n add -net 128.0.0.0 192.168.2.1 128.0.0.0
add net 128.0.0.0: gateway 192.168.2.1
[nevin-mac-mini:~] root# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                192.168.2.1        UGSc            3        0     en0
default            192.168.2.1        UGSc            4        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1     6576     lo0
128.0/1            192.168.2.1        UGSc            1        0     en0
...
[nevin-mac-mini:~] root# route -n get 200.200.200.200
   route to: 200.200.200.200
destination: 128.0.0.0
       mask: 128.0.0.0
    gateway: 192.168.2.1
  interface: en0
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0      1500         0
[nevin-mac-mini:~] root#
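The answer above relies on longest-prefix matching: a /1 is more specific than the /0 default route, so it wins, and the two /1s together cover all of IPv4. The following is an added example, not code from the question or the answer, that models that lookup in Python's standard `ipaddress` module. The routing table is constructed for illustration from the page's own addresses (the DHCP default via 192.168.1.1, the VPN gateway 192.168.1.5, and the directly connected 192.168.1.0/24); the function names `lookup` and `covers_all_ipv4` are this example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed table modelled on the answer: the DHCP-supplied default
# route via the router, the on-link LAN prefix (gateway None), and the
# two /1 overrides pointing at the VPN gateway from the question.
ROUTES: List[Tuple[str, Optional[str]]] = [
    ("0.0.0.0/0", "192.168.1.1"),     # default route handed out by DHCP
    ("192.168.1.0/24", None),         # directly connected LAN, no gateway
    ("0.0.0.0/1", "192.168.1.5"),     # 0.0.0.0 - 127.255.255.255 via VPN box
    ("128.0.0.0/1", "192.168.1.5"),   # 128.0.0.0 - 255.255.255.255 via VPN box
]


def lookup(dst: str, routes=ROUTES) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match: return (prefix, gateway) of the most specific
    route containing dst, or None when nothing matches (no default route).
    Order in the table does not matter; only prefix length decides."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None


def covers_all_ipv4(prefixes) -> bool:
    """True when the prefixes together cover every IPv4 address, i.e. they
    collapse to exactly 0.0.0.0/0. This is the property that lets the two
    /1 routes stand in for the default route without leaving gaps."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    # The /1 overrides win for Internet destinations, the /24 still wins
    # for LAN neighbours, and without the overrides the router is chosen.
    for dst in ("200.200.200.200", "8.8.8.8", "192.168.1.7"):
        print(dst, "->", lookup(dst))
    print("without override:", lookup("8.8.8.8", routes=ROUTES[:1]))
    print("two /1s cover all of IPv4:", covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
    print("one /1 covers all of IPv4:", covers_all_ipv4(["0.0.0.0/1"]))
```

Note the caveat the /24 entry makes visible: the /1 trick only redirects traffic that would otherwise have used the default route, so directly connected prefixes (and any other more specific route, such as a host route to the VPN server itself) keep their original next hop.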
