I have a somewhat unusual network setup that I'm trying to get going, but I can't seem to get the routing or filtering right to make it work.
I have a subnet of client machines connected to a host that has an internet connection. This host establishes an OpenVPN connection to a server. What I want is for all traffic from the client subnet to be routed through the OpenVPN server. (For simplicity I'll talk about a single client; I'm confident that if I can get one client working I can get them all working.)
----------------     -------------------------     --------------------
| client  eth0 |-----| eth1    host     tun0 |-----| tun0    server   |
| 192.168.0.2  |     | 192.168.0.1  10.0.0.2 |     | 10.0.0.1         |
----------------     | ppp0 - internet       |     | eth0 - internet  |
                     -------------------------     --------------------
So far I have set up routes that allow the client to talk to the server via the host, so 192.168.0.2 can ping 10.0.0.1 and vice versa. I have set a default route on the client that sends all traffic to 192.168.0.1, but a traceroute from the client to any internet IP shows it only reaching 192.168.0.1 and stopping there. The intermediate host can reach the internet and the server without any problem.
Client routing table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth0
10.0.0.0        192.168.0.1     255.255.255.0   UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
Intermediate host routing table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth1
10.42.42.1      *               255.255.255.255 UH    0      0        0 tun0
10.42.42.0      10.42.42.1      255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         *               0.0.0.0         U     0      0        0 ppp0
Server routing table (anonymised):
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xxx.xxx.xxx.1   0.0.0.0         UG    202    0        0 eth0
default         servername      0.0.0.0         UG    204    0        0 tun0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.0.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.0.0     10.0.0.2        255.255.255.0   UG    0      0        0 tun0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0
xxx.xxx.xxx.1   0.0.0.0         255.255.255.255 UH    100    0        0 eth0
Intermediate host iptables:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2719K  250M ACCEPT     all  --  eth1   any     anywhere             anywhere
32859 2697K ACCEPT     all  --  lo     any     anywhere             anywhere
 405K   37M ACCEPT     all  --  eth1   any     anywhere             anywhere
 1398  134K ACCEPT     all  --  tun0   any     anywhere             anywhere
 6420  900K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request ctstate NEW
    2   360 UDP        udp  --  any    any     anywhere             anywhere             ctstate NEW
    0     0 TCP        tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
    2   360 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 36 packets, 2256 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 ACCEPT     all  --  eth1   tun0    anywhere             anywhere
    2   168 ACCEPT     all  --  tun0   eth1    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1007K packets, 158M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1021  113K ACCEPT     all  --  any    eth1    anywhere             anywhere             state RELATED,ESTABLISHED

Chain TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination
Server iptables:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 240K   19M ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
1831K  432M ACCEPT     all  --  tun0   any     anywhere             anywhere
4043K 1404M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 3928  212K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp
   90  4516 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:urd
  315 16852 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
  116  5848 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:pop3s
 3461  396K ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:openvpn
 4347  208K ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
1475K  462M DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
36055 3583K ACCEPT     all  --  tun0   eth0    anywhere             anywhere
16333 3770K ACCEPT     all  --  eth0   tun0    anywhere             anywhere             state RELATED,ESTABLISHED
    4   304 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
5678K 1392M ACCEPT     all  --  any    any     anywhere             anywhere
Now the "gotchas":
- The intermediate host is an odd IoT device running Ubuntu. I have full root access to it, can add and remove routes and can use iptables, but I can't do things like install kernel modules or new applications because the main filesystem is read-only (I can, however, run scripts at boot from a writable home directory).
- The intermediate host's "ppp0" is a cellular data connection, the device doesn't play well with other connection methods, and I don't want to pay my provider a monthly fee (cellular rates here are the highest in the world!) to set up another cellular connection to the site for the other devices, so changing the network topology here isn't realistic.
Overall, I suspect my real problem is iptables, but I'm not sure where or what.
Any help would be greatly appreciated!
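As an added illustration that is not part of the original post, the following Python models the decision the intermediate host makes for a packet that arrives from the client on eth1, using the host routing table and FORWARD chain pasted above exactly as given (including the 10.42.42.x tun0 routes): a longest-prefix route lookup picks the outgoing interface, then the FORWARD rules are matched on the in/out interface pair and the chain policy applies when none match. The address 203.0.113.10 is a constructed placeholder for an arbitrary internet IP; the parsing helpers are mine, not a system tool.

```python
import ipaddress

# Host routing table as pasted in the question (netstat/route style, 8 fields).
HOST_ROUTES = """\
255.255.255.255 * 255.255.255.255 UH 0 0 0 eth1
10.42.42.1 * 255.255.255.255 UH 0 0 0 tun0
10.42.42.0 10.42.42.1 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default * 0.0.0.0 U 0 0 0 ppp0
"""

# Host FORWARD chain: (in, out, target) pairs from the question, policy DROP.
HOST_FORWARD = [("eth1", "tun0", "ACCEPT"), ("tun0", "eth1", "ACCEPT")]
HOST_FORWARD_POLICY = "DROP"

def parse_routes(text):
    """Turn route-table lines into (network, gateway_or_None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return gw, iface

def forward_verdict(rules, policy, in_iface, out_iface):
    """First rule whose in/out interfaces match wins; else the chain policy."""
    for rule_in, rule_out, target in rules:
        if rule_in in (in_iface, "any") and rule_out in (out_iface, "any"):
            return target
    return policy

def trace_from_client(dst):
    """Egress interface and FORWARD verdict for a packet arriving on eth1."""
    _gw, out_iface = lookup(parse_routes(HOST_ROUTES), dst)
    verdict = forward_verdict(HOST_FORWARD, HOST_FORWARD_POLICY, "eth1", out_iface)
    return out_iface, verdict

if __name__ == "__main__":  # 203.0.113.10 is a constructed placeholder address
    for dst in ("10.42.42.1", "203.0.113.10"):
        print(dst, "->", trace_from_client(dst))  # tun0/ACCEPT, ppp0/DROP
```

Internet-bound packets from the client are routed to ppp0 and hit the FORWARD policy DROP (the chain shows 36 dropped packets), while only destinations inside the tun0 routes pass the eth1-to-tun0 rule.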