我有两台 Debian 机器,一台设置为代理,我将其称为 proxy1,另一台设置为路由器,我将其称为 router。我的目标是 DNAT 数据包从 proxy1 上的 WAN 通过 OpenVPN 隧道到达路由器。路由器和代理1都可以访问互联网并具有不同的WAN IP,它们是单独的机器。
我对 proxy1 有以下规则:
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip route add 10.0.0.2/32 dev tun0
当在 proxy1 和路由器上运行“tcpdump -s 0 -w tcpdump.log -i any”时,我可以看到数据包来自 WAN,DNAT 更改了 proxy1 上数据包的目的地,但在路由器上,数据包没有到达。
这个问题最奇怪的是,如果我将 MASQUERADE 规则更改为:
iptables -t nat -A POSTROUTING j MASQUERADE
然后 DNAT 起作用,并且数据包在路由器上被看到。但伪装会改变数据包的源地址,因此路由器不知道最终的源IP。我不明白为什么当源地址修改为 10.0.1.2 时数据包会到达路由器,但当保留源地址时数据包不会到达路由器?
代理信息:
Debian GNU/Linux 8 (杰西)
内核版本:Linux 3.16.0-4-amd64 x86_64
代理IP:202.89.75.110
在 proxy1 上运行“ip route get 10.0.0.2”返回:
10.0.0.2 dev tun0 src 10.0.1.2
cache
在 proxy1 上运行“ip link; ip -4 地址; ip -4 路由; ip -4 规则”的输出:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 00:16:3c:95:70:75 brd ff:ff:ff:ff:ff:ff
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
link/none
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet x.x.x.x/25 brd x.x.x.127 scope global eth0
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
inet 10.0.1.2/29 brd 10.0.1.7 scope global tun0
valid_lft forever preferred_lft forever
default via x.x.x.1 dev eth0
10.0.0.2 dev tun0 scope link
10.0.1.0/29 dev tun0 proto kernel scope link src 10.0.1.2
x.x.x.0/25 dev eth0 proto kernel scope link src x.x.x.x
0: from all lookup local
32765: from all fwmark 0x65 lookup 101
32766: from all lookup main
32767: from all lookup default
以下是有关路由器的一些信息:
Debian GNU/Linux 10(破坏者)
内核版本:Linux 4.19.0-6-amd64 x86_64
路由器IP:71.115.98.227
在路由器上运行“ip link; ip -4 address; ip -4 Route; ip -4rule”的输出:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 70:85:c2:d5:84:96 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 70:85:c2:d5:84:94 brd ff:ff:ff:ff:ff:ff
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
link/none
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 10.0.0.1/24 brd 10.0.0.255 scope global enp2s0
valid_lft forever preferred_lft forever
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 71.115.98.227/21 brd 71.115.105.255 scope global dynamic eno1
valid_lft 38916sec preferred_lft 38916sec
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
inet 10.0.1.1/29 brd 10.0.1.7 scope global tun1
valid_lft forever preferred_lft forever
default via 71.115.98.1 dev eno1
10.0.0.0/24 dev enp2s0 proto kernel scope link src 10.0.0.1
10.0.1.0/29 dev tun1 proto kernel scope link src 10.0.1.1
71.115.98.0/21 dev eno1 proto kernel scope link src 71.115.98.227
0: from all lookup local
32765: from all fwmark 0x65 lookup 101
32766: from all lookup main
32767: from all lookup default
路由器上“ip route list table 101”的输出:
default via 10.0.1.2 dev tun1
在路由器上,我有以下规则将这些数据包定向到服务器:
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -P FORWARD ACCEPT
10.0.0.2 处的服务器位于路由器的 LAN 上。路由器上启用转发。路由器是 LAN 的网关。
cat /proc/sys/net/ipv4/ip_forward
返回 1
新的openvpn服务器配置如下:
dev tun1
port 1194
proto udp4
ifconfig 10.0.1.1 10.0.1.2
secret static_p1.key
proxy1 上新的 openvpn 客户端配置如下:
remote 71.115.98.227 1194 udp
dev tun0
ifconfig 10.0.1.2 10.0.1.1
script-security 2
route-up /etc/openvpn/proxyroute.sh
secret static_p1.key