Unable to DNAT packets while preserving the source IP address

I have two Debian machines, one set up as a proxy, which I'll call proxy1, and the other set up as a router, which I'll call router. My goal is to DNAT packets arriving from the WAN on proxy1 through an OpenVPN tunnel to the router. Both the router and proxy1 have Internet access with different WAN IPs; they are separate machines.

I have the following rules on proxy1:

iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip route add 10.0.0.2/32 dev tun0

When running "tcpdump -s 0 -w tcpdump.log -i any" on proxy1 and on the router, I can see the packet arrive from the WAN, and DNAT changes the packet's destination on proxy1, but on the router the packet never arrives.

The strangest part of this problem is that if I change the MASQUERADE rule to:

iptables -t nat -A POSTROUTING -j MASQUERADE

then the DNAT works and the packet is seen on the router. But masquerading changes the packet's source address, so the router doesn't know the original source IP. I don't understand why the packet reaches the router when the source address is rewritten to 10.0.1.2, but not when the source address is preserved?

Proxy information:

Debian GNU/Linux 8 (jessie)

Kernel version: Linux 3.16.0-4-amd64 x86_64

Proxy IP: 202.89.75.110

Running "ip route get 10.0.0.2" on proxy1 returns:

10.0.0.2 dev tun0  src 10.0.1.2
    cache

Output of "ip link; ip -4 address; ip -4 route; ip -4 rule" on proxy1:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3c:95:70:75 brd ff:ff:ff:ff:ff:ff
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
    link/none
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet x.x.x.x/25 brd x.x.x.127 scope global eth0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.0.1.2/29 brd 10.0.1.7 scope global tun0
       valid_lft forever preferred_lft forever
default via x.x.x.1 dev eth0
10.0.0.2 dev tun0  scope link
10.0.1.0/29 dev tun0  proto kernel  scope link  src 10.0.1.2
x.x.x.0/25 dev eth0  proto kernel  scope link  src x.x.x.x
0:      from all lookup local
32765:  from all fwmark 0x65 lookup 101
32766:  from all lookup main
32767:  from all lookup default

Here is some information about the router:

Debian GNU/Linux 10 (buster)

Kernel version: Linux 4.19.0-6-amd64 x86_64

Router IP: 71.115.98.227

Output of "ip link; ip -4 address; ip -4 route; ip -4 rule" on the router:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 70:85:c2:d5:84:96 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 70:85:c2:d5:84:94 brd ff:ff:ff:ff:ff:ff
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
    link/none
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global enp2s0
       valid_lft forever preferred_lft forever
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 71.115.98.227/21 brd 71.115.105.255 scope global dynamic eno1
       valid_lft 38916sec preferred_lft 38916sec
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.0.1.1/29 brd 10.0.1.7 scope global tun1
       valid_lft forever preferred_lft forever
default via 71.115.98.1 dev eno1
10.0.0.0/24 dev enp2s0 proto kernel scope link src 10.0.0.1
10.0.1.0/29 dev tun1 proto kernel scope link src 10.0.1.1
71.115.98.0/21 dev eno1 proto kernel scope link src 71.115.98.227
0:      from all lookup local
32765:  from all fwmark 0x65 lookup 101
32766:  from all lookup main
32767:  from all lookup default

Output of "ip route list table 101" on the router:

default via 10.0.1.2 dev tun1

On the router, I have the following rules to direct these packets to the server:

iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -P FORWARD ACCEPT

The server at 10.0.0.2 is on the router's LAN. Forwarding is enabled on the router. The router is the LAN's gateway.

cat /proc/sys/net/ipv4/ip_forward

returns 1

The new openvpn server config is as follows:

dev tun1
port 1194
proto udp4
ifconfig 10.0.1.1 10.0.1.2
secret static_p1.key

The new openvpn client config on proxy1 is as follows:

remote 71.115.98.227 1194 udp
dev tun0
ifconfig 10.0.1.2 10.0.1.1
script-security 2
route-up /etc/openvpn/proxyroute.sh
secret static_p1.key
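
The following is an added illustration, not code from the question or from any of the tools mentioned in it. It is a small Python model of the nat and routing decisions described above, built from the addresses and route/rule tables quoted in the question (a client address in the 198.51.100.0/24 documentation range and the `x.x.x.1` gateway placeholder are constructed stand-ins). It shows what each MASQUERADE variant does to the source address as the packet leaves proxy1 over tun0, and, on the router side, why a reply to a preserved Internet source only returns through the tunnel when the `fwmark 0x65 lookup 101` rule selects table 101; with the main table alone it would leave via eno1 and never reach proxy1. It models the translation and lookup only; it does not diagnose why the untranslated packet is absent from tcpdump on the router.

```python
import ipaddress

# Constructed example: toy model of proxy1's and the router's nat/routing path,
# using the addresses and tables quoted in the question.
CLIENT = "198.51.100.7"        # hypothetical Internet client (documentation range)
PROXY_WAN = "202.89.75.110"    # proxy1 WAN IP from the question
PROXY_TUN = "10.0.1.2"         # proxy1 tun0 address
SERVER = "10.0.0.2"            # LAN server behind the router

# Route tables as (prefix, dev, via). Taken from the "ip -4 route" output.
PROXY_ROUTES = {
    "main": [
        ("0.0.0.0/0", "eth0", "x.x.x.1"),      # placeholder gateway as in the question
        ("10.0.0.2/32", "tun0", None),
        ("10.0.1.0/29", "tun0", None),
    ],
}
ROUTER_ROUTES = {
    "main": [
        ("0.0.0.0/0", "eno1", "71.115.98.1"),
        ("10.0.0.0/24", "enp2s0", None),
        ("10.0.1.0/29", "tun1", None),
        ("71.115.98.0/21", "eno1", None),
    ],
    "101": [("0.0.0.0/0", "tun1", "10.0.1.2")],  # "ip route list table 101"
}
# "ip -4 rule" on both hosts: (fwmark or None, table), in priority order.
RULES = [(0x65, "101"), (None, "main")]


def route_lookup(tables, rules, dst, fwmark=None):
    """Policy routing: the first rule whose fwmark matches selects a table, then
    longest-prefix match inside it. A table with no match falls through to the
    next rule, as the kernel does. Returns (dev, via) or None."""
    dst_ip = ipaddress.ip_address(dst)
    for mark, table in rules:
        if mark is not None and mark != fwmark:
            continue
        best = None
        for prefix, dev, via in tables.get(table, []):
            net = ipaddress.ip_network(prefix, strict=False)
            if dst_ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, dev, via)
        if best:
            return best[1], best[2]
    return None


def dnat(pkt, dport, new_dst):
    """nat PREROUTING: -p tcp --dport <dport> -j DNAT --to-destination <new_dst>."""
    if pkt["proto"] == "tcp" and pkt["dport"] == dport:
        return dict(pkt, dst=new_dst)
    return pkt


def masquerade(pkt, out_dev, dev_addr, only_on_dev=None):
    """nat POSTROUTING MASQUERADE, optionally restricted with -o <only_on_dev>.
    Rewrites the source to the address of the interface the packet leaves on."""
    if only_on_dev is None or only_on_dev == out_dev:
        return dict(pkt, src=dev_addr[out_dev])
    return pkt


def trace_forward(masq_only_on=None):
    """Client -> proxy1:80, as the packet leaves proxy1 after DNAT.
    Returns (outgoing interface, source address the router will see)."""
    pkt = {"proto": "tcp", "src": CLIENT, "dst": PROXY_WAN, "dport": 80}
    pkt = dnat(pkt, 80, SERVER)
    out_dev, _ = route_lookup(PROXY_ROUTES, RULES, pkt["dst"])
    pkt = masquerade(pkt, out_dev, {"eth0": PROXY_WAN, "tun0": PROXY_TUN}, masq_only_on)
    return out_dev, pkt["src"]


def trace_reply(reply_dst, fwmark=None):
    """Reply from the LAN server leaving the router: which interface carries it?"""
    dev, _ = route_lookup(ROUTER_ROUTES, RULES, reply_dst, fwmark)
    return dev


if __name__ == "__main__":
    print("MASQUERADE -o eth0 :", trace_forward("eth0"))   # source preserved on tun0
    print("MASQUERADE (any)   :", trace_forward(None))     # source becomes 10.0.1.2
    print("reply to 10.0.1.2  :", trace_reply(PROXY_TUN))
    print("reply to client    :", trace_reply(CLIENT))            # main table: eno1
    print("reply, fwmark 0x65 :", trace_reply(CLIENT, 0x65))      # table 101: tun1
```

Run as a script it prints the five cases; the last two show that, once the original source survives, the router must mark the LAN server's replies (as the existing `fwmark 0x65 lookup 101` rule allows) or they take the default route out of eno1 instead of returning through tun1.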
