IPtables port forwarding to the host IP

I installed WireGuard in an LXC container. The client connects fine (I can see the port and the session info), but when I try to reach localhost [127.0.0.1] or its IP [192.168.1.180] with curl, the connection fails:

# 10.7.0.2:6060 ⟷ 192.168.1.180:6060
  # Host IP:  192.168.1.180
  # IP:       10.7.0.2

# Resolves okay:
  curl -I 10.7.0.2:6060

# Response unreachable:
  curl -I 127.0.1:6060
  curl -I 192.168.1.180:6060

Although the routing should allow the following, I get a reply from 10.7.0.2:6060 (192.168.1.180) but none from 127.0.0.1:6060 [unreachable]:

  • 192.168.1.170 → ( 192.168.1.180:6060 [LXC] → 10.7.0.2:6060 [network])

    • 192.168.1.170: network PC (gateway: 192.168.1.1)
    • 192.168.1.180: LXC container VM
    • 10.7.0.2: WireGuard client PC

    ip route list

    default via 192.168.1.1 dev eth0 proto static
    10.7.0.0/24 dev wg0 proto kernel scope link src 10.7.0.1
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.180
    


  • IPv4 forwarding is active:
    #sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1
    

  • WireGuard config: /etc/wireguard/wg0.conf
    • Server: [ wiretest]
      # ENDPOINT asd.demo.net
      [Interface]
      Address = 10.7.0.1/24
      PrivateKey = CI0heA/1InAo........
      ListenPort = 51820
      
      # BEGIN_PEER nodotest
      [Peer]
      PublicKey = y1t+k9cR06F7/y6ANJtEx.......
      PresharedKey = +Tya8VsxbB3i9hkIRf......
      AllowedIPs = 10.7.0.2/32
      # END_PEER nodotest
      
    • Client: [ wiredocker]
      [Interface]
      Address = 10.0.0.2/24
      DNS = 8.8.8.8
      PrivateKey = +GLTuJnydedy2QMvTj5SGdr......
      
      [Peer]
      PublicKey = qlNPgT7Fwbjmexq09EVF........
      PresharedKey = +Tya8VsxbB3i9hkIR......
      AllowedIPs = 0.0.0.0/0, ::/0
      Endpoint = asd.demo.net:51820
      PersistentKeepalive = 25
      

  • iptables:
    iptables              -A FORWARD      -i eth0                       -j ACCEPT
    iptables      -t nat  -A PREROUTING   -p tcp    --dport 6060:6060   -j DNAT --to-destination 10.7.0.2
    iptables  -w  -t nat  -A POSTROUTING  -o eth0                       -j MASQUERADE
    
    • iptables -L: (server)
      Chain INPUT (policy ACCEPT)
      target  prot  opt   source        destination
      ACCEPT  udp   --    anywhere      anywhere        udp dpt:51823
      
      Chain FORWARD (policy ACCEPT)
      target  prot  opt   source        destination
      ACCEPT  all   --    anywhere      anywhere        state RELATED,ESTABLISHED
      ACCEPT  all   --    10.7.0.0/24   anywhere
      
      Chain OUTPUT (policy ACCEPT)
      target  prot  opt   source        destination
      
    • iptables-save
      # Generated by iptables-save v1.8.7 on Sat Jul 17 12:19:27 2021
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      
      -A INPUT -p udp -m udp --dport 51823 -j ACCEPT
      -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -s 10.7.0.0/24 -j ACCEPT
      
      COMMIT
      # Completed on Sat Jul 17 12:19:27 2021
      
      # Generated by iptables-save v1.8.7 on Sat Jul 17 12:19:27 2021
      *nat
      :PREROUTING ACCEPT [0:0]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      
      -A  PREROUTING  -i  eth0 -p tcp     -m tcp          --dport 6060  -j DNAT --to-destination 10.7.0.2:6060
      -A  PREROUTING  -i  eth0 -p tcp     -m tcp          --dport 1010  -j DNAT --to-destination 10.7.0.2:6060
      -A  PREROUTING  -i  eth0 -p tcp     -m tcp          --dport 1010  -j DNAT --to-destination 10.7.0.2:6060
      -A  POSTROUTING -s  10.7.0.0/24   ! -d 10.7.0.0/24                -j SNAT --to-source      192.168.1.183
      
      COMMIT
      # Completed on Sat Jul 17 12:19:27 2021
      

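As an added example (not part of the question above), here is a small Python linter that parses an `iptables-save` dump and reports the kind of inconsistencies a reviewer would look for in a DNAT/SNAT setup like the one posted: duplicated rules, DNAT rules that exist only in the `PREROUTING` chain (locally generated connections, such as a `curl` run on the host itself, traverse the nat `OUTPUT` chain instead, so they are never rewritten by `PREROUTING`), and an SNAT `--to-source` that is not an address of the host. `SAMPLE_NAT` is a constructed copy of the nat table from the question, and `HOST_ADDRS` is taken from the question's `ip route` output; both are assumptions for the demonstration, not output of any real tool.

```python
# Constructed copy of the nat table shown in the question's iptables-save output.
SAMPLE_NAT = """*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6060 -j DNAT --to-destination 10.7.0.2:6060
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1010 -j DNAT --to-destination 10.7.0.2:6060
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1010 -j DNAT --to-destination 10.7.0.2:6060
-A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to-source 192.168.1.183
COMMIT
"""

# Addresses the host owns, taken from the question's `ip route list` output (assumed).
HOST_ADDRS = {"192.168.1.180", "10.7.0.1"}


class Rule:
    """One `-A CHAIN ...` line of an iptables-save dump, with its table name."""

    def __init__(self, table, chain, args):
        self.table, self.chain, self.args = table, chain, args

    def opt(self, flag):
        """Value following a flag such as --dport or -j, or None if the flag is absent."""
        try:
            return self.args[self.args.index(flag) + 1]
        except (ValueError, IndexError):
            return None

    def __str__(self):
        return f"-A {self.chain} " + " ".join(self.args)


def parse_iptables_save(text):
    """Return the list of Rule objects in an iptables-save dump (all tables)."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        # Comments, chain policy lines and COMMIT carry no rule.
        if not line or line.startswith(("#", ":")) or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = line.split()
            rules.append(Rule(table, toks[1], toks[2:]))
    return rules


def lint_nat(rules, host_addrs):
    """Report duplicate rules, PREROUTING-only DNAT, and SNAT to a non-local address."""
    findings, seen, reported_ports = [], set(), set()
    nat = [r for r in rules if r.table == "nat"]
    for r in nat:
        key = (r.chain, tuple(r.args))
        if key in seen:
            findings.append(f"duplicate rule: {r}")
            continue
        seen.add(key)
        target = r.opt("-j")
        if r.chain == "PREROUTING" and target == "DNAT":
            port = r.opt("--dport")
            # Locally generated packets never pass PREROUTING; they hit nat OUTPUT.
            twin = any(o.chain == "OUTPUT" and o.opt("-j") == "DNAT"
                       and o.opt("--dport") == port for o in nat)
            if not twin and port not in reported_ports:
                reported_ports.add(port)
                findings.append(
                    f"DNAT for dport {port} exists only in PREROUTING; connections "
                    f"generated on the host itself traverse nat OUTPUT and are not redirected")
        if target == "SNAT":
            src = r.opt("--to-source")
            if src not in host_addrs:
                findings.append(
                    f"SNAT --to-source {src} is not an address configured on this host "
                    f"({', '.join(sorted(host_addrs))})")
    return findings


if __name__ == "__main__":
    for finding in lint_nat(parse_iptables_save(SAMPLE_NAT), HOST_ADDRS):
        print("-", finding)
```

The linter only checks what is visible in the dump; whether a rewritten connection actually completes also depends on routing and on the reply path, which it does not model.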
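A second added example (again not part of the question) cross-checks a WireGuard server config against its client config and the host firewall the way one would when a tunnel handshakes but traffic does not flow: the client's tunnel address must fall inside the `AllowedIPs` the server grants that peer (WireGuard's cryptokey routing drops packets whose inner source is outside the peer's `AllowedIPs`), the client's `Endpoint` port must equal the server's `ListenPort`, and that port must be among the UDP ports the firewall accepts. The two configs are constructed to mirror the question's listings with placeholder keys, and `FIREWALL_UDP_PORTS` mirrors the `udp dpt:51823` rule in the question's `iptables -L` output; all three are assumptions made for the demonstration.

```python
import ipaddress

# Constructed configs modelled on the question's wg0.conf listings; keys are placeholders.
SERVER_CONF = """
# ENDPOINT asd.demo.net
[Interface]
Address = 10.7.0.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
AllowedIPs = 10.7.0.2/32
"""

CLIENT_CONF = """
[Interface]
Address = 10.0.0.2/24
DNS = 8.8.8.8
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = asd.demo.net:51820
PersistentKeepalive = 25
"""

# UDP ports the host firewall accepts inbound, mirroring the question's INPUT chain (assumed).
FIREWALL_UDP_PORTS = {51823}


def parse_wg(text):
    """Parse a wg-quick style config into (interface_settings, [peer_settings, ...])."""
    iface, peers, current = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line == "[Interface]":
            current = iface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return iface, peers


def allowed_networks(peer):
    """AllowedIPs of one peer as ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def check_tunnel(server_text, client_text, firewall_udp_ports):
    """Return a list of findings explaining why traffic may not flow through the tunnel."""
    findings = []
    server_if, server_peers = parse_wg(server_text)
    client_if, client_peers = parse_wg(client_text)

    # 1. The client's tunnel address must be covered by some server peer's AllowedIPs.
    client_ip = ipaddress.ip_interface(client_if["Address"]).ip
    if not any(client_ip in net for p in server_peers for net in allowed_networks(p)):
        findings.append(f"client tunnel address {client_ip} is not inside any server "
                        f"peer's AllowedIPs; the server will drop its packets")

    # 2. The client must dial the port the server listens on.
    listen_port = int(server_if["ListenPort"])
    for p in client_peers:
        endpoint_port = int(p["Endpoint"].rsplit(":", 1)[1])
        if endpoint_port != listen_port:
            findings.append(f"client Endpoint port {endpoint_port} != server ListenPort {listen_port}")

    # 3. The firewall on the server must accept that UDP port inbound.
    if listen_port not in firewall_udp_ports:
        findings.append(f"server ListenPort {listen_port}/udp is not accepted by the firewall "
                        f"(accepted: {sorted(firewall_udp_ports)})")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(SERVER_CONF, CLIENT_CONF, FIREWALL_UDP_PORTS):
        print("-", finding)
```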