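I have followed many guides on how to connect my Linux desktop (using KDE and NetworkManager) to a router's WAN port in order to share my wifi internet connection. I have 2 wifi cards. I also have one motherboard Ethernet port and one USB Ethernet adapter.
Current setup: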
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
altname enp9s0
inet 10.42.0.1/24 brd 10.42.0.255 scope global noprefixroute eth3
valid_lft forever preferred_lft forever
inet6 fe80::dfa0:b499:5011:7137/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
altname enp10s0u4
inet 192.168.0.205/24 brd 192.168.0.255 scope global dynamic noprefixroute eth4
valid_lft 5559sec preferred_lft 5559sec
inet6 fe80::ca35:b706:3221:389a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: wlan5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
altname wlp7s0
5: wlan3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
altname wlp8s0
inet 192.168.1.130/24 brd 192.168.1.255 scope global noprefixroute wlan3
valid_lft forever preferred_lft forever
inet6 fe80::9b34:b8cc:c0d4:7e24/64 scope link noprefixroute
valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
7: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
So my eth3 gives the router its IP address, and wlan3 and wlan5 provide the internet. I have tried both DHCP and STATIC for the router WAN, as follows:
ip: 10.42.0.2
subnet: 255.255.255.0
default gateway: 10.42.0.1
dns: 10.42.0.1
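Currently the router shows a green internet symbol, and its web interface says the internet is connected. I did this by creating a new connection, restricting it to device eth3 and setting the IPv4 method to "Shared to other computers".
So the router seems happy. But when I connect to the router from my phone, I get the IP address 192.168.0.119 but no internet (this is a Samsung S20; it asked me whether I wanted to connect since there is no internet connection, and I said yes, just this once).
When I use an IP tool on the phone and run a traceroute to google.com, it shows 192.168.0.1, then 10.42.0.1, and then stops.
I have already added the iptables commands and the kernel option for IPv4 packet forwarding. My phone cannot reach the internet through the router.
I don't mind going step by step through how to look at the packets and see what the IP headers are and what they should be. I feel like everyone skips over these details and just tells people solutions that are not easy to troubleshoot.
In case you want to see my iptables: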
root: ~> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.42.0.0/24 anywhere
LIBVIRT_INP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.42.0.0/24 anywhere
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_OUT all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain LIBVIRT_FWI (1 references)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
target prot opt source destination
ACCEPT all -- 192.168.122.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LIBVIRT_INP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:bootpc
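Edit: @Peregrino69 The reason I don't want to go through the "normal" router is speed. I am using a VR virtual machine (GPU passthrough) setup and need my own router connected directly to my PC, so that when I connect my Quest 2 to the router I get proper speeds for Virtual Desktop and Skybox (movies). But when I connect the Quest 2 to my own router, I also want it to have an internet connection. Also, and this is probably less appreciated, I need to understand these things. I don't simply want it to work. I need to know why it does or does not work.
Edit 3: Here is my latest information. Current setup, updated:
eth3 goes from my computer to the WAN port, using the NetworkManager connection "Shared to other computers".
There is nothing NAT-related on the router that I can see. It is a TP-Link. You can see what I have here: https://www.amazon.com/gp/product/B07N1L5HX1
It has UPnP enabled, but nothing is shown on that page.
wlan3 goes from my wifi card to the router LAN 192.168.1.0/24. I had set wlan3 to /23 instead of /24 because I was trying to get it onto the same network as any device connected to the router I connect. That is a separate problem. I have just connected wlan3 with /24. I have temporarily disconnected wlan5 and eth4.
sysctl: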
root: ~> sysctl net.ipv4
...
net.ipv4.conf.default.forwarding = 1
...
net.ipv4.conf.eth3.forwarding = 1
...
Latest iptables:
root: ~> iptables-save
# Generated by iptables-save v1.8.7 on Fri Mar 31 01:37:38 2023
*nat
:PREROUTING ACCEPT [145211:42812440]
:INPUT ACCEPT [8987:591413]
:OUTPUT ACCEPT [13293:5054949]
:POSTROUTING ACCEPT [12459:4884182]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o eth3 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Mar 31 01:37:38 2023
# Generated by iptables-save v1.8.7 on Fri Mar 31 01:37:38 2023
*mangle
:PREROUTING ACCEPT [1157190:19678443094]
:INPUT ACCEPT [948790:19513179556]
:FORWARD ACCEPT [162522:148255068]
:OUTPUT ACCEPT [867963:19370366770]
:POSTROUTING ACCEPT [1015528:19517495487]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Mar 31 01:37:38 2023
# Generated by iptables-save v1.8.7 on Fri Mar 31 01:37:38 2023
*raw
:PREROUTING ACCEPT [1686243:20749169464]
:OUTPUT ACCEPT [1182929:19427208163]
COMMIT
# Completed on Fri Mar 31 01:37:38 2023
# Generated by iptables-save v1.8.7 on Fri Mar 31 01:37:38 2023
*security
:INPUT ACCEPT [1266254:20518815090]
:FORWARD ACCEPT [168441:148709755]
:OUTPUT ACCEPT [1182929:19427208163]
COMMIT
# Completed on Fri Mar 31 01:37:38 2023
# Generated by iptables-save v1.8.7 on Fri Mar 31 01:37:38 2023
*filter
:INPUT ACCEPT [944745:19512471228]
:FORWARD DROP [15759:1324771]
:OUTPUT ACCEPT [867947:19370361522]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -s 10.42.0.0/24 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Fri Mar 31 01:37:38 2023
tcpdumps taken while running a traceroute from the phone to 13.112.187.226 (which is w3schools.org). I just want to reach a simple web page:
eth3:
root: ~> tcpdump -i eth3 -n udp -w ./eth3.txt
tcpdump: listening on eth3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C35 packets captured
37 packets received by filter
0 packets dropped by kernel
root: ~> tcpdump -r ./eth3.txt
reading from file ./eth3.txt, link-type EN10MB (Ethernet), snapshot length 262144
02:06:40.146709 IP 10.42.0.2.60589 > 10.42.0.1.domain: 2+ A? a.root-servers.net. (36)
02:06:40.146910 IP 10.42.0.1.domain > 10.42.0.2.60589: 2 1/0/0 A 198.41.0.4 (52)
02:06:40.859784 IP 10.42.0.2.canditv > 10.42.0.1.domain: 29431+ A? probes.probelytics.com. (40)
02:06:40.860235 IP 10.42.0.2.38287 > 10.42.0.1.domain: 14888+ A? probes.probelytics.com. (40)
02:06:42.219228 IP 10.42.0.2.40567 > 10.42.0.1.domain: 31+ A? time-b.nist.gov. (33)
02:06:42.219764 IP 10.42.0.2.48973 > 10.42.0.1.domain: 5494+ A? time-b.nist.gov. (33)
02:06:42.219764 IP 10.42.0.2.43738 > 10.42.0.1.domain: 31+ A? time-b.nist.gov. (33)
02:06:43.172699 IP 10.42.0.2.39751 > 10.42.0.1.domain: 58256+ A? live.com. (26)
02:06:43.172878 IP 10.42.0.1.domain > 10.42.0.2.39751: 58256 1/0/0 A 204.79.197.212 (42)
02:06:45.865474 IP 10.42.0.2.canditv > 10.42.0.1.domain: 29431+ A? probes.probelytics.com. (40)
02:06:45.897767 IP 10.42.0.1.domain > 10.42.0.2.canditv: 29431 2/2/12 A 172.67.147.19, A 104.21.10.243 (391)
02:06:45.897784 IP 10.42.0.1.domain > 10.42.0.2.38287: 14888 2/2/12 A 172.67.147.19, A 104.21.10.243 (391)
02:06:47.219375 IP 10.42.0.2.43248 > used-to-be-ntp.okstate.edu.ntp: NTPv3, Client, length 48
02:06:47.219716 IP 10.42.0.2.52038 > used-to-be-ntp.okstate.edu.ntp: NTPv3, Client, length 48
02:06:47.452265 IP 10.42.0.2.27341 > 10.42.0.1.domain: 25678+ A? mtalk.google.com. (34)
02:06:47.452819 IP 10.42.0.2.53748 > 10.42.0.1.domain: 16638+ A? mtalk.google.com. (34)
02:06:47.719848 IP 10.42.0.2.45868 > time-nw.nist.gov.ntp: NTPv3, Client, length 48
02:06:47.720384 IP 10.42.0.2.58488 > time-nw.nist.gov.ntp: NTPv3, Client, length 48
02:06:48.220686 IP 10.42.0.2.49532 > ntp.alaska.edu.ntp: NTPv3, Client, length 48
02:06:48.221193 IP 10.42.0.2.54813 > ntp.alaska.edu.ntp: NTPv3, Client, length 48
02:06:48.721475 IP 10.42.0.2.47223 > 140.142.16.34.ntp: NTPv3, Client, length 48
02:06:48.721475 IP 10.42.0.2.34965 > 140.142.16.34.ntp: NTPv3, Client, length 48
02:06:49.221840 IP 10.42.0.2.56956 > india.colorado.edu.ntp: NTPv3, Client, length 48
02:06:49.221989 IP 10.42.0.2.34474 > india.colorado.edu.ntp: NTPv3, Client, length 48
02:06:49.722792 IP 10.42.0.2.55790 > 137.146.210.250.ntp: NTPv3, Client, length 48
02:06:49.722792 IP 10.42.0.2.46281 > 137.146.210.250.ntp: NTPv3, Client, length 48
02:06:50.223511 IP 10.42.0.2.37790 > sth1.ntp.se.ntp: NTPv3, Client, length 48
02:06:50.223693 IP 10.42.0.2.56904 > sth1.ntp.se.ntp: NTPv3, Client, length 48
02:06:50.724017 IP 10.42.0.2.53096 > tick.uh.edu.ntp: NTPv3, Client, length 48
02:06:50.724017 IP 10.42.0.2.40899 > tick.uh.edu.ntp: NTPv3, Client, length 48
02:06:51.224758 IP 10.42.0.2.57519 > this.has.not.been.ntp.server.time.nist.gov.since.2012.ntp: NTPv3, Client, length 48
02:06:51.224946 IP 10.42.0.2.39152 > this.has.not.been.ntp.server.time.nist.gov.since.2012.ntp: NTPv3, Client, length 48
02:06:51.617033 IP 10.42.0.1.59824 > 239.255.255.250.ssdp: UDP, length 173
02:06:51.725581 IP 10.42.0.2.44994 > a4.cs.umb.edu.ntp: NTPv3, Client, length 48
02:06:51.725582 IP 10.42.0.2.50268 > a4.cs.umb.edu.ntp: NTPv3, Client, length 48
WLAN3:
root: ~> tcpdump -i wlan3 -n udp -w ./wlan3.txt
tcpdump: listening on wlan3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C4 packets captured
5 packets received by filter
0 packets dropped by kernel
root: ~> tcpdump -r ./wlan3.txt
reading from file ./wlan3.txt, link-type EN10MB (Ethernet), snapshot length 262144
02:05:32.164673 IP DESKTOP-89BBSOL.db-lsp-disc > 255.255.255.255.db-lsp-disc: UDP, length 180
02:05:34.213746 IP 192.168.1.130.54474 > DeviceDHCP.Home.domain: 48304+ A? firebaseinstallations.googleapis.com. (54)
02:05:34.226650 IP DeviceDHCP.Home.domain > 192.168.1.130.54474: 48304 9/4/8 A 172.253.124.95, A 142.250.105.95, A 142.250.9.95, A 142.250.189.106, A 74.125.138.95, A 64.233.185.95, A 64.233.177.95, A 142.250.176.74, A 142.251.45.234 (456)
02:05:35.747694 IP ESP_DCE2AA.49154 > 255.255.255.255.6667: UDP, length 188
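Answer 1
I think it is working now... I mean I can reach the internet. I would like to know why it works. I will dig into it a bit myself and try to update the answer.
But this is what worked for me:
eth3 is the motherboard Ethernet linked to the router's WAN port, with the method "Shared to other computers"
wlan3 is the wifi card on the 192.168.1.0/24 router, which provides internet to the computer
The phone connects to the router inside the 192.168.0.1 network
The router has the static IP listed in the question.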
iptables -A FORWARD -i eth3 -o wlan3 -j ACCEPT
iptables -A FORWARD -i wlan3 -o eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan3 -j MASQUERADE
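As far as I can tell, all of my iptables rules have to do with this connection, but the one that was really needed is the second iptables command. I mean, some of the tutorials I looked at did not have it.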
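An added example, not part of the original question or answer: a small Python evaluator that traces the phone's request and its reply through the question's rules and then through the same rules plus the answer's three commands. The rule set is abridged (the libvirt and Docker chains are left out because their rules match only virbr0 and docker0), the packets are constructed, the helper names `matches`, `verdict` and `trace` are hypothetical, and only `-s`/`-d`/`-i`/`-o` and connection-state matches are modelled.

```python
import ipaddress
import re

# Abridged from the question's iptables-save output (filter FORWARD + nat POSTROUTING).
BEFORE = """\
-A FORWARD -s 10.42.0.0/24 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o eth3 -j MASQUERADE
"""
# The three rules from the answer, appended to the same chains.
AFTER = BEFORE + """\
-A FORWARD -i eth3 -o wlan3 -j ACCEPT
-A FORWARD -i wlan3 -o eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A POSTROUTING -o wlan3 -j MASQUERADE
"""
# Constructed packets: a request from the TP-Link's WAN address and its reply.
OUT = {"s": "10.42.0.2", "d": "13.112.187.226", "i": "eth3", "o": "wlan3", "ct": "NEW"}
REPLY = {"s": "13.112.187.226", "d": "10.42.0.2", "i": "wlan3", "o": "eth3", "ct": "ESTABLISHED"}

def matches(rule, pkt):
    for neg, key, val in rule:
        if key in ("s", "d"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(val)
        elif key in ("i", "o"):
            hit = pkt[key] == val
        elif key in ("state", "ctstate"):
            hit = pkt["ct"] in val.split(",")
        else:
            continue  # -m and -j carry no match condition
        if hit == bool(neg):  # a leading "!" inverts the condition
            return False
    return True

def verdict(chains, pkt, chain, policy):
    # First matching rule decides; otherwise the chain policy applies.
    for rule in chains[chain]:
        if matches(rule, pkt):
            return rule[-1][2]  # target of the trailing -j
    return policy

def trace(text):
    """Return (request FORWARD, request POSTROUTING, reply FORWARD) verdicts."""
    chains = {}
    for line in text.splitlines():
        opts = re.findall(r"(! )?--?([\w-]+) (\S+)", line)
        chains.setdefault(opts[0][2], []).append(opts[1:])
    return (verdict(chains, OUT, "FORWARD", "DROP"),
            verdict(chains, OUT, "POSTROUTING", "ACCEPT"),
            verdict(chains, REPLY, "FORWARD", "DROP"))
```

With the question's rules the request is forwarded but leaves wlan3 without source NAT (the only interface MASQUERADE rule is on eth3), and the reply falls through to the FORWARD DROP policy. With the answer's rules the request is masqueraded on wlan3 and the reply is accepted by the ESTABLISHED,RELATED rule.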