Update: It started working, but why?


I have a very simple WireGuard configuration. Clients are assigned 10.7.0.0/24 addresses, traffic is forwarded out of the main interface, and finally the packets are SNATed from the main interface on "192.168.1.0/24". Everything seems to work except the last step; I can't even get a LOG rule to fire in the POSTROUTING table.

The TRACE output for 10.7.0.2 pinging 192.168.1.185 is as follows:

kernel: [  524.154478] TRACE: raw:PREROUTING:policy:2 IN=wg0 OUT= MAC= SRC=10.7.0.2 DST=192.168.1.185 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7783 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=542
kernel: [  524.154502] TRACE: filter:FORWARD:rule:1 IN=wg0 OUT=ens192 MAC= SRC=10.7.0.2 DST=192.168.1.185 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7783 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=542
kernel: [  524.154507] IN=wg0 OUT=ens192 MAC= SRC=10.7.0.2 DST=192.168.1.185 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7783 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=542
kernel: [  524.154512] TRACE: filter:FORWARD:rule:3 IN=wg0 OUT=ens192 MAC= SRC=10.7.0.2 DST=192.168.1.185 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7783 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=542

I can see that the LOG rule in filter:FORWARD:rule:1 fires correctly, and that the packet reaches filter:FORWARD:rule:3. That makes sense.

Chain FORWARD (policy ACCEPT 92 packets, 4848 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 LOG        icmp --  *      *       0.0.0.0/0            192.168.1.185        LOG flags 0 level 4
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  430 28493 ACCEPT     all  --  *      *       10.7.0.0/24          0.0.0.0/0

What I don't understand is why no POSTROUTING rule fires after this. Not even the LOG rule. Why is that?

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        icmp --  *      *       0.0.0.0/0            192.168.1.185        LOG flags 0 level 4
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:192.168.1.124

Update: iptables

Here are the complete iptables rules:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [26:2369]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to-source 192.168.1.124
COMMIT
# Completed on Thu May 18 00:16:56 2023
# Generated by iptables-save v1.6.1 on Thu May 18 00:16:56 2023
*filter
:INPUT ACCEPT [3598:452715]
:FORWARD ACCEPT [12:720]
:OUTPUT ACCEPT [2685:370730]
[240:33000] -A INPUT -p udp -m udp --dport 52160 -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[228:15470] -A FORWARD -s 10.7.0.0/24 -j ACCEPT
COMMIT

nftables

sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

Update: It started working, but why?

I looked at the other iptables rules, and then everything started working. The iptables-save output is below. At the moment I have two theories:

  1. The nat table is only consulted for "new" connections, and I'm not sure how a connection is judged to be new or not.
  2. Listing the "mangle" rules created the table and changed the system's behaviour?

# Generated by iptables-save v1.6.1 on Thu May 18 00:48:19 2023
*raw
:PREROUTING ACCEPT [6532:813762]
:OUTPUT ACCEPT [4430:674431]
COMMIT
# Completed on Thu May 18 00:48:19 2023
# Generated by iptables-save v1.6.1 on Thu May 18 00:48:19 2023
*mangle
:PREROUTING ACCEPT [12837:1592394]
:INPUT ACCEPT [11726:1478490]
:FORWARD ACCEPT [1111:113904]
:OUTPUT ACCEPT [8651:1277974]
:POSTROUTING ACCEPT [9762:1391878]
COMMIT
# Completed on Thu May 18 00:48:19 2023
# Generated by iptables-save v1.6.1 on Thu May 18 00:48:19 2023
*nat
:PREROUTING ACCEPT [1678:159704]
:INPUT ACCEPT [1932:186621]
:OUTPUT ACCEPT [4667:280576]
:POSTROUTING ACCEPT [4674:280996]
[110:7552] -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to-source 192.168.1.124
COMMIT
# Completed on Thu May 18 00:48:19 2023
# Generated by iptables-save v1.6.1 on Thu May 18 00:48:19 2023
*filter
:INPUT ACCEPT [19546:2623783]
:FORWARD ACCEPT [502:28104]
:OUTPUT ACCEPT [15543:2246022]
[1835:264832] -A INPUT -p udp -m udp --dport 52160 -j ACCEPT
[1136:122259] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[533:36117] -A FORWARD -s 10.7.0.0/24 -j ACCEPT
COMMIT
# Completed on Thu May 18 00:48:19 2023

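The two theories above can be separated by reading the TRACE output itself. The following is an added example, not part of the question: it parses TRACE lines like the ones posted, compares the chains that appear against the hook order a forwarded packet follows through the iptables-legacy tables, and flags which chains are absent. The hook order and the verdict strings are this example's own assumptions; the sample lines are a shortened copy of the question's trace.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the question's TRACE lines, shortened to the fields the parser uses.
SAMPLE_TRACE = """\
kernel: [  524.154478] TRACE: raw:PREROUTING:policy:2 IN=wg0 OUT= SRC=10.7.0.2 DST=192.168.1.185 PROTO=ICMP ID=1 SEQ=542
kernel: [  524.154502] TRACE: filter:FORWARD:rule:1 IN=wg0 OUT=ens192 SRC=10.7.0.2 DST=192.168.1.185 PROTO=ICMP ID=1 SEQ=542
kernel: [  524.154507] IN=wg0 OUT=ens192 SRC=10.7.0.2 DST=192.168.1.185 PROTO=ICMP ID=1 SEQ=542
kernel: [  524.154512] TRACE: filter:FORWARD:rule:3 IN=wg0 OUT=ens192 SRC=10.7.0.2 DST=192.168.1.185 PROTO=ICMP ID=1 SEQ=542
"""

# Chains a forwarded packet traverses, in hook order (iptables-legacy tables). A chain only
# shows up in TRACE if its table is registered; nat chains are consulted once per conntrack entry.
FORWARD_PATH = [
    ("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING"),
    ("mangle", "FORWARD"), ("filter", "FORWARD"),
    ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"),
]
NAT_CHAINS = {("nat", "PREROUTING"), ("nat", "POSTROUTING")}

TRACE_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy|return):(?P<num>\d+)")


def parse_trace(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (table, chain, kind, number) per TRACE line; plain LOG lines are ignored."""
    hops = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            hops.append((m["table"], m["chain"], m["kind"], int(m["num"])))
    return hops


def diagnose(hops) -> Dict[str, List[Tuple[str, str]]]:
    """Split the expected forward path into chains seen in the trace and chains missing from it."""
    seen = {(t, c) for t, c, _, _ in hops}
    return {
        "seen": [tc for tc in FORWARD_PATH if tc in seen],
        "missing_nat": [tc for tc in FORWARD_PATH if tc not in seen and tc in NAT_CHAINS],
        "missing_other": [tc for tc in FORWARD_PATH if tc not in seen and tc not in NAT_CHAINS],
    }


def verdict(d: Dict[str, List[Tuple[str, str]]]) -> str:
    """Heuristic reading of diagnose(): which mechanism best explains the gaps (assumed labels)."""
    if not d["missing_nat"] and not d["missing_other"]:
        return "complete"
    if d["missing_other"]:
        return "tables-not-registered"   # mangle/nat were not hooked when the packet passed
    return "nat-already-bound"           # conntrack entry existed, so nat chains were skipped
```

If mangle chains do appear but the nat ones do not, the packet belonged to a conntrack entry whose NAT binding was already decided by an earlier packet (a Windows ping reuses ICMP ID 1, so every request shares one entry until it times out); if the mangle chains are missing as well, those tables were simply not registered at the time, which is what listing them changes.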