DIY 最小安装 Debian nftables 路由不起作用

Question

我已经通过以下配置解决了我的问题

/etc/网络/接口

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface init7_WAN
allow-hotplug enp2s0f1
iface enp2s0f1 inet dhcp

# The interface Carbon_LAN
allow-hotplug eno2
iface eno2 inet static
address 192.168.100.190
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0

# The interface WiFi_LAN
allow-hotplug eno1
iface eno1 inet static
address 192.168.101.190
netmask 255.255.255.0
broadcast 192.168.101.255
network 192.168.101.0

/etc/sysctl

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

/etc/nftables.conf

# --- /etc/nftables.conf
#!/usr/sbin/nft -f
#local = eno2
#wan = enp2s0f1
#
#
flush ruleset
 
table inet filter {
chain input {
type filter hook input priority 0;
iif eno2 accept comment "allow local packets"
iif enp2s0f1 ct state {established, related} counter accept comment "allow esablished wan packets"
iif enp2s0f1 drop
}
chain forward {
type filter hook forward priority 0;
iif enp2s0f1 oif eno2 ct state {established, related} counter accept comment "allow wan est, relat"
iif eno2 oif enp2s0f1 counter accept comment "allow lan to wan"
iif enp2s0f1 ip daddr 192.168.100.190 tcp dport {https} counter accept comment "forward https"
iif enp2s0f1 drop
}
chain output {
type filter hook output priority 0;
}
}
 
table nat {
chain output {
type nat hook output priority -100;
}
chain prerouting {
type nat hook prerouting priority -100;
iif enp2s0f1 tcp dport {https} counter dnat to 192.168.100.190 comment "forward https to 190"
}
chain postrouting {
type nat hook postrouting priority 100;
oif enp2s0f1 counter masquerade comment "masquerade"
}
}

Windows 10 客户端上的网络接口

IP-Address: 192.168.100.191
Subnet prefix length: 24
Gateway: 192.168.100.190
DNS1: 1.1.1.1
DNS0: 1.0.0.1

Answer 1

我已经通过以下配置解决了我的问题

/etc/网络/接口

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface init7_WAN
allow-hotplug enp2s0f1
iface enp2s0f1 inet dhcp

# The interface Carbon_LAN
allow-hotplug eno2
iface eno2 inet static
address 192.168.100.190
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0

# The interface WiFi_LAN
allow-hotplug eno1
iface eno1 inet static
address 192.168.101.190
netmask 255.255.255.0
broadcast 192.168.101.255
network 192.168.101.0

/etc/sysctl

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

/etc/nftables.conf

# --- /etc/nftables.conf
#!/usr/sbin/nft -f
#local = eno2
#wan = enp2s0f1
#
#
flush ruleset
 
table inet filter {
chain input {
type filter hook input priority 0;
iif eno2 accept comment "allow local packets"
iif enp2s0f1 ct state {established, related} counter accept comment "allow esablished wan packets"
iif enp2s0f1 drop
}
chain forward {
type filter hook forward priority 0;
iif enp2s0f1 oif eno2 ct state {established, related} counter accept comment "allow wan est, relat"
iif eno2 oif enp2s0f1 counter accept comment "allow lan to wan"
iif enp2s0f1 ip daddr 192.168.100.190 tcp dport {https} counter accept comment "forward https"
iif enp2s0f1 drop
}
chain output {
type filter hook output priority 0;
}
}
 
table nat {
chain output {
type nat hook output priority -100;
}
chain prerouting {
type nat hook prerouting priority -100;
iif enp2s0f1 tcp dport {https} counter dnat to 192.168.100.190 comment "forward https to 190"
}
chain postrouting {
type nat hook postrouting priority 100;
oif enp2s0f1 counter masquerade comment "masquerade"
}
}

Windows 10 客户端上的网络接口

IP-Address: 192.168.100.191
Subnet prefix length: 24
Gateway: 192.168.100.190
DNS1: 1.1.1.1
DNS0: 1.0.0.1

DIY 最小安装 Debian nftables 路由不起作用

答案1

相关内容