I set up a DIY router based on Debian, with no DHCP or DNS server.
My problem: when I power on the router and the system boots, the Internet connection on the clients works for 4-5 seconds (the Internet icon on a Win10 client becomes active), then drops, and it only comes back after I restart nftables. How can I keep the Internet connection up permanently without restarting nftables?
I'm still new to Linux and nftables, so I'd really appreciate your help! PS: I decided against OpenWRT and pfSense because I also want to deploy and learn podman.
#!/usr/sbin/nft -f
flush ruleset

define carbon_LAN = eno2
define WiFi_LAN = eno1
define myWAN = enp2s0f1

table inet filter {
    chain input {
        type filter hook input priority 0;
        # "drop invalid packets"
        iif $myWAN ct state invalid drop
        # "allow local packets"
        iif { $carbon_LAN, $WiFi_LAN } accept
        # "allow established wan packets"
        iif $myWAN ct state { established, related } counter accept
        # "allow communication between LANs subnets"
        iif $carbon_LAN oif $WiFi_LAN accept
        iif $WiFi_LAN oif $carbon_LAN accept
        # "drop the rest of the packets"
        iif $myWAN drop
    }
    chain forward {
        type filter hook forward priority 0;
        # "drop invalid packets"
        iif $myWAN ct state invalid drop
        # "allow wan est, relat"
        iif $myWAN oif { $carbon_LAN, $WiFi_LAN } ct state { established, related } counter accept
        # "allow lan to wan"
        iif { $carbon_LAN, $WiFi_LAN } oif $myWAN counter accept
        # "drop the rest of the packets"
        iif $myWAN drop
    }
    chain output {
        type filter hook output priority 0;
        # "allow traffic from all LANs to WAN"
        oif $myWAN accept
        # "allow communication between LANs"
        iif $carbon_LAN oif $WiFi_LAN accept
        iif $WiFi_LAN oif $carbon_LAN accept
        # "drop the rest of the packets"
        oif $myWAN drop
    }
}

table nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $myWAN counter masquerade comment "masquerade"
    }
}
I tried adding these rules to the input chain, but it didn't help
# allow tcp DNS
iif $myWAN tcp dport 53 accept
# allow udp DNS and DHCP
iif $myWAN udp dport {53,67,68} accept
# allow ICMP on the LAN
iif $myWAN ip protocol icmp accept
and then put these into the forward chain
# "forward DNS"
iif $myWAN oif {$carbon_LAN,$WiFi_LAN} tcp dport 53 accept
iif $myWAN oif {$carbon_LAN,$WiFi_LAN} udp dport 53 accept
Answer 1
Using iifname/oifname instead of iif/oif solved the problem.
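The answer's fix applied to the ruleset from the question, as an added example (not the asker's or the answerer's own config): iif/oif match the interface index that nft resolves when the ruleset is loaded, so if an interface is created or renumbered after loading, the rule silently stops matching; iifname/oifname compare the interface name on every packet. The example also uses policy drop on input and forward (an added hardening, not part of the answer) and leaves out the input-chain rules that used oif, because no output interface exists in the input hook and they never match.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Same interface names as in the question; quoted because iifname/oifname compare strings.
define carbon_LAN = "eno2"
define WiFi_LAN   = "eno1"
define myWAN      = "enp2s0f1"

table inet filter {
    chain input {
        # Default-deny: every accept below is explicit.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state invalid drop
        # LAN hosts may reach the router itself.
        iifname { $carbon_LAN, $WiFi_LAN } accept
        # Replies to connections the router itself opened towards the WAN.
        iifname $myWAN ct state { established, related } counter accept
        # The original LAN-to-LAN rules used oif here; oif is never set in the
        # input hook, so they are handled in the forward chain instead.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        # Return traffic for connections the LANs opened towards the WAN.
        iifname $myWAN oifname { $carbon_LAN, $WiFi_LAN } ct state { established, related } counter accept
        # LAN to WAN.
        iifname { $carbon_LAN, $WiFi_LAN } oifname $myWAN counter accept
        # Traffic between the two LANs.
        iifname $carbon_LAN oifname $WiFi_LAN accept
        iifname $WiFi_LAN oifname $carbon_LAN accept
    }
    chain output {
        # The original output chain accepted everything in effect; keep that explicit.
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $myWAN counter masquerade comment "masquerade"
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that the rules show interface names rather than numeric indexes; with iif/oif, `nft list ruleset` prints the index that was captured at load time.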