I have an OpenWrt router with three interfaces:
- Interface br-lan: IP 172.16.21.1, on the LAN network (172.16.21.0/24).
- Interface eth1: IP 172.16.22.2, a WAN network with Internet access (172.16.22.0/30).
- Interface qmimux0: IP 80.80.80.80, a mobile connection with Internet access.
I have the default route on the WAN connection (eth1):
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.22.1 0.0.0.0 UG 1 0 0 eth1
0.0.0.0 0.0.0.0 0.0.0.0 U 2 0 0 qmimux0
80.80.80.80 0.0.0.0 255.255.255.255 UH 2 0 0 qmimux0
172.16.21.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
172.16.22.0 0.0.0.0 255.255.255.252 U 1 0 0 eth1
I have a few iptables rules for NAT:
# iptables -t nat -v -L -n
Chain PREROUTING (policy ACCEPT 98 packets, 5677 bytes)
pkts bytes target prot opt in out source destination
149 8737 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
65 4416 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_mobile_prerouting all -- wwan0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
84 4321 zone_mobile_prerouting all -- qmimux0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 149 packets, 8737 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 561 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 8 packets, 561 bytes)
pkts bytes target prot opt in out source destination
8 561 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
0 0 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_postrouting all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_mobile_postrouting all -- * wwan0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_mobile_postrouting all -- * qmimux0 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_mobile_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_mobile_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */
0 0 SNAT tcp -- * * 172.16.21.0/24 172.16.21.1 tcp dpt:443 /* !fw3: HTTPS to ROUTER-INT (reflection) */ to:172.16.21.1
0 0 SNAT tcp -- * * 172.16.21.0/24 172.16.21.1 tcp dpt:443 /* !fw3: HTTPS to ROUTER-INT 4G (reflection) */ to:172.16.21.1
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
65 4416 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */
0 0 DNAT tcp -- * * 172.16.21.0/24 172.16.22.2 tcp dpt:9443 /* !fw3: HTTPS to ROUTER-INT (reflection) */ to:172.16.21.1:443
0 0 DNAT tcp -- * * 172.16.21.0/24 80.80.80.80 tcp dpt:19443 /* !fw3: HTTPS to ROUTER-INT 4G (reflection) */ to:172.16.21.1:443
Chain zone_mobile_postrouting (2 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_mobile_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom mobile postrouting rule chain */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_mobile_prerouting (2 references)
pkts bytes target prot opt in out source destination
84 4321 prerouting_mobile_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom mobile prerouting rule chain */
51 3060 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19443 /* !fw3: HTTPS to ROUTER-INT 4G */ to:172.16.21.1:443
Chain zone_wan_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443 /* !fw3: HTTPS to ROUTER-INT */ to:172.16.21.1:443
Now I need the responses to requests that arrive on the qmimux0 interface to be routed back out through that same interface. For example, I receive a request to the qmimux0 public IP (80.80.80.80) on port 19443; iptables forwards it to 172.16.21.1 port 443. The response is routed via eth1 because that is the default route.
I have tried marking packets with iptables, but it had no effect:
iptables -t mangle -A PREROUTING -i qmimux0 -j MARK --set-mark 1
ip rule add fwmark 1 table 100
ip route add default via 80.80.80.80 table 100
iptables -t nat -A POSTROUTING -o qmimux0 -m mark --mark 1 -j SNAT --to-source 80.80.80.80
tcpdump shows the packets using eth1 for the outgoing side of the connection:
16:04:20.969197 qmimux0 In IP 100.100.100.100.49263 > 80.80.80.80.17443: Flags [S], seq 3834440872, win 1024, options [mss 1410], length 0
16:04:20.975831 eth1 Out IP 80.80.80.80.17443 > 100.100.100.100.49263: Flags [S.], seq 3685592694, ack 3834440873, win 64240, options [mss 1460], length 0
16:04:21.996055 eth1 Out IP 80.80.80.80.17443 > 100.100.100.100.49263: Flags [S.], seq 3685592694, ack 3834440873, win 64240, options [mss 1460], length 0
I am clearly missing something, but my networking knowledge is limited. Can anyone help me?
Answer 1
The mark set by -j MARK is specific to the packet, so if you mark the incoming packet, by default this does not affect the outgoing response. You need to set a connection mark, in other words store the packet mark in the conntrack state (the same mechanism that handles NAT and "new/established", so it works equally for UDP and TCP).
After setting the packet mark on the incoming packet, add an additional rule that saves it with -j CONNMARK:
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
Then, for the outgoing packets, you need to retrieve the mark from conntrack:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
On the other hand, you probably don't need the manual SNAT rule, because this is handled automatically by conntrack: if the original packet was NATed, then any packet matching the "reply" side of the NAT state gets the reverse NAT applied (in fact, such packets do not go through the -t nat rules at all).
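The answer's recipe as a complete, re-runnable script (an added example, not code from the question or the answer). It assumes qmimux0 is a point-to-point link with no gateway address, so table 100's default route is `default dev qmimux0`, and it restores the mark in mangle OUTPUT as well as PREROUTING, because the DNAT target 172.16.21.1:443 is the router itself, so those replies are locally generated and never traverse PREROUTING. The DRY_RUN variable is this script's own knob for printing the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the question or the answer): route replies to
# connections that arrived on qmimux0 back out qmimux0, using a conntrack
# mark as the answer describes. Assumes qmimux0 is a point-to-point link
# (default route "dev qmimux0", no gateway). DRY_RUN=1 prints the commands.
IFACE="${IFACE:-qmimux0}"
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append an iptables rule unless an identical rule already exists (-C),
# so the script can be re-run from /etc/firewall.user without duplicates.
add_rule() {
    table="$1"; shift
    if [ -n "${DRY_RUN:-}" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

setup_policy_routing() {
    # 1. Mark the first packet of each connection arriving on the mobile
    #    interface, then store that packet mark in the conntrack entry.
    add_rule mangle PREROUTING -i "$IFACE" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    add_rule mangle PREROUTING -i "$IFACE" -m conntrack --ctstate NEW -j CONNMARK --save-mark
    # 2. Copy the saved mark back onto later packets of that connection.
    #    PREROUTING covers forwarded replies; OUTPUT covers replies the router
    #    generates itself (the DNAT target 172.16.21.1:443 is the router).
    add_rule mangle PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
    add_rule mangle OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
    # 3. Marked packets use table $TABLE, whose only route points at $IFACE.
    #    "ip rule add" is not idempotent; run it once, e.g. at boot.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route replace default dev "$IFACE" table "$TABLE"
    # No SNAT rule: conntrack reverses the DNAT on the reply path by itself.
}

# Render the rule set as text (dry run in a subshell) for review or testing.
render_rules() (
    DRY_RUN=1
    setup_policy_routing
)
```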