iptable:将所有流量从 swlan0 路由到 tun0 设备

tag-icon tag-icon vpn iptables routing-table mobile-hotspot
iptable:将所有流量从 swlan0 路由到 tun0 设备

我有一个安装了 VPN 应用程序的 rooted Android 设备,我想通过 VPN(tun0)路由来自移动热点(swlan0)的所有流量。

我运行了在 github 上找到的这个脚本(5 年前)来更新 Android rooted 设备上的 iptables,但是我通过 swlan0 连接的其他设备(ip 192.168.43.181/24 网关 192.168.43.112)没有获得通过 VPN 路由的流量。

查看路由,我没有看到任何 swlan0 路由。android 脚本是否过时了,缺少在表 61 中添加 swlan0 设备的路由?有没有提示可能出了什么问题和/或如何修复?

#回显 $wifiIP

192.168.1

#回显 $wifi

1

# Inital variable setup
tethering=0

# Setup iptables before forwarding VPN
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE

# Check if WIFI is tethered, if so forward VPN 
wifi=$(dumpsys wifi | grep curState=StartedState | wc -l)
wifiIP=$(ifconfig wlan0 2>/dev/null | grep "inet addr" | cut -d":" -f2 | cut -d' ' -f1 | cut -d'.' -f1-3)

if [[ "$wifi" -gt 0 ]];
 then
 ip rule add from "$wifiIP".0/24 lookup 61
 touch /storage/emulated/0/vpn-hotspot.lock
 nohup sh -c 'while [[ -f /storage/emulated/0/vpn-hotspot.lock ]]; do ip route add default dev tun0 scope link table 61; sleep 180; done;' </dev/null >/dev/null 2>&1 &
 echo $! > /storage/emulated/0/vpn-hotspot.pid
 ip route add "$wifiIP".0/24 dev wlan0 scope link table 61
 ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
 wifiTethered=1
 tethering=1
 echo "Set up VPN on WIFI successfully"
 else
 wifiTethered=0
 echo "Not tethering on WIFI"
fi

#ifconfig

lo        Link encap:UNSPEC
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope: Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 TX bytes:0

tun0      Link encap:UNSPEC
          inet addr:10.2.0.2  P-t-P:10.2.0.2  Mask:255.255.255.255
          inet6 addr: fe80::ceed:722f:7718:ef59/64 Scope: Link
          UP POINTOPOINT RUNNING  MTU:1280  Metric:1
          RX packets:4059 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:3255334 TX bytes:360377

wlan0     Link encap:UNSPEC
          inet addr:192.168.1.153  Bcast:192.168.1.255  Mask:255.25
5.255.0
          inet6 addr: 2804:30c:1b11:100:68c2:f3ff:fe28:fb4e/64 Scop
e: Global
          inet6 addr: fd4b:c3dd:1793:0:1803:3567:3317:a215/64 Scope
: Global
          inet6 addr: 2804:30c:1b11:100:1803:3567:3317:a215/64 Scop
e: Global
          inet6 addr: fe80::68c2:f3ff:fe28:fb4e/64 Scope: Link
          inet6 addr: fd4b:c3dd:1793:0:68c2:f3ff:fe28:fb4e/64 Scope
: Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:420883 errors:0 dropped:3 overruns:0 frame:0
          TX packets:141806 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000
          RX bytes:516850927 TX bytes:18288110

swlan0    Link encap:UNSPEC
          inet addr:192.168.43.112  Bcast:192.168.43.255  Mask:255.
255.255.0
          inet6 addr: fe80::cca5:d5ff:fe10:1171/64 Scope: Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50844 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103745 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000
          RX bytes:3666610 TX bytes:127952229

:/

#iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N block_all_dns
-N block_allow_table
-N block_block_table
-N block_tcp_ports
-N block_udp_ports
-N bw_FORWARD
-N bw_INPUT
-N bw_OUTPUT
-N bw_VIDEOCALL_IN
-N bw_VIDEOCALL_OUT
-N bw_costly_shared
-N bw_data_saver
-N bw_global_alert
-N bw_happy_box
-N bw_penalty_box
-N bw_videocall_box
-N firewall_f
-N firewall_r
-N fw_FORWARD
-N fw_INPUT
-N fw_OUTPUT
-N input_dos
-N oem_fwd
-N oem_out
-N st_OUTPUT
-N st_clear_caught
-N st_clear_detect
-N st_penalty_log
-N st_penalty_reject
-N tetherctrl_FORWARD
-N tetherctrl_counters
-A INPUT -j bw_INPUT
-A INPUT -j fw_INPUT
-A INPUT -j input_dos
-A INPUT -j bw_VIDEOCALL_IN
-A INPUT -j bw_VIDEOCALL_OUT
-A INPUT -j bw_videocall_box
-A INPUT -j firewall_f
-A FORWARD -j ACCEPT
-A OUTPUT -j oem_out
-A OUTPUT -j fw_OUTPUT
-A OUTPUT -j st_OUTPUT
-A OUTPUT -j bw_OUTPUT
-A OUTPUT -j bw_VIDEOCALL_IN
-A OUTPUT -j bw_VIDEOCALL_OUT
-A OUTPUT -j bw_videocall_box
-A OUTPUT -j firewall_f
-A bw_INPUT -j bw_global_alert
-A bw_INPUT -p esp -j RETURN
-A bw_INPUT -m mark --mark 0x100000/0x100000 -j RETURN
-A bw_INPUT -j MARK --set-xmark 0x100000/0x100000
-A bw_OUTPUT -j bw_global_alert
-A bw_costly_shared -j bw_penalty_box
-A bw_data_saver -j RETURN
-A bw_global_alert -m quota2 ! --name globalAlert  --quota 2097152
-A bw_happy_box -m bpf --object-pinned /sys/fs/bpf/netd_shared/prog
_netd_skfilter_allowlist_xtbpf -j RETURN
-A bw_happy_box -j bw_data_saver
-A bw_penalty_box -m bpf --object-pinned /sys/fs/bpf/netd_shared/pr
og_netd_skfilter_denylist_xtbpf -j REJECT --reject-with icmp-port-u
nreachable
-A bw_penalty_box -j bw_happy_box
-A firewall_f -o tun+ -m bpf --object-pinned /sys/fs/bpf/prog_ss_ne
td_skfilter_mobilefw_xtbpf -j firewall_r
-A firewall_f -o rmnet+ -m bpf --object-pinned /sys/fs/bpf/prog_ss_
netd_skfilter_mobilefw_xtbpf -j firewall_r
-A firewall_f -o wlan+ -m bpf --object-pinned /sys/fs/bpf/prog_ss_n
etd_skfilter_wlanfw_xtbpf -j firewall_r
-A firewall_r -j REJECT --reject-with icmp-port-unreachable
-A input_dos -p tcp -m conntrack --ctstate NEW -m limit --limit 50/
sec --limit-burst 50 -j ACCEPT
-A input_dos -p tcp -m conntrack --ctstate NEW -j DROP
-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT
 --reject-with icmp-port-unreachable
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x
3c@0x0&0xffff0000=0x16030000&&0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x4&0xf
f0000=0x10000" -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_clear_detect -p udp -m u32 --u32 "0x0>>0x16&0x3c@0x8&0xffff00
00=0x16fe0000&&0x0>>0x16&0x3c@0x14&0xff0000=0x10000" -j CONNMARK --
set-xmark 0x1000000/0x1000000
-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN
-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32
 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0&0x0=0x0" -j st_clear_caught
-A st_clear_detect -p udp -j st_clear_caught
-A st_penalty_log -j CONNMARK --set-xmark 0x1000000/0x1000000
-A st_penalty_log -j NFLOG
-A st_penalty_reject -j CONNMARK --set-xmark 0x2000000/0x2000000
-A st_penalty_reject -j NFLOG
-A st_penalty_reject -j REJECT --reject-with icmp-port-unreachable
-A tetherctrl_FORWARD -j DROP
-A tetherctrl_counters -i swlan0 -o wlan0 -j RETURN
-A tetherctrl_counters -i wlan0 -o swlan0 -j RETURN
:/ #

#ip 路由显示表全部

default dev tun0 table tun0 proto static scope link
10.2.0.2 dev tun0 table tun0 proto static scope link
192.168.1.0/24 dev wlan0 table wlan0_local proto static scope link
10.2.0.2 dev tun0 table tun0_local proto static scope link
default dev tun0 table 61 scope link
192.168.1.0/24 dev wlan0 table 61 scope link
broadcast 255.255.255.255 dev wlan0 table 61 scope link
80.233.119.122 via 192.168.1.1 dev wlan0 table legacy_system proto
static
default via 192.168.1.1 dev wlan0 table wlan0 proto static
192.168.1.0/24 dev wlan0 table wlan0 proto static scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.153
local 10.2.0.2 dev tun0 table local proto kernel scope host src 10.
2.0.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 12
7.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.
0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope lin
k src 127.0.0.1
broadcast 192.168.1.0 dev wlan0 table local proto kernel scope link
 src 192.168.1.153
local 192.168.1.153 dev wlan0 table local proto kernel scope host s
rc 192.168.1.153
broadcast 192.168.1.255 dev wlan0 table local proto kernel scope li
nk src 192.168.1.153
2000::/3 dev tun0 table tun0 proto static metric 1024 pref medium
fe80::/64 dev tun0 table tun0 proto kernel metric 256 pref medium
2804:30c:1b11:100::/64 dev wlan0 table wlan0_local proto static met
ric 1024 pref medium
fd4b:c3dd:1793::/64 dev wlan0 table wlan0_local proto static metric
 1024 pref medium
fe80::/64 dev wlan0 table wlan0_local proto static metric 1024 pref
 medium
2000::/3 dev tun0 table tun0_local proto static metric 1024 pref me
dium
2804:30c:1b11:100::/64 dev wlan0 table wlan0 proto kernel metric 25
6 expires 523472sec pref medium
2804:30c:1b11:100::/64 dev wlan0 table wlan0 proto static metric 10
24 pref medium
2804:30c:1b11:100::/56 via fe80::52eb:f8ff:fe19:f1d8 dev wlan0 tabl
e wlan0 proto ra metric 1024 expires 1669sec pref medium
fd4b:c3dd:1793::/64 dev wlan0 table wlan0 proto kernel metric 256 p
ref medium
fd4b:c3dd:1793::/64 dev wlan0 table wlan0 proto static metric 1024
pref medium
fd4b:c3dd:1793::/48 via fe80::52eb:f8ff:fe19:f1d8 dev wlan0 table w
lan0 proto ra metric 1024 expires 1669sec pref medium
fe80::/64 dev wlan0 table wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 table wlan0 proto static metric 1024 pref mediu
m
default via fe80::52eb:f8ff:fe19:f1d8 dev wlan0 table wlan0 proto r
a metric 1024 expires 1669sec mtu 1492 hoplimit 64 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2804:30c:1b11:100:1803:3567:3317:a215 dev wlan0 table local p
roto kernel metric 0 pref medium
local 2804:30c:1b11:100:68c2:f3ff:fe28:fb4e dev wlan0 table local p
roto kernel metric 0 pref medium
local fd4b:c3dd:1793:0:1803:3567:3317:a215 dev wlan0 table local pr
oto kernel metric 0 pref medium
local fd4b:c3dd:1793:0:68c2:f3ff:fe28:fb4e dev wlan0 table local pr
oto kernel metric 0 pref medium
local fe80::68c2:f3ff:fe28:fb4e dev wlan0 table local proto kernel
metric 0 pref medium
local fe80::ceed:722f:7718:ef59 dev tun0 table local proto kernel m
etric 0 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium

相关内容