根据 tcpdump,来自 VPN 客户端的初始数据包将其源地址转换并发送到目的地,并且响应数据包到达,但该响应数据包刚刚丢失。我什至这样做了firewall-cmd --set-log-denied=all,但是这个数据包丢失了,没有任何日志消息。
之前我在 CentOS7 上有我的 OpenVPN 服务器,没有防火墙,并为客户端启用了互联网访问,如下所示:
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# localhost:~ # iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 10 packets, 751 bytes)
pkts bytes target prot opt in out source destination
3 180 MASQUERADE all -- * eth0 10.8.1.0/24 0.0.0.0/0
迁移到 OpenSUSE Tumbleweed 后,我花了 4 个小时尝试使用firewalld 配置相同的内容,但放弃了,停止了firewalld 并尝试使用相同的 iptables 命令,但它仍然不起作用 - 响应数据包被默默丢弃。
10.8.1.1 tun0 # VPN server
172.31.1.100 eth0 # WAN
_
localhost:~ # systemctl stop firewalld
localhost:~ # nft list ruleset
localhost:~ # iptables -t nat -I POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
localhost:~ # nft list ruleset
localhost:~ # iptables-save
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*mangle
:PREROUTING ACCEPT [8078:12476730]
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
:POSTROUTING ACCEPT [7553:1620216]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*raw
:PREROUTING ACCEPT [8078:12476730]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*security
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*filter
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
客户端尝试连接到 SMTP
localhost:~ # tcpdump -nn -i any "port 465 or icmp"
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
02:41:25.326501 tun0 In IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758001736 ecr 0,nop,wscale 7], length 0
02:41:25.326590 eth0 Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758001736 ecr 0,nop,wscale 7], length 0
02:41:25.363047 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105615202 ecr 1758001736,nop,wscale 8], length 0
02:41:26.280346 tun0 In IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758002755 ecr 0,nop,wscale 7], length 0
02:41:26.280400 eth0 Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758002755 ecr 0,nop,wscale 7], length 0
02:41:26.316940 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105616156 ecr 1758001736,nop,wscale 8], length 0
02:41:27.331029 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105617170 ecr 1758001736,nop,wscale 8], length 0
02:41:28.306349 tun0 In IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758004782 ecr 0,nop,wscale 7], length 0
02:41:28.306380 eth0 Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758004782 ecr 0,nop,wscale 7], length 0
02:41:28.342862 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105618182 ecr 1758001736,nop,wscale 8], length 0
02:41:30.403068 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105620242 ecr 1758001736,nop,wscale 8], length 0
^C
11 packets captured
13 packets received by filter
0 packets dropped by kernel
答案1
所以我决定重新启动,但在重新启动之前,我将运行时内核参数转储到一个文件中,然后重复设置iptables/sysctl,这次成功了!
比较 sysctl 输出后,我发现net.ipv4.conf.eth0.forwarding即使net.ipv4.ip_forward是 1,它也是 0。我不知道可以为单个网卡启用或禁用转发。看起来像是firewall-cmd为运行时内核参数设置了错误的值,并且firewall-cmd由于某种原因无法恢复它。