Apart from `ip rule`, `ip route` and `iptables`, is there anything else that can affect routing and packet filtering in Linux?


Recently I wanted to set up the CF WARP client on my VPS, but I ran into a strange problem. I'm not sure this is the right place to ask; if not, I apologize and will delete it.

Background:

I installed the official Cloudflare WARP client on my VPS (Ubuntu 20.04), but as soon as I connect to the Cloudflare WARP network, SSH (from my home to the VPS) disconnects and never reconnects.

On the VPS:

$ warp-cli register
$ warp-cli set-mode warp
$ warp-cli connect
<<<<<<<< SSH Disconnect!

I tried to solve this myself.

In the web console (since I can no longer SSH into the VPS, I have to use the VPS web console):

$ ip addr
1: lo ...
2: enp1s0 ...
3: CloudflareWARP ...

$ ip rule show
0: from all lookup local
32765: not from all fwmark 0x100cf lookup 65743
32766: from all lookup main 
32767: from all lookup default

Clearly, apart from some packets with mark 0x100cf used by the WARP client itself, all traffic from the VPS to other sites has been taken over by the WARP network. This is why my SSH disconnects.

The standard way to solve this kind of problem (as far as I know, VPN clients usually break SSH, e.g. WireGuard) is to add the following rule and route:

$ ip route list table main default
default via 45.32.80.1 dev enp1s0 proto dhcp src 45.32.82.124 metric 100

$ ip rule add table 200 from 45.32.82.124
$ ip route add table 200 default via 45.32.80.1 dev enp1s0 proto dhcp src 45.32.82.124

45.32.82.124 is my VPS public IP, and 45.32.80.1 is the gateway.

Then:

$ ip rule show
0: from all lookup local
32764: from 45.32.82.124 lookup 200
32765: not from all fwmark 0x100cf lookup 65743
32766: from all lookup main 
32767: from all lookup default

Unfortunately, SSH still cannot connect. This surprised me, because with the same setup, if I use WireGuard instead of the WARP client, SSH can connect.

The WireGuard and WARP client setups differ very little.

Here is the WireGuard setup:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether 56:00:04:6b:06:1a brd ff:ff:ff:ff:ff:ff
    inet 107.191.58.220/24 brd 107.191.58.255 scope global dynamic enp1s0
       valid_lft 71276sec preferred_lft 71276sec
    inet6 fe80::5400:4ff:fe6b:61a/64 scope link
       valid_lft forever preferred_lft forever
3: wgclient: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.16.0.2/32 scope global wgclient
       valid_lft forever preferred_lft forever
    inet6 2606:4700:110:8cbe:b4b0:fa54:9af:e32d/128 scope global
       valid_lft forever preferred_lft forever
$ ip rule show
0:      from all lookup local
32763:  from 107.191.58.220 lookup 200
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
$ ip route show table local
broadcast 107.191.58.0 dev enp1s0 proto kernel scope link src 107.191.58.220
local 107.191.58.220 dev enp1s0 proto kernel scope host src 107.191.58.220
broadcast 107.191.58.255 dev enp1s0 proto kernel scope link src 107.191.58.220
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 172.16.0.2 dev wgclient proto kernel scope host src 172.16.0.2

$ ip route show table main
default via 107.191.58.1 dev enp1s0 proto dhcp src 107.191.58.220 metric 100
107.191.58.0/24 dev enp1s0 proto kernel scope link src 107.191.58.220
169.254.169.254 via 107.191.58.1 dev enp1s0 proto dhcp src 107.191.58.220 metric 100

$ ip route show table 51820
default via wgclient scope link

$ ip route show table 200
default via 107.191.58.1 dev enp1s0

Here is the WARP setup:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 fd01:db8:1111::3/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fd01:db8:1111::2/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether 56:00:04:6a:f8:84 brd ff:ff:ff:ff:ff:ff
    inet 45.32.82.124/22 brd 45.32.83.255 scope global dynamic enp1s0
       valid_lft 80142sec preferred_lft 80142sec
    inet6 fe80::5400:4ff:fe6a:f884/64 scope link
       valid_lft forever preferred_lft forever
62: CloudflareWARP: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc mq state UNKNOWN group default qlen 500
    link/none
    inet 172.16.0.2/32 scope global CloudflareWARP
       valid_lft forever preferred_lft forever
    inet6 2606:4700:110:85bb:76b8:7e7c:5e88:3230/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7099:4d97:27a8:f1da/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
$ ip rule show
0:      from all lookup local
32764:  from 45.32.82.124 lookup 200
32765:  not from all fwmark 0x100cf lookup 65743
32766:  from all lookup main
32767:  from all lookup default
$ ip route show table local
broadcast 45.32.80.0 dev enp1s0 proto kernel scope link src 45.32.82.124
local 45.32.82.124 dev enp1s0 proto kernel scope host src 45.32.82.124
broadcast 45.32.83.255 dev enp1s0 proto kernel scope link src 45.32.82.124
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 172.16.0.2 dev CloudflareWARP proto kernel scope host src 172.16.0.2

$ ip route show table main
default via 45.32.80.1 dev enp1s0 proto dhcp src 45.32.82.124 metric 100
45.32.80.0/22 dev enp1s0 proto kernel scope link src 45.32.82.124
169.254.169.254 via 45.32.80.1 dev enp1s0 proto dhcp src 45.32.82.124 metric 100

$ ip route show table 65743
0.0.0.0/5 dev CloudflareWARP proto static scope link
8.0.0.0/7 dev CloudflareWARP proto static scope link
....
#### Almost all IPs

$ ip route show table 200
default via 45.32.80.1 dev enp1s0 proto dhcp src 45.32.82.124

Note that I also tried some other settings:

  1. Added `32764: from all lookup main suppress_prefixlength 0` to the WARP setup, as in WireGuard, but SSH still does not work.

  2. Ran `tcpdump -i enp1s0` on the VPS while connecting over SSH; it does capture the SSH packets. So inbound traffic should be fine.

  3. Bound sshd to the VPS public IP 45.32.82.124 in `/etc/ssh/sshd_config` and restarted sshd, but SSH still does not work.

  4. Tried `ip route get`:

    $ ip route get 8.8.8.8
    8.8.8.8 dev CloudflareWARP table 65743 src 172.16.0.2 uid 1001
    
    $ ip route get 8.8.8.8 from 45.32.82.124
    8.8.8.8 dev 45.32.82.124 via 45.32.80.1 dev enp1s0 table 200 uid 1001
    
  5. Tried `ping` via enp1s0:

    $ ping 8.8.8.8
    # This is OK, because it is using WARP Network
    
    $ ping -I enp1s0 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data
    ping: sendmesg: Operation not permitted
    #### Why? 
    #### It can work in WireGuard setting!
    
  6. Tried `ping` with a mark:

    # sudo ping -m 65743 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data
    ping: sendmesg: Operation not permitted
    #### Why? 
    #### It can work in WireGuard setting! (65743 is the decimal of the mark 0x100cf, it should go main table, right?)
    
  7. Even after I deleted the rule `32765: not from all fwmark 0x100cf lookup 65743`, SSH still does not work.

  8. No changes in iptables. I checked that the iptables rules are identical in the WireGuard and WARP setups.

  9. The only way to make SSH work is to use `add-excluded-route` of the WARP client:

    warp-cli add-excluded-route <My-Home-IP>
    

    What this command does is exclude <My-Home-IP> from table 65743, so it is trivial. But why does my table 200 have no effect?

Question:

I have configured the WireGuard and WARP setups to be exactly the same, yet SSH can connect in the WireGuard setup but not in the WARP setup. So, apart from `ip rule`, `ip route` and `iptables`, are there any other factors that could affect routing or packet filtering and block my traffic the way the WARP client does?

Many thanks.

Answer 1

I don't know Cloudflare WARP (so I can't assess whether the following applies here), but to answer your question: there are indeed things in Linux networking that not only affect "routing" but also take precedence over it:

IPsec (or the mechanism it uses at the network layer):

ip xfrm policy list
ip xfrm state list

In general, this should help to understand what is happening:

ip route get 1.2.3.4 ipproto tcp dport 22

I guess your policy routing fails for new locally initiated connections because they don't have a `from` address yet.

You should add another rule:

ip rule add table 200 priority 30000 ipproto tcp dport 22
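To make the answer's point about rule priority and selectors concrete, here is a small Python model (added here; it is not code from the question or the answer) of how the kernel walks the `ip rule` list: it parses the asker's WARP rule set, applies each rule's selector (`from`, `not`, `fwmark`, `ipproto`, `dport`) in priority order, and reports which table and device a packet would leave by. It deliberately reduces each routing table to the device it sends a public destination out of, taken from the `ip route show` output above; the `TABLE_DEV` map and the packet attributes are constructed.

```python
import re

# Constructed sample: the asker's WARP rule set from the question, plus the
# "priority 30000 ipproto tcp dport 22" rule proposed in the answer.
WARP_RULES = """\
0:      from all lookup local
30000:  from all ipproto tcp dport 22 lookup 200
32764:  from 45.32.82.124 lookup 200
32765:  not from all fwmark 0x100cf lookup 65743
32766:  from all lookup main
32767:  from all lookup default
"""

# Device each table sends a public destination out of (from the question's
# `ip route show table ...` output). Tables missing here (local, default)
# hold no route for a public destination, so the rule walk continues.
TABLE_DEV = {"200": "enp1s0", "65743": "CloudflareWARP", "main": "enp1s0"}

RULE_RE = re.compile(
    r"(?P<prio>\d+):\s+(?P<neg>not )?from (?P<src>\S+)"
    r"(?: fwmark (?P<mark>0x[0-9a-f]+))?"
    r"(?: ipproto (?P<proto>\w+))?(?: dport (?P<dport>\d+))?"
    r" lookup (?P<table>\S+)$")

def parse_rules(text, drop_prio=()):
    """Parse `ip rule show` lines into dicts, ordered by priority (lowest first)."""
    rules = [RULE_RE.match(l.strip()).groupdict()
             for l in text.splitlines() if l.strip()]
    return sorted((r for r in rules if int(r["prio"]) not in drop_prio),
                  key=lambda r: int(r["prio"]))

def rule_matches(r, src, mark, proto, dport):
    """Apply one rule's selector; `not` inverts the whole selector."""
    ok = r["src"] == "all" or r["src"] == src
    if r["mark"] is not None:
        ok = ok and int(r["mark"], 16) == mark
    if r["proto"] is not None:
        ok = ok and r["proto"] == proto
    if r["dport"] is not None:
        ok = ok and int(r["dport"]) == dport
    return (not ok) if r["neg"] else ok

def egress(rules, src=None, mark=0, proto=None, dport=None):
    """First matching rule whose table actually routes the destination wins."""
    for r in rules:
        if rule_matches(r, src, mark, proto, dport):
            dev = TABLE_DEV.get(r["table"])
            if dev:
                return r["table"], dev
    return None, None
```

With `src=None` (a new locally initiated connection that has not been bound to an address yet) the `from 45.32.82.124` rule is skipped and the `not ... fwmark 0x100cf` rule sends the packet into table 65743; the priority-30000 rule catches TCP port 22 before that happens.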
