tun/tap interface cannot access the internet

I am trying to set up NAT: a tun/tap interface tap0 with IP masquerading.

But I cannot access the internet when the default route goes through tap0. Can you help me find the problem?

These are the commands I ran, where 192.168.A.B is a placeholder for the address of tap0:

ip tuntap add mode tap tap0
ip addr add 192.168.A.B/24 dev tap0
ifconfig tap0 192.168.A.B up
ip route add default via 192.168.A.B
ip link set tap0 up

These are my iptables rules; some of them are specific to another user named someuser, and I was root while testing (so the owner UID match someuser rules are not relevant):

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere localhost owner UID match someuser tcp dpt:krb524
ACCEPT udp -- anywhere localhost owner UID match someuser udp dpt:krb524
ACCEPT tcp -- anywhere localhost owner UID match someuser tcp dpt:upnotifyp
ACCEPT udp -- anywhere localhost owner UID match someuser udp dpt:upnotifyp
REJECT all -- anywhere anywhere owner UID match someuser reject-with icmp-port-unreachable

[root@localhost ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.A.0/24 anywhere
MASQUERADE all -- anywhere anywhere

At this point, when I ping imdb.com, the host is unreachable. Is the MASQUERADE iptables rule to blame?

Here is the output of ip route, where eth0 is the real interface with address 192.168.X.Y and my gateway is 192.168.X.Z:

[root@localhost ~]# ip route
default via 192.168.A.B dev tap0 linkdown
default via 192.168.X.Z dev eth0 proto dhcp src 192.168.X.Y metric 100
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1 metric 30
192.168.X.0/24 dev eth0 proto kernel scope link src 192.168.X.Y metric 100
192.168.A.0/24 dev tap0 proto kernel scope link src 192.168.A.B metric 350 linkdown

Although it says "linkdown", this is what tap0 looks like:

[root@localhost ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> ...
...
tap0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.A.B netmask 255.255.255.0  broadcast 192.168.A.255

ip addr show shows this for tap0:

tap0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000

and this for eth0:

<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000

Now, if I do the following, ping works:

ip route delete default via 192.168.A.B

which just means that everything goes directly through my real gateway.

Something I could try: creating a bridge between tap0 and eth0 via nmcli / nmtui. Would that solve the problem? How?
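As an added example (not from the question or from any answer to it), a small Python checker that parses ip route output of the shape shown above and reports why the tap0 default route cannot carry traffic: its link is down (no process is attached to the tap device) and its gateway is the interface's own address rather than a peer on the link. The addresses are constructed stand-ins for the placeholders 192.168.A.B, 192.168.X.Y and 192.168.X.Z, and the sysctl named in the comment is the kernel's net.ipv4.conf.*.ignore_routes_with_linkdown.

```python
import ipaddress
# Constructed sample shaped like the question's `ip route` output; concrete
# addresses stand in for 192.168.A.B (tap0) and 192.168.X.Y / X.Z (eth0).
SAMPLE_ROUTES = """\
default via 192.168.7.1 dev tap0 linkdown
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.10 metric 100
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1 metric 30
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 100
192.168.7.0/24 dev tap0 proto kernel scope link src 192.168.7.1 metric 350 linkdown
"""
# Constructed interface -> its own address/prefix, as `ip addr show` reports it.
SAMPLE_ADDRS = {"eth0": "192.168.1.10/24", "tap0": "192.168.7.1/24"}

def parse_routes(text):
    """Parse `ip route` lines into dicts: dst, via, dev, metric, linkdown."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        r = {"dst": tok[0], "via": None, "dev": None, "metric": 0,
             "linkdown": "linkdown" in tok}
        for i, t in enumerate(tok):
            if t in ("via", "dev"):
                r[t] = tok[i + 1]
            elif t == "metric":
                r["metric"] = int(tok[i + 1])
        routes.append(r)
    return routes

def effective_default(routes):
    """Device default traffic leaves through: the lowest-metric default route. A
    linkdown route still wins unless net.ipv4.conf.*.ignore_routes_with_linkdown
    is set, which is why the ping fails until the tap0 route is deleted."""
    defaults = [r for r in routes if r["dst"] == "default"]
    return min(defaults, key=lambda r: r["metric"])["dev"] if defaults else None

def check_default_routes(routes, addrs):
    """List (dev, reason) pairs for default routes that cannot carry traffic."""
    problems = []
    for r in routes:
        if r["dst"] != "default" or r["via"] is None or r["dev"] not in addrs:
            continue
        own = ipaddress.ip_interface(addrs[r["dev"]])
        gw = ipaddress.ip_address(r["via"])
        if r["linkdown"]:
            problems.append((r["dev"], "link is down: nothing is attached to the tap device"))
        if gw == own.ip:
            problems.append((r["dev"], "gateway is the interface's own address, not a peer"))
    return problems
```

Running the checker on the sample picks tap0 as the effective default (metric 0 beats eth0's 100) and reports both defects for it; with the tap0 route removed, eth0 becomes the default and no problem is reported, matching what the question observes.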
