我正在尝试遵循:https://superuser.com/a/1262250/41337但我无法让它发挥作用。
我愿意:
interface=eth0
down() {
ip netns delete myvpn
ip link delete vpn0
iptables -D INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
}
up() {
ip netns add myvpn
ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo
ip netns exec myvpn ip link set lo up
ip link add vpn0 type veth peer name vpn1
ip link set vpn0 up
ip link set vpn1 netns myvpn up
ip addr add 10.200.200.1/24 dev vpn0
ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
sysctl -q net.ipv4.ip_forward=1
mkdir -p /etc/netns/myvpn
echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf
ip netns exec myvpn ping 8.8.8.8
}
down
up
在另一个终端我运行:
$ sudo tcpdump -ni any host 8.8.8.8
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
22:49:44.817183 vpn0 In IP 10.200.200.2 > 8.8.8.8: ICMP echo request, id 18314, seq 1, length 64
22:49:45.822772 vpn0 In IP 10.200.200.2 > 8.8.8.8: ICMP echo request, id 18314, seq 2, length 64
22:49:46.842785 vpn0 In IP 10.200.200.2 > 8.8.8.8: ICMP echo request, id 18314, seq 3, length 64
这让我相信缺少一个步骤:网络流量不会在 eth0 上流出。
这些都有效:
ip netns exec myvpn ping 10.200.200.1
ip netns exec myvpn ping 10.200.200.2
ping 10.200.200.2
这失败了:
ping 10.200.200.1
答案1
这个命令...
ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
...应该失败:
Error: Nexthop has invalid gateway.
因为你从未设置过接口vpn1 up(所以10.200.200.1无法访问)。您应该在分配地址后立即执行此操作:
ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
ip netns exec myvpn ip link set vpn1 up
以下脚本对我有用。这与您的脚本几乎相同,但有以下更改:
- 我已经添加了
ip set link up前面提到的缺少的命令 - 我已将所有实例替换
ip netns exec myvpn ip ...为ip -n myvpn ... - 我利用了这个
netns论点ip link add
#!/bin/bash
interface=eth0
down() {
ip netns delete myvpn
ip link delete vpn0
iptables -D INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
}
up() {
ip netns add myvpn
ip -n myvpn addr add 127.0.0.1/8 dev lo
ip -n myvpn link set lo up
ip link add vpn0 type veth peer name vpn1 netns myvpn
ip link set vpn0 up
ip addr add 10.200.200.1/24 dev vpn0
ip -n myvpn addr add 10.200.200.2/24 dev vpn1
ip -n myvpn link set vpn1 up
ip -n myvpn route add default via 10.200.200.1 dev vpn1
iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o $interface -j MASQUERADE
ip netns exec myvpn ping -c 10 8.8.8.8
}
sysctl -q net.ipv4.ip_forward=1
down
trap down EXIT
up
在我的系统上运行此脚本会产生:
Cannot remove namespace file "/var/run/netns/myvpn": No such file or directory
Cannot find device "vpn0"
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=9.80 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=12.3 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=15.8 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=9.06 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=116 time=12.5 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=116 time=15.2 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=116 time=8.27 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=116 time=11.3 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=116 time=14.8 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=116 time=7.21 ms
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 7.211/11.621/15.819/2.871 ms