我有一个带有以下接口的 Linux 盒子:
eth0 Link encap:Ethernet HWaddr 14:da:e9:ef:75:7d
inet addr:176.9.85.182 Bcast:176.9.85.191 Mask:255.255.255.224
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.170.1.6 P-t-P:10.170.1.5 Mask:255.255.255.255
eth0是我的互联网连接,tun0显然是一个 VPN。现在我想将特定用户生成的所有流量路由到通过 VPN。因为这是我要解决的第一个真正的路由问题,所以我在谷歌上搜索了很多并阅读了这些:基于用户的路由,基于端口的路由,基本VPN路由 和部分拉克。到目前为止,我对此感到困惑:
# Mark all traffic from user
iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1002 -j MARK --set-mark 10
# Translate source address to VPN address
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# And just to be sure allow forwarding on tun0
-P FORWARD ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Route based on mark
ip rule add fwmark 10 priority 1000 table 10
# Route
ip route add default via 10.170.1.5 tun0 table 10
ip rule from 10.170.1.6/32 priority 1200 table 10
ip rule to 10.170.1.5/32 priority 1200 table 10
问题是,根据tcpdump工作SNAT,响应没有正确路由回进程,即使它们似乎具有正确的源地址。我已经启用ip_forwarding了echo 1 > /proc/sys/net/ipv4/ip_forward.我还缺少什么?
编辑:
设置sysctl -w net.ipv4.conf.tap0.rp_filter=2允许用户连接到互联网,但根据wget http://wtfismyip.com/textIP地址不是VPN而是我的正常公共地址。
谢谢,史蒂夫
15:22:17.713602 IP 10.170.1.6.42225 > google-public-dns-a.google.com.domain: 63046+ A? wtfismyip.com. (31)
15:22:17.713623 IP 10.170.1.6.42225 > google-public-dns-a.google.com.domain: 35494+ AAAA? wtfismyip.com. (31)
15:22:17.747989 IP google-public-dns-a.google.com.domain > 10.170.1.6.42225: 63046 1/0/0 A 54.200.182.206 (47)
15:22:17.854532 IP google-public-dns-a.google.com.domain > 10.170.1.6.42225: 35494 1/0/0 AAAA 2001:470:e8f8:1::1 (59)