SNAT through Racoon IPSec VPN

I am trying to route traffic from a device connected to my Ubuntu box (I will call the box the "host" and the device the "target") to a server in a remote office.

The host connects over a Racoon IPSec VPN through a NIC named efix. This creates an alias IF named efix:0 with the IP address 192.168.190.132. It is able to reach the server.

The link between host and target is an Ethernet link, using IP addresses 10.0.0.1 on IF eusb for the host and 10.0.0.2 on IF eth0 for the target.

I have set up the following routes and iptables entries:

  • On target:

    10.0.0.0 *        255.255.255.0 U  0 0 0 eth0
    default  10.0.0.1 0.0.0.0       UG 0 0 0 eth0
    
  • On host:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to 192.168.190.132
    iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
    iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
    

Using Wireshark to monitor an HTTP GET, I can see SYN packets from the target go all the way to the server, but the server's SYN/ACK packets stop at the host and are not forwarded to the target. Am I missing something here? Isn't SNAT supposed to keep track of the connections?

Answer 1

Your problem is likely that your forward rule is relying on the SNAT to have already happened for the return packets. When you say `iptables -A FORWARD -d 10.0.0.0/24`, that relies on the traffic already having been changed via the NAT, which happens after the forwarding. When the initial packet comes in, it has the NATed IP address (192.168.190.32) as the destination.

Probably what you want are rules like this:

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i efix -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.190.132

The first rule allows traffic related to existing connections, like the return traffic from the SNATed connections from "host". The second accepts traffic from "host" (if I understand your layout, "host" passes traffic to your NATing firewall on its "eth0" interface, right?). You may further want to limit that rule with "-d 192.168.190.0/24", depending on your exact needs.

The last rule is what you have already posted, which says to SNAT the traffic.
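As an added example (not the asker's or the answerer's own commands), here is the same forwarding-plus-SNAT setup written as a complete iptables-restore ruleset for the host described in the question. The interface names (eusb, efix), the 10.0.0.0/24 network and the SNAT address 192.168.190.132 come from the question; the default-DROP FORWARD policy, the interface-scoped NEW rule and the LOG rule are my additions so that only the target's outbound connections and their conntrack-tracked replies are forwarded, and anything else that is dropped shows up in the kernel log.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the "host" in the
# question. Names and addresses below are taken from the question; the
# default-DROP policy and logging are this example's own design choices.
LAN_IF="eusb"                # link to the target (host side is 10.0.0.1)
VPN_IF="efix"                # NIC carrying the Racoon IPsec tunnel
LAN_NET="10.0.0.0/24"        # target network behind the host
SNAT_IP="192.168.190.132"    # address of alias efix:0, what the server sees

# Emit a complete ruleset on stdout. FORWARD defaults to DROP so only two
# things are forwarded: new connections from the target heading out on the
# VPN NIC, and replies that conntrack already associates with a connection
# (conntrack matches replies before the reverse NAT is visible to FORWARD,
# which is why the stateful rule does not need any address at all).
build_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $VPN_IF -j SNAT --to-source $SNAT_IP
COMMIT
EOF
}

# Number of tables in the generated ruleset (each ends with COMMIT).
count_tables() {
  build_rules | grep -c '^COMMIT$'
}

# To apply on the host (run as root):
#   sysctl -w net.ipv4.ip_forward=1
#   build_rules > /tmp/fwd.rules
#   iptables-restore --test < /tmp/fwd.rules && iptables-restore < /tmp/fwd.rules
# Then watch the translation state while the target fetches a page:
#   conntrack -L | grep 192.168.190.132
# and dropped forwarded packets via:
#   dmesg | grep fwd-drop
if [ "${1:-}" = "print" ]; then
  build_rules
fi
```

The `--test` pass of iptables-restore parses and validates the file without touching the live tables, so a typo such as a missing chain name is caught before anything is loaded. The `conntrack -L` check shows whether the SYN from 10.0.0.2 produced an entry with the expected SNAT reply tuple, which is the quickest way to tell a NAT problem from an IPsec policy problem.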
