我正在尝试将我的网络连接到 IPSec VPN,为此我的连接需要来自给定的域。网络如下:
Internal network eth1:10.0.0.1/14 eth0:1.2.3.4
----------------------------------- MY GW -----------------+
|
|
192.168.178.4 4.5.6.7 |
SERVER ------------------- VPN GW -----------------+
我需要让 VPN 网络看到我来自 172.30.224.0/28,因此在我的网关上我添加了以下 iptables 规则:
iptables -t nat -A POSTROUTING -d 192.168.178.4 -j SNAT --to-source 172.30.224.1
然后,从我的内部网络,当我 ping 192.168.178.4 时,我会在 eth1 上收到请求,在 eth0 上收到响应:
# tcpdump -n -i eth1 host 192.168.178.4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:49:49.854809 IP 10.2.1.172 > 192.168.178.4: ICMP echo request, id 3472, seq 1, length 64
15:49:52.170758 IP 10.2.1.172 > 192.168.178.4: ICMP echo request, id 3479, seq 1, length 64
15:49:53.178692 IP 10.2.1.172 > 192.168.178.4: ICMP echo request, id 3479, seq 2, length 64
# tcpdump -n -i eth0 host 192.168.178.4
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:50:36.492856 IP 192.168.178.4 > 172.30.224.1: ICMP echo reply, id 3494, seq 1, length 64
15:50:37.465803 IP 192.168.178.4 > 172.30.224.1: ICMP echo reply, id 3494, seq 2, length 64
问题是我的回应从未传回我的主机(10.2.1.172在这种情况下)。
网关还配置为对内部网络到互联网进行 SNAT。
我肯定错过了什么,但我被困住了。任何帮助都将不胜感激。