I want host 1 to use host 2 as the gateway to remote host 3.
I have searched for solutions online, but none of them seem to work for me. The VPN client software is ike (ShrewSoft VPN), which is the important piece here.
------ local network -------
host 1 - eth0 - 192.168.0.20 (hostname: fred)
host 2 - eth0 - 192.168.0.95 (hostname: toronto)
tap0 - 172.16.1.20 (VPN tunnel)
----- remote network -------
host 3 - eth0 - 10.1.28.200
[root(tip)@fred ~]# ip route; echo; ip addr;
10.1.28.200 via 192.168.0.95 dev eth0
172.16.0.0/24 via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20
169.254.0.0/16 dev eth0 scope link
default via 192.168.0.254 dev eth0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether e0:69:95:c3:32:5b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.20/24 brd 192.168.0.255 scope global eth0
inet6 fe80::e269:95ff:fec3:325b/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
[root(prod1)@toronto ~]# ip route
149.135.71.84 via 192.168.0.254 dev eth0 proto static
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.95
169.254.0.0/16 dev eth0 scope link metric 1002
default via 172.16.1.5 dev tap0 proto static
default via 192.168.0.254 dev eth0
[root(prod1)@toronto ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b7:c5:ce brd ff:ff:ff:ff:ff:ff
inet 192.168.0.95/24 brd 192.168.0.255 scope global eth0
inet6 fe80::20c:29ff:feb7:c5ce/64 scope link
valid_lft forever preferred_lft forever
8: tap0: <BROADCAST,UP,LOWER_UP> mtu 1380 qdisc pfifo_fast state UNKNOWN qlen 500
link/ether 62:6b:37:53:c2:fb brd ff:ff:ff:ff:ff:ff
inet 172.16.1.5/32 brd 172.16.1.5 scope global tap0
inet6 fe80::606b:37ff:fe53:c2fb/64 scope link
valid_lft forever preferred_lft forever
[root(prod1)@toronto ~]# iptables -vnL
Chain INPUT (policy ACCEPT 67983 packets, 14M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 2032 packets, 90240 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tap0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 52284 packets, 12M bytes)
pkts bytes target prot opt in out source destination
[root(prod1)@toronto ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1099 packets, 186K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 511 packets, 30765 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * tap0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 510 packets, 30705 bytes)
pkts bytes target prot opt in out source destination
[root(prod1)@toronto ~]#
Edit: I should also mention that I have already enabled packet forwarding in Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward
Update 2
I realized I had been typing the interface name wrong where it should have been tap0. I have made that change above. Now I can see that iptables -t nat -vnL shows the packets passing through, and tcpdump shows all the packets, but tcpdump does not show them coming back. I thought MASQUERADE would automatically do the SNAT/DNAT?