我有一个可以访问192.168.4.0/24局域网的 ipsec 隧道。它工作正常,我可以毫无问题地访问另一端的主机:
# from fw and lan hosts:
# ping 192.168.4.44
PING 192.168.4.44 (192.168.4.44) 56(84) bytes of data.
64 bytes from 192.168.4.44: icmp_req=1 ttl=127 time=4.41 ms
但是当我尝试将 Shorewall 上的端口从公共 IP 地址转发到隧道另一端的主机时,它不会路由流量:
# from wan side:
# telnet x.x.x.x 33901
telnet: Unable to connect to remote host: No route to host
tcpdump在防火墙上捕获执行 telnet (wan) 的 IP:
# tcpdump -n -i eth0.20 host 37.15.173.52
10:09:48.312840 IP [fw_public_ip] > 37.15.173.52: ICMP host [fw_public_ip] unreachable, length 68
为什么 shorewall 可以正确路由来自 fw 和 lan 端的流量,但不能路由来自 wan 的流量?
----shorewall配置 ----
相关routes条目:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
DNAT:info wan vpn:192.168.4.44:3389 tcp 33901 - [fw_public_ip]
相关zones条目:
#ZONE TYPE
wan ipv4
vpn ipv4
相关hosts条目:
#ZONE HOSTS OPTIONS
vpn eth0.20:192.168.4.0/24,[ipsec_host_ip] ipsec
相关tunnels条目:
#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec wan [ipsec_host_ip]
相关interfaces条目:
#ZONE INTERFACE BROADCAST OPTIONS
wan eth0.20 detect dhcp,routefilter
相关masq条目:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0.20 0.0.0.0/0 [fw_public_ip]