EDIT 2016-07-15

I have a question about an iptables POSTROUTING rule: the SNAT rule does not seem to change the source IP address. I want to set up the following system so that all traffic from LAN 2 is routed through a VPN tunnel. The system is configured with two routing tables.

System configuration

              +-----------------+
  LAN 2 ----> |eth1       eth0  +-----> LAN 1 ---> Gateway ---> Internet
              |           tun1  |
              +-------------|---+
                            `--------------- VPN tunnel ------>

iptables / routing configuration

  • iptables

    root@misio:~# iptables -n -L --line-numbers -v -t nat
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 1 packets, 122 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 1 packets, 122 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 SNAT       all  --  *      *       192.168.124.0/24     0.0.0.0/0            to:192.168.124.1
    
  • Routing (two routing tables)

    root@misio:~# ip route list
    default via 192.168.123.1 dev eth0 
    192.168.123.0/24 dev eth0  proto kernel  scope link  src 192.168.123.3 
    
    root@misio:~# ip route list table frankenjura
    default via 10.10.11.4 dev tun1 
    10.10.11.0/24 dev tun1  scope link 
    192.168.124.0/24 dev eth1  scope link 
    
    root@misio:~# ip rule
    0:      from all lookup local 
    32761:  from 192.168.124.0/24 lookup frankenjura 
    32762:  from all to 192.168.124.0/24 lookup frankenjura 
    32766:  from all lookup main 
    32767:  from all lookup default 
    

Investigation

  • Input (eth1) - the system is receiving packets from a host in LAN 2 (192.168.124.17):

    root@misio:~# tcpdump -n -i eth1 icmp and host 8.8.8.8
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes 
    12:39:25.134315 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1181, length 40
    12:39:30.142011 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1182, length 40
    
  • Output (tun1) - the packets are routed to the correct interface (tun1), but the source IP address is unchanged

    root@misio:~# tcpdump -n -i tun1 icmp and host 8.8.8.8 
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
    12:40:20.140953 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1192, length 40
    12:40:25.148605 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1193, length 40
    
  • ...but the packet/byte counters of the following rule do not increase!

    Chain POSTROUTING (policy ACCEPT 1 packets, 122 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 SNAT       all  --  *      *       192.168.124.0/24     0.0.0.0/0            to:192.168.124.1
    

iptables version: 1.4.21

Can you help?

EDIT 2016-07-15

I set up iptables logging in all chains and learned that the packets do not pass through the nat table at all!

The packets pass through:

  • raw (PREROUTING)
  • mangle (PREROUTING)
  • filter (FORWARD)
  • mangle (POSTROUTING)

    Jul 15 12:36:04 misio kernel: [ 7913.969872] raw-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
    Jul 15 12:36:04 misio kernel: [ 7913.969894] mangle-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
    Jul 15 12:36:04 misio kernel: [ 7913.969908] filter-FW IN=eth1 OUT=tun1 MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
    Jul 15 12:36:04 misio kernel: [ 7913.969914] mangle-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022

Best regards, Grzegorz
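The kernel log in the second edit is easiest to read when each packet's path through the hooks is reconstructed automatically. The Python script below is an added example, not part of the question and not an iptables tool; it assumes one LOG rule per table/chain whose prefix is named `<table>-<chain>` as in the log above (`nat-PRE` and `nat-POST` are assumed prefixes for LOG rules in the nat table, which the post does not show), ties the lines of one packet together by SRC, DST and the IP header ID that the LOG target prints, and reports which hooks were never reached. The netfilter behaviour it checks for is that the nat table is consulted only for the first packet of a connection (conntrack state NEW); later packets of the same flow, and packets conntrack classifies as INVALID, bypass the nat table, so a missing `nat-PRE`/`nat-POST` pair is a reason to inspect the conntrack table (`conntrack -L`) rather than the SNAT rule itself.

```python
"""Reconstruct a packet's path through iptables LOG hooks from kernel log lines.

Added example for diagnosis; not part of the original question or of iptables.
Assumes LOG rules whose --log-prefix is "<table>-<chain> " (raw-PRE, mangle-PRE,
nat-PRE, filter-FW, mangle-POST, nat-POST). nat-PRE and nat-POST are assumed
names; the question's log only shows the other four.
"""
import re
from collections import defaultdict

# Hooks a forwarded packet hits, in order, when every table has a LOG rule.
# The nat hooks are visited only by the first packet of a connection
# (conntrack NEW); later packets of the flow and INVALID packets skip them.
EXPECTED_FORWARD_PATH = [
    "raw-PRE", "mangle-PRE", "nat-PRE", "filter-FW", "mangle-POST", "nat-POST",
]

# The first "ID=" after DST= is the IP header ID; the later "ID=" in ICMP
# lines is the echo identifier, so the non-greedy match stops at the first.
LOG_RE = re.compile(
    r"kernel: \[\s*(?P<ts>[\d.]+)\] (?P<prefix>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*)"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*? ID=(?P<id>\d+) "
)

# Constructed sample: the four lines from the question (IP ID 7668, trailing
# whitespace removed) plus an assumed packet 7669 that traverses every hook.
SAMPLE_LOG = [
    "Jul 15 12:36:04 misio kernel: [ 7913.969872] raw-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022",
    "Jul 15 12:36:04 misio kernel: [ 7913.969894] mangle-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022",
    "Jul 15 12:36:04 misio kernel: [ 7913.969908] filter-FW IN=eth1 OUT=tun1 MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022",
    "Jul 15 12:36:04 misio kernel: [ 7913.969914] mangle-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022",
    # Assumed NEW packet: all six hooks fire (constructed, not from the post).
    "Jul 15 12:36:09 misio kernel: [ 7918.100001] raw-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023",
    "Jul 15 12:36:09 misio kernel: [ 7918.100002] mangle-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023",
    "Jul 15 12:36:09 misio kernel: [ 7918.100003] nat-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023",
    "Jul 15 12:36:09 misio kernel: [ 7918.100004] filter-FW IN=eth1 OUT=tun1 MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023",
    "Jul 15 12:36:09 misio kernel: [ 7918.100005] mangle-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023",
    "Jul 15 12:36:09 misio kernel: [ 7918.100006] nat-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023",
]


def parse_log_line(line):
    """Return a dict of the LOG fields we need, or None for non-LOG lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip_id"] = int(rec.pop("id"))
    rec["ts"] = float(rec["ts"])
    return rec


def trace_packets(lines):
    """Group LOG entries by (src, dst, ip_id); value is the ordered hook list."""
    paths = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        paths[(rec["src"], rec["dst"], rec["ip_id"])].append(rec["prefix"])
    return dict(paths)


def missing_hooks(path, expected=EXPECTED_FORWARD_PATH):
    """Hooks from the expected forward path that never logged this packet."""
    return [hook for hook in expected if hook not in path]


def diagnose(lines):
    """Per packet: the hooks it hit, the hooks it missed, and a verdict."""
    report = {}
    for key, path in trace_packets(lines).items():
        missed = missing_hooks(path)
        if "nat-PRE" in missed and "nat-POST" in missed:
            verdict = ("nat table skipped: not the first packet of a conntrack "
                       "entry, or conntrack state INVALID; inspect conntrack -L")
        elif missed:
            verdict = "missing hooks: " + ", ".join(missed)
        else:
            verdict = "full traversal (nat consulted)"
        report[key] = {"path": path, "missing": missed, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (src, dst, ip_id), info in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"{src} -> {dst} id={ip_id}: {' > '.join(info['path'])}")
        print(f"    {info['verdict']}")
```

Run it against `journalctl -k` or `/var/log/kern.log` output after adding the LOG rules; any packet whose verdict says the nat table was skipped will also leave the SNAT rule's counters at zero, exactly as the question's `iptables -t nat -L -v` listing shows.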
