为什么 iptables 从一个网络转发而不是另一个网络转发?

tag-icon tag-icon iptables openvpn
为什么 iptables 从一个网络转发而不是另一个网络转发?

我有 LAN(10.20.1.0/24)和 WLAN(172.16.20.0/24)流量通过Debian 9 系统上的ens32OpenVPN 到达并发往 10.21.0.1 。是从 LAN 转发,而不是从 WLAN 转发。tun0iptables

使用中的 TRACE 规则iptables,我通过 LAN 获得以下信息:

May 14 15:03:07 vpnsrv kernel: [2357925.893248] TRACE: raw:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893288] TRACE: nat:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893317] TRACE: filter:FORWARD:rule:1 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893347] TRACE: filter:ufw-before-logging-forward:return:1 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893365] TRACE: filter:FORWARD:rule:2 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893388] TRACE: filter:ufw-before-forward:rule:8 IN=ens32 OUT=tun0 MAC=... SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000) 
May 14 15:03:07 vpnsrv kernel: [2357925.893404] TRACE: nat:POSTROUTING:policy:3 IN= OUT=tun0 SRC=10.20.1.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=57269 DPT=22 SEQ=3284245311 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E55489B0000000004020000)

但只有第一部分通过 WLAN 传输:

May 14 15:08:44 vpnsrv kernel: [2358263.328390] TRACE: raw:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=172.16.20.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57342 DPT=22 SEQ=3290971808 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E5A69C30000000004020000)
May 14 15:08:44 vpnsrv kernel: [2358263.328430] TRACE: nat:PREROUTING:policy:2 IN=ens32 OUT= MAC=... SRC=172.16.20.12 DST=10.21.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57342 DPT=22 SEQ=3290971808 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303050101080A0E5A69C30000000004020000)

相关过滤规则为:

-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -i ens32 -o tun0 -j ACCEPT

为什么来自 WLAN 的流量无法转发?

答案1

您是否使用策略路由?如果是,显示规则和路由表可能与此相关。此外,请显示 172.16.20.0/24 网络的路由表条目,因为如果设置不正确,您可能会遇到 rp_filter

相关内容