我有两台 Linux 服务器。我想使用 GRE 隧道将所有互联网流量从 ClientBox 通过隧道路由到 GatewayBox,这样,对于互联网的其余部分,我的 ClientBox 看起来就是 GatewayBox,这样我就可以使用 GatewayBox 的外部 IP 来进行所有 ClientBox 的互联网使用。我在它们之间建立了一个 GRE 隧道(代理无法满足我的特定需求)。
我的 GRE 隧道正常工作!我可以 ping 两端。
现在我需要配置 GatewayBox,以便将这些传入连接从 ClientBox 路由到互联网并返回到 ClientBox。因此我运行了以下脚本:
#! /bin/bash
IPTABLES=/sbin/iptables
WANIF='ens3' # servers from this company use ens3 instead of eth0, it seems
LANIF='gre1' # both boxes have the gre tunnel set up as gre1
# enable ip forwarding in the kernel
echo 'Enabling Kernel IP forwarding...'
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
echo 'Flushing rules and deleting existing chains...'
$IPTABLES -F
$IPTABLES -X
# enable masquerading to allow LAN internet access
echo 'Enabling IP Masquerading and other rules...'
$IPTABLES -t nat -A POSTROUTING -o $LANIF -j MASQUERADE
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -j ACCEPT
echo 'Done.'
然后在 ClientBox 上执行:
$ curl whatismyip.com --interface gre1
我可以看到 GatewayBox 上的 FORWARD 数据包和 POSTROUTING 数据包数量不断增加。但 ClientBox 上的 curl 从未收到响应并最终超时。
因此,要么是流量没有在两个盒子之间成功路由回来,要么是流量根本无法到达互联网。为了查看是哪种情况,我设置了一个示例测试服务器和一个 PHP 文件,如果获得任何命中/流量,该文件就会写入文件。当我从 ClientBox 尝试 curl 命令时,它不会写入任何内容。但当我从笔记本电脑上测试它时,它会确认命中/流量。
因此流量永远无法进入互联网。
以下是 GatewayBox 的配置:(向下滚动)
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:2f:e2:ce brd ff:ff:ff:ff:ff:ff
inet 95.179.179.240/23 brd 95.179.179.255 scope global dynamic ens3
valid_lft 79871sec preferred_lft 79871sec
inet6 fe80::5400:2ff:fe2f:e2ce/64 scope link
valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre 95.179.179.240 peer 155.138.239.111
inet 10.10.10.2/24 scope global gre1
valid_lft forever preferred_lft forever
inet6 fe80::200:5efe:5fb3:b3f0/64 scope link
valid_lft forever preferred_lft forever
# ip route show
default via 95.179.178.1 dev ens3 proto dhcp metric 100
10.10.10.0/24 dev gre1 proto kernel scope link src 10.10.10.2
95.179.178.0/23 dev ens3 proto kernel scope link src 95.179.179.240
155.138.239.111 dev ens3 scope link
169.254.169.254 via 95.179.178.1 dev ens3 proto dhcp metric 100
# curl ipinfo.io --interface ens3
{
"ip": "95.179.179.240",
"hostname": "95.179.179.240.vultr.com",
"city": "Haarlem",
"region": "North Holland",
"country": "NL",
"loc": "52.3902,4.6568",
"org": "AS20473 Choopa, LLC",
"postal": "2031",
"timezone": "Europe/Amsterdam",
"readme": "https://ipinfo.io/missingauth"
}
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
知道如何让它工作吗?