nftables - How do I route a specific website through a specific interface?

I built my own Debian 10 router for my home, mainly so that it can be an always-on VPN router using openvpn, while also acting as the DHCP server and encrypting DNS with dnscrypt-proxy. Everything worked well for a while, until I got an amazon prime subscription, which detects the vpn and blocks me. The only way to get amazon prime working is to turn the vpn off, which I do not want to do.

Is there a way to use the nftables firewall to route traffic to amazon prime (primevideo.com or 13.32.45.99) bypassing the VPN? Currently I only allow outbound traffic from the LAN to leave through the vpn, but there must be a way to also allow traffic to and from this one site through the WAN interface.

The VPN uses openvpn and is called tun0.

Internet access from the LAN goes through the WAN1 interface (unless the VPN is up, in which case it is routed through tun0).

Here is the nftables script used when the VPN is up:

#!/bin/sh
nft flush ruleset
nft add table nat

nft add chain nat prerouting { type nat hook prerouting priority 0\; policy accept\;}
nft add rule nat prerouting udp dport 53 ip saddr 192.168.1.0/24 dnat 192.168.1.1:53

nft add chain nat postrouting { type nat hook postrouting priority 100\; policy accept\;}
nft add rule nat postrouting oifname tun0 masquerade

nft add table filter

nft add chain filter input { type filter hook input priority 0\; policy drop\;}
nft add rule filter input iif lo accept
nft add rule filter input tcp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter input udp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter input icmp type echo-request accept
nft add rule filter input icmp type time-exceeded accept
nft add rule filter input ct state related,established accept

nft add chain filter output { type filter hook output priority 0\; policy drop\;}
nft add rule filter output oif lo accept
nft add rule filter output tcp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter output udp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter output icmp type echo-request accept
nft add rule filter output icmp type time-exceeded accept
nft add rule filter output ct state new,related,established accept

nft add chain filter forward { type filter hook forward priority 0\; policy accept\;}
nft add rule filter forward ct state related,established accept

This is the NFT ruleset:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        udp dport domain ip saddr 192.168.1.0/24 dnat to 192.168.1.1:domain
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "tun0" masquerade
    }
}
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        tcp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        udp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        icmp type echo-request accept
        icmp type time-exceeded accept
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        tcp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        udp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        icmp type echo-request accept
        icmp type time-exceeded accept
        ct state established,related,new accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
    }
}

The router is Debian Buster. The NFT version is nftables v0.9.0 (Fearless Fosdick).

Any help would be greatly appreciated. Thanks
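One way to get this with nftables plus policy routing, as an added example that is not part of the original question: mark LAN packets to the bypass addresses, save the mark in conntrack so the whole flow stays consistent, and let an ip rule send marked packets out WAN1 instead of tun0. The interface name WAN1 is taken from the question; the gateway placeholder, mark value 0x1, routing table 100 and the table name bypass are assumptions.

```nft
# Added example, not from the original post. Assumes: LAN is 192.168.1.0/24
# behind this router, the VPN is tun0, the WAN interface is WAN1 and its
# gateway is the placeholder <WAN1-GATEWAY>; mark 0x1 and routing table 100
# are arbitrary choices. Load with: nft -f this-file
#
# The mark does nothing by itself. The kernel also needs a second routing
# table that sends marked packets out WAN1 (run once, outside nft):
#   ip route add default via <WAN1-GATEWAY> dev WAN1 table 100
#   ip rule add fwmark 0x1 lookup 100
#   sysctl -w net.ipv4.conf.WAN1.rp_filter=2   # loose RPF: replies arrive on WAN1

table ip bypass {
    # Destinations that must not go through the VPN. nft resolves a host name
    # only once, at load time, and a CDN name such as primevideo.com may later
    # resolve to other addresses, so listing observed addresses is more reliable.
    set novpn {
        type ipv4_addr
        flags interval
        elements = { 13.32.45.99 }
    }

    chain mark {
        # mangle priority: runs before the routing decision for forwarded traffic
        type filter hook prerouting priority -150; policy accept;
        # Later packets of a flow already marked in conntrack inherit the mark.
        ct mark != 0 meta mark set ct mark
        # New LAN flows to a bypass destination get the mark; save it in conntrack.
        ip saddr 192.168.1.0/24 ip daddr @novpn ct mark == 0 meta mark set 0x1 ct mark set meta mark
    }

    chain postrouting {
        # The existing nat table only masquerades tun0; bypass flows leaving WAN1
        # need their own masquerade or LAN addresses leak to the ISP.
        type nat hook postrouting priority 100; policy accept;
        oifname "WAN1" ip saddr 192.168.1.0/24 masquerade
    }
}
```

Because the existing script starts with nft flush ruleset, this file has to be loaded after that script runs, and the forward chain's accept policy means no further filter rule is needed for the bypass flows.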
