I hope someone smarter than me can help, because I am out of ideas... We want to create a router in OpenStack that will... route traffic from one network to another. Very simple. Here is what I have done so far. I have read a lot of posts and it does not feel like it should be this complicated, but I cannot get it to work.
LAN1 (172.150.88.xx) --> ROUTER ETH1 (172.150.88.2) || ETH0 (100.50.30.2) --> LAN2 (LOT OF OTHER NETWORKS)
I want a host in LAN1 (172.150.88.3) to reach a host in the 10.110.87.xx network, which is reachable from the 100.50.30.xx network (and therefore from ETH0 on the router). Note that on the 172.150.88.3 host a route for 10.110.87.xx pointing at 172.150.88.2 has already been created.
Here are my rules/settings on the router:
root@router ~ $ iptables --list -v --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 10899 packets, 1408K bytes)
num pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2773 packets, 530K bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3968 packets, 296K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 233 packets, 16695 bytes)
num pkts bytes target prot opt in out source destination
1 3750 280K MASQUERADE all -- any eth0 anywhere anywhere
and
root@router ~ $ iptables --list -v --line-numbers
Chain INPUT (policy ACCEPT 200K packets, 24M bytes)
num pkts bytes target prot opt in out source destination
1 84758 140M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 41 packets, 3444 bytes)
num pkts bytes target prot opt in out source destination
1 24271 2038K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 132 10992 ACCEPT all -- eth1 eth0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 28417 packets, 3123K bytes)
num pkts bytes target prot opt in out source destination
1 132K 88M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
and some system settings:
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
sysctl net.ipv4.ip_forward=1
Currently, this is the best result we have: if I try to telnet from 172.150.88.68 to a known open port on 10.110.87.yy, I can see the following:
root@router ~ $ tcpdump -nn -i eth1 host 10.110.87.152
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:11.399882 IP 172.150.88.68.40540 > 10.110.87.152.636: Flags [S], seq 3607855840, win 29200, options [mss 1460,sackOK,TS val 2274155265 ecr 0,nop,wscale 7], length 0
09:02:11.412705 IP 10.110.87.152.636 > 172.150.88.68.40540: Flags [S.], seq 299308172, ack 3607855841, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 48782380 ecr 2274155265], length 0
09:02:12.402613 IP 172.150.88.68.40540 > 10.110.87.152.636: Flags [S], seq 3607855840, win 29200, options [mss 1460,sackOK,TS val 2274156268 ecr 0,nop,wscale 7], length 0
and
root@router ~ $ tcpdump -nn -i eth0 host 10.110.87.152
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:20.415516 IP 10.110.87.152.636 > 100.50.30.2.40540: Flags [S.], seq 299308172, ack 3607855841, win 65535, options [mss 1460,nop,nop,sackOK], length 0
... I am not quite sure what tcpdump is telling me here... As far as I can tell, the traffic goes out from ETH1 to the destination, and the 10.110.87.152 host replies. But the host on 172.150.88.xx never receives the reply...
So if anyone can point out where I went wrong, I would be very grateful. Thanks!
Answer 1
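An added helper, not part of the question or the answer, for reading the two tcpdump runs above together: it matches the same SYN-ACK across eth0 and eth1 by its TCP seq/ack numbers, showing the router rewriting the destination back from 100.50.30.2 to 172.150.88.68, and flags a client that retransmits its SYN even though that SYN-ACK was already sent out eth1, which is the symptom described above. The sample lines are the question's own captures embedded as constructed input; the interface labels and the analyse() function are this example's assumptions, not anything configured on the router.

```python
import re
from collections import defaultdict, Counter

# Constructed sample input: the two tcpdump runs quoted in the question,
# keyed by the router interface each one was captured on.
CAPTURES = {
    "eth1": """\
09:02:11.399882 IP 172.150.88.68.40540 > 10.110.87.152.636: Flags [S], seq 3607855840, win 29200, options [mss 1460,sackOK,TS val 2274155265 ecr 0,nop,wscale 7], length 0
09:02:11.412705 IP 10.110.87.152.636 > 172.150.88.68.40540: Flags [S.], seq 299308172, ack 3607855841, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 48782380 ecr 2274155265], length 0
09:02:12.402613 IP 172.150.88.68.40540 > 10.110.87.152.636: Flags [S], seq 3607855840, win 29200, options [mss 1460,sackOK,TS val 2274156268 ecr 0,nop,wscale 7], length 0
""",
    "eth0": """\
09:02:20.415516 IP 10.110.87.152.636 > 100.50.30.2.40540: Flags [S.], seq 299308172, ack 3607855841, win 65535, options [mss 1460,nop,nop,sackOK], length 0
""",
}
# One "tcpdump -nn" TCP line: timestamp, src.port > dst.port, flags, seq[:end], optional ack
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?(?:, ack (?P<ack>\d+))?"
)

def parse(iface, text):
    # Return one dict per TCP summary line; non-matching lines (banners) are skipped.
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["iface"] = iface
            p["src"] += ":" + p.pop("sport")
            p["dst"] += ":" + p.pop("dport")
            pkts.append(p)
    return pkts

def analyse(captures):
    pkts = [p for iface, text in captures.items() for p in parse(iface, text)]
    synacks = [p for p in pkts if p["flags"] == "S."]
    syns = [p for p in pkts if p["flags"] == "S"]
    nat_reversed, synack_unacked = [], []
    # The same SYN-ACK seen on both sides of the router carries identical seq/ack
    # numbers; a differing destination is the NAT mapping being reversed.
    by_id = defaultdict(dict)
    for p in synacks:
        by_id[(p["seq"], p["ack"])][p["iface"]] = p
    for (seq, _), seen in by_id.items():
        if "eth0" in seen and "eth1" in seen and seen["eth0"]["dst"] != seen["eth1"]["dst"]:
            nat_reversed.append((seq, seen["eth0"]["dst"], seen["eth1"]["dst"]))
    # A client that resends the same SYN after its SYN-ACK left eth1 never saw the reply.
    for (client, seq), n in Counter((p["src"], p["seq"]) for p in syns).items():
        answered = any(p["iface"] == "eth1" and p["dst"] == client
                       and int(p["ack"] or 0) == int(seq) + 1 for p in synacks)
        if n > 1 and answered:
            synack_unacked.append((client, seq))
    return {"nat_reversed": nat_reversed, "synack_unacked": synack_unacked}
```

Run analyse(CAPTURES) to get both findings; a reply that is sent out eth1 but never acknowledged points at the path between the router's eth1 and the client, not at the NAT rules.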
The masquerading on my router can be done with iptables -t nat -A POSTROUTING -j MASQUERADE