I have an interface wg0, a WireGuard interface created by the WireGuard client running on machineA, which connects to a server. Everything works as expected.
I route traffic from wg0 to eth3 (the LAN interface on machineA) using netfilter (iptables/ip6tables). Machine B, connected to eth3, has connectivity, minus connections to certain websites, e.g. duckduckgo.com.
From machineA I can do the following:
> wget https://duckduckgo.com
--2020-11-17 17:24:30-- https://duckduckgo.com/
Resolving duckduckgo.com (duckduckgo.com)... 52.142.124.215
Connecting to duckduckgo.com (duckduckgo.com)|52.142.124.215|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5763 (5.6K) [text/html]
Saving to: ‘index.html’
But from machineB I get:
> wget https://duckduckgo.com
--2020-11-17 18:25:35-- https://duckduckgo.com/
Resolving duckduckgo.com (duckduckgo.com)... 52.142.124.215
Connecting to duckduckgo.com (duckduckgo.com)|52.142.124.215|:443... connected.
And nothing more. DNS does not seem to be the problem. The *filter policy in my netfilter rules has:
:OUTPUT ACCEPT [0:0]
so I don't think it is outbound traffic that is being blocked.
Another example is Jitsi. From machineA:
> wget https://meet.jit.si
--2020-11-17 17:39:49-- https://meet.jit.si/
Resolving meet.jit.si (meet.jit.si)... 2a05:d014:fc7:5402:5179:fc03:7ea9:eceb, 2a05:d014:fc7:5401:eb50:330e:f554:5477, 76.223.28.75, ...
Connecting to meet.jit.si (meet.jit.si)|2a05:d014:fc7:5402:5179:fc03:7ea9:eceb|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 50.43K --.-KB/s in 0.04s
2020-11-17 17:39:49 (1.19 MB/s) - ‘index.html’ saved [51639]
From machineB:
> wget https://meet.jit.si
--2020-11-17 18:40:07-- https://meet.jit.si/
Resolving meet.jit.si (meet.jit.si)... 13.248.156.98, 76.223.28.75, 2a05:d014:fc7:5401:eb50:330e:f554:5477, ...
Connecting to meet.jit.si (meet.jit.si)|13.248.156.98|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
index.html: Permission denied
Cannot write to ‘index.html’ (Success).
I don't understand why I should get 'Permission denied' on machineB.
I am not looking for a definitive answer here, just help identifying areas to research. Does anyone know what else I could look into?
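The four wget transcripts in the question stop at different points, and it helps to name those points before digging into netfilter. Below is an added example (not code from the question, from wget, or from WireGuard) that classifies a wget transcript by the last stage it reached: name lookup, TCP connect, HTTP status line, and output file. The four transcripts from the question are embedded as input; the fifth, a refused connection, is constructed here to show the connect-failure case that the question does not contain.

```python
import re

# Line wget prints once the server's HTTP status line has arrived.
HTTP_STATUS = re.compile(r"HTTP request sent, awaiting response\.\.\. (\d{3})")


def classify_wget(transcript):
    """Return (stage, detail): how far a wget run got before it stopped."""
    if re.search(r"^Resolving .*failed", transcript, re.M):
        return ("dns-failure", "name resolution failed")
    if "Resolving " not in transcript:
        return ("no-dns", "wget never started a lookup (bad URL or early exit)")
    if "connected." not in transcript:
        return ("connect-failure", "TCP handshake did not complete")
    m = HTTP_STATUS.search(transcript)
    if m is None:
        # The kernel reported the TCP three-way handshake as done, but
        # nothing usable came back afterwards (no TLS/HTTP response).
        return ("stalled-after-connect",
                "TCP connected, but no HTTP status line arrived")
    status = int(m.group(1))
    if "Cannot write to" in transcript or "Permission denied" in transcript:
        # wget had a response in hand and failed on the local output file.
        return ("local-write-error",
                "server answered %d; wget could not write its output file" % status)
    if status >= 400:
        return ("http-error", "server answered %d" % status)
    if "saved [" in transcript:
        return ("saved", "server answered %d; file written" % status)
    return ("response-received",
            "server answered %d; transcript ends before the transfer finished" % status)


def compare_hosts(transcripts):
    """Map each host label to its stage, for a side-by-side view."""
    return {label: classify_wget(text)[0] for label, text in transcripts.items()}


# Transcripts copied from the question above, used here as input.
MACHINE_A_DDG = """\
--2020-11-17 17:24:30-- https://duckduckgo.com/
Resolving duckduckgo.com (duckduckgo.com)... 52.142.124.215
Connecting to duckduckgo.com (duckduckgo.com)|52.142.124.215|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5763 (5.6K) [text/html]
Saving to: ‘index.html’
"""

MACHINE_B_DDG = """\
--2020-11-17 18:25:35-- https://duckduckgo.com/
Resolving duckduckgo.com (duckduckgo.com)... 52.142.124.215
Connecting to duckduckgo.com (duckduckgo.com)|52.142.124.215|:443... connected.
"""

MACHINE_A_JITSI = """\
--2020-11-17 17:39:49-- https://meet.jit.si/
Resolving meet.jit.si (meet.jit.si)... 2a05:d014:fc7:5402:5179:fc03:7ea9:eceb, 76.223.28.75, ...
Connecting to meet.jit.si (meet.jit.si)|2a05:d014:fc7:5402:5179:fc03:7ea9:eceb|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
2020-11-17 17:39:49 (1.19 MB/s) - ‘index.html’ saved [51639]
"""

MACHINE_B_JITSI = """\
--2020-11-17 18:40:07-- https://meet.jit.si/
Resolving meet.jit.si (meet.jit.si)... 13.248.156.98, 76.223.28.75, ...
Connecting to meet.jit.si (meet.jit.si)|13.248.156.98|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
index.html: Permission denied
Cannot write to ‘index.html’ (Success).
"""

# Constructed transcript (not from the question): a refused connection.
REFUSED = """\
--2020-11-17 18:50:00-- https://example.invalid/
Resolving example.invalid (example.invalid)... 192.0.2.10
Connecting to example.invalid (example.invalid)|192.0.2.10|:443... failed: Connection refused.
"""

if __name__ == "__main__":
    for label, text in [("A/ddg", MACHINE_A_DDG), ("B/ddg", MACHINE_B_DDG),
                        ("A/jitsi", MACHINE_A_JITSI), ("B/jitsi", MACHINE_B_JITSI),
                        ("refused", REFUSED)]:
        print(label, classify_wget(text))
```

Run on the question's transcripts, the two machineB failures land in different classes. The duckduckgo run is "stalled-after-connect": the TCP handshake finished, so neither DNS nor a reject on the SYN is involved, and whatever went wrong happened in the TLS/HTTP exchange that follows. The Jitsi run is "local-write-error": the 200 OK did arrive, and the 'Permission denied' is wget failing to create index.html in the current directory on machineB, which is a filesystem permission on that host rather than anything on the path through wg0.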