调试我的 NAT 设置

tag-icon tag-icon linux iptables masquerade
调试我的 NAT 设置

我正在尝试使用 Raspberry Pi3 将传入的流量转发到wlan0更远的上游eth0,但由于某些我无法理解的原因,它失败了。希望其他人可以发现问题。

Pi3状态:

# Interfaces
samveen@pi3:~$ ip -o -4 a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: wlan0    inet 192.168.0.124/24 brd 192.168.0.255 scope global dynamic wlan0\       valid_lft 166572sec preferred_lft 166572sec

# Routes
samveen@pi3:~$ ip r
default via 10.0.0.5 dev eth0 proto static 
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.124 
192.168.0.1 dev wlan0 proto dhcp scope link src 192.168.0.124 metric 600 

# iptables rules
samveen@pi3:~$ cat routing.sh 
#!/bin/bash -x
# Setup forwarding (with NAT) from wlan0 towards eth0
# https://raspberrypi.stackexchange.com/a/50073/124471
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT  

# Internet test
samveen@pi3:~$ curl --silent -I network-test.debian.org |egrep  '^H|X-Cl'
HTTP/1.1 200 OK
X-Clacks-Overhead: GNU Terry Pratchett

# add iptables tracing
samveen@pi3:~$ sudo iptables -t raw -A PREROUTING -p tcp --source 192.168.0.0/24 --dport 80 -j TRACE
samveen@pi3:~$ sudo iptables -t raw -A OUTPUT -p tcp --source 192.168.0.0/24 --dport 80 -j TRACE

为了检查出了什么问题,我wget -4 -O - http://google.com在下游主机(192.168.0.1)上运行以尝试跟踪数据包。

  • tcpdump问题主机上的传入数据包(未被转发):
# tcpdump of incoming packets
samveen@pi3:~$ sudo tcpdump -nvvvi wlan0 tcp and src host 192.168.0.1 and dst port 80
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:12.492367 IP (tos 0x0, ttl 64, id 49906, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x86c5 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182572917 ecr 0,nop,wscale 6], length 0
15:44:13.536363 IP (tos 0x0, ttl 64, id 49907, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x82b7 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182573955 ecr 0,nop,wscale 6], length 0
15:44:15.615949 IP (tos 0x0, ttl 64, id 49908, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x7a97 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182576035 ecr 0,nop,wscale 6], length 0
15:44:19.697021 IP (tos 0x0, ttl 64, id 49909, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x6aa7 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182580115 ecr 0,nop,wscale 6], length 0
15:44:27.935601 IP (tos 0x0, ttl 64, id 49910, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x4a77 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182588355 ecr 0,nop,wscale 6], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
  • 同时,tcpdump问题主机的输出接口没有给我任何数据包(我希望在这里看到传出的数据包)
samveen@pi3:~$ sudo tcpdump -nvvvi eth0 tcp and  dst port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
  • 来自 dmesg 的跟踪日志:
[468794.617195] device eth0 entered promiscuous mode
[468798.441177] device wlan0 entered promiscuous mode
[468890.193285] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA1750000000001030306) 
[468890.193395] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA1750000000001030306) 
[468891.237300] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49907 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA5830000000001030306) 
[468891.237413] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49907 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA5830000000001030306) 
[468893.316857] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49908 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CADA30000000001030306) 
[468893.316958] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49908 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CADA30000000001030306) 
[468897.397941] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49909 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CBD930000000001030306) 
[468897.398056] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49909 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CBD930000000001030306) 
[468905.636557] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49910 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CDDC30000000001030306) 
[468905.636659] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49910 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CDDC30000000001030306) 
[468939.580532] device eth0 left promiscuous mode
[468941.338008] device wlan0 left promiscuous mode

在跟踪中,我期望看到一些带有 和 的日志行,FORWARDOUT=eth0我什么也没看到。我在这里做错了什么?

答案1

问题是我没有启用IPv4 Forwarding内核的配置:

samveen@pi3:~$ cat  /etc/sysctl.d/51-ipv4-forwarding.conf 
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
samveen@pi3:~$ sudo sysctl -p /etc/sysctl.d/51-ipv4-forwarding.conf 
net.ipv4.ip_forward = 1

这样,上面的一切都按预期进行。

相关内容