I am using iptables to route HTTPS traffic from the Internet through HAProxy to an internal network. The iptables NAT rules are as follows:
iptables -i eth0 -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.7
iptables -i eth0 -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7
iptables -t nat -A POSTROUTING -j MASQUERADE
10.0.0.0/24 is the WireGuard VPN (the server's IP is 10.0.0.1, HAProxy's IP is 10.0.0.7).
I then want to see the original client IP logged in HAProxy, but I only see the VPN server's IP:
# tail -f /var/log/haproxy
Jul 14 18:27:02 localhost haproxy[13304]: 10.0.0.1:57539 [14/Jul/2021:18:27:02.199] fe-frontend-https~ fe-frontend-https/<NOSRV> -1/-1/-1/-1/0 503 99 - - SC-- 1/1/0/0/0 0/0 "GET /.env HTTP/1.1
How can I proxy the traffic transparently so that HAProxy can log the original external IP?
Thanks
Edit:
All iptables rules:
# iptables -L --line-numbers -v
Chain INPUT (policy ACCEPT 757M packets, 641G bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- virbr10 any anywhere anywhere udp dpt:domain
2 0 0 ACCEPT tcp -- virbr10 any anywhere anywhere tcp dpt:domain
3 83841 27M ACCEPT udp -- virbr10 any anywhere anywhere udp dpt:bootps
4 0 0 ACCEPT tcp -- virbr10 any anywhere anywhere tcp dpt:67
5 12 1008 ACCEPT icmp -- any any 10.0.0.0/8 anywhere icmp echo-request
6 0 0 ACCEPT icmp -- any any 10.0.0.0/8 anywhere icmp echo-reply
Chain FORWARD (policy ACCEPT 482M packets, 578G bytes)
num pkts bytes target prot opt in out source destination
1 589M 441G ACCEPT all -- any virbr10 anywhere 192.168.100.0/24 ctstate RELATED,ESTABLISHED
2 744M 637G ACCEPT all -- virbr10 any 192.168.100.0/24 anywhere
3 0 0 ACCEPT all -- virbr10 virbr10 anywhere anywhere
4 0 0 REJECT all -- any virbr10 anywhere anywhere reject-with icmp-port-unreachable
5 296 11864 REJECT all -- virbr10 any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 753M packets, 664G bytes)
num pkts bytes target prot opt in out source destination
1 83839 28M ACCEPT udp -- any virbr10 anywhere anywhere udp dpt:bootpc
# iptables -L -n -t nat -v
Chain PREROUTING (policy ACCEPT 31M packets, 1964M bytes)
pkts bytes target prot opt in out source destination
23743 1296K DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.0.7
3935 182K DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.7
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 9549 packets, 531K bytes)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 192.168.100.0/24 255.255.255.255
4660 280K MASQUERADE tcp -- * * 192.168.100.0/24 !192.168.100.0/24 masq ports: 1024-65535
7729 704K MASQUERADE udp -- * * 192.168.100.0/24 !192.168.100.0/24 masq ports: 1024-65535
2 168 MASQUERADE all -- * * 192.168.100.0/24 !192.168.100.0/24
0 0 RETURN all -- * * 192.168.100.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.100.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.100.0/24 !192.168.100.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.100.0/24 !192.168.100.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.100.0/24 !192.168.100.0/24
19M 1143M MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 20209 packets, 2137K bytes)
pkts bytes target prot opt in out source destination
(most of these are libvirt's default NAT rules)
Answer 1
The MASQUERADE rule you specified is too broad. You have told it to masquerade all traffic leaving this host via any interface, so all traffic gets NATed and its source address rewritten, even though that is unnecessary, and in this case undesirable.
(And for some reason that rule appears three times.)
Masquerading should only apply to traffic leaving the edge toward the Internet, so you should specify the outgoing interface (the one that has your global IP address) in the masquerade rule. For example:
iptables -t nat -o eth0 -A POSTROUTING -j MASQUERADE
The other incorrect masquerade rules should be deleted.
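The following shell script is an added example, not code from the question or the answer. It audits a nat-table POSTROUTING dump in the `iptables -t nat -S` format for MASQUERADE rules that are scoped to neither an egress interface (`-o`) nor a source range (`-s`), and it models what a client's source address looks like on a given egress interface under a rule set. The rule dumps, interface name `wg0` and the simplified matching model (a rule applies when it has no `-o` or its `-o` equals the interface, and carries no `-s` restriction) are constructed assumptions chosen to mirror the setup in the question.

```shell
#!/bin/sh
# Added example: audit POSTROUTING MASQUERADE rules for the over-broad pattern
# described in the answer. Not part of the original question or answer.
# Constructed sample dump resembling `iptables -t nat -S POSTROUTING` on the
# questioner's host: libvirt rules plus the bare MASQUERADE rule (three times).
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.100.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE'

# Constructed dump after applying the answer's fix: only the egress-scoped rule.
FIXED_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE'

# Count MASQUERADE rules restricted by neither -o nor -s. Such a rule rewrites
# the source of every forwarded flow, including the DNATed one heading to
# HAProxy over the VPN, which is why HAProxy only ever sees 10.0.0.1.
count_broad_masquerade() {
    printf '%s\n' "$1" | awk '
        /-j MASQUERADE/ && !/-o [^ ]+/ && !/-s [^ ]+/ { n++ }
        END { print n + 0 }
    '
}

# Simplified model (assumption): for a packet from an Internet client leaving
# via interface $1, a MASQUERADE rule in $2 applies if it has no -o, or its -o
# names that interface, and it has no -s restriction (an Internet client is not
# in the libvirt 192.168.100.0/24 range). Prints "rewritten" or "preserved".
source_fate_on() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /-j MASQUERADE/ && !/-s [^ ]+/ {
            if (match($0, /-o [^ ]+/)) {
                if (substr($0, RSTART + 3, RLENGTH - 3) == ifc) hit = 1
            } else {
                hit = 1
            }
        }
        END { print (hit ? "rewritten" : "preserved") }
    '
}

# Stand-alone run: show the audit result for both rule sets.
echo "Broad MASQUERADE rules in sample dump: $(count_broad_masquerade "$SAMPLE_RULES")"
echo "Broad MASQUERADE rules in fixed dump:  $(count_broad_masquerade "$FIXED_RULES")"
echo "Client source seen by HAProxy (wg0), sample rules: $(source_fate_on wg0 "$SAMPLE_RULES")"
echo "Client source seen by HAProxy (wg0), fixed rules:  $(source_fate_on wg0 "$FIXED_RULES")"
echo "Outbound traffic on eth0, fixed rules:             $(source_fate_on eth0 "$FIXED_RULES")"
```

Run against a live host by replacing the constructed `SAMPLE_RULES` with `$(iptables -t nat -S POSTROUTING)`; a count above zero means the DNATed connections to 10.0.0.7 will arrive with the VPN server's address as their source, exactly as in the HAProxy log line in the question, while the fixed set preserves the client address on `wg0` and still masquerades on `eth0`.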