I am trying to redirect the network traffic of a specific user account (vpnnet) to an OpenVPN server. When the default route is pulled, the tunnel works fine, but I don't want to route all traffic through the VPN, only the processes running under the given UID. So I disabled the automatic pulling of the default route and came up with the following:
iptables -t mangle -A OUTPUT -m owner --uid-owner vpnnet -j MARK --set-mark 42
ip route add default via 10.1.1.1 table 42
ip rule add fwmark 42 table 42
iptables -t nat -A POSTROUTING -o tun0 -m mark --mark 42 -j SNAT --to-source 10.1.1.100
The local address is 10.1.1.100, 10.1.1.1 is the remote gateway.
ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.1.1.100 netmask 255.255.255.0 destination 10.1.1.100
inet6 ****::****::****::****::**** prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 128 bytes 10032 (9.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 108 bytes 8832 (8.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ip route show
default via 172.31.1.1 dev eth0 proto dhcp metric 100
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.100 metric 50
172.31.1.0/24 dev eth0 proto kernel scope link src 172.31.1.100 metric 100
172.31.1.1 dev eth0 proto static scope link metric 100
ip route show table 42
default via 10.1.1.1 dev tun0
When starting a shell as user vpnuser and pinging the Google DNS server 8.8.8.8, ping has 100% packet loss. TcpDump shows the requests going out and the replies coming in on the correct interface:
tcpdump -nn -vv -i tun0
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
20:33:28.938772 ip: (tos 0x0, ttl 64, id 7713, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.1.100 > 8.8.8.8: ICMP echo request, id 5078, seq 1, length 64
20:33:29.029533 ip: (tos 0x48, ttl 115, id 0, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 10.1.1.100: ICMP echo reply, id 5078, seq 1, length 64
20:33:29.938962 ip: (tos 0x0, ttl 64, id 7790, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.1.100 > 8.8.8.8: ICMP echo request, id 5078, seq 2, length 64
20:33:30.029685 ip: (tos 0x48, ttl 115, id 0, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 10.1.1.100: ICMP echo reply, id 5078, seq 2, length 64
20:33:30.938838 ip: (tos 0x0, ttl 64, id 8152, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.1.100 > 8.8.8.8: ICMP echo request, id 5078, seq 3, length 64
20:33:31.029179 ip: (tos 0x48, ttl 115, id 0, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 10.1.1.100: ICMP echo reply, id 5078, seq 3, length 64
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11001ms
The iptables log does not show any dropped packets.
The OS is CentOS 7.
I would be very grateful if someone could point me in the right direction.
Answer 1
To answer my own question and help anyone else who runs into this... Reverse path filtering kicked in and rp_filter dropped the packets, see the explanation. The solution is to set the rp_filter value to 2 for tun0.
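As an added check (example script, not from the original question or answer), the following reports the reverse-path filter mode the kernel will actually apply to an interface. The kernel uses the maximum of net.ipv4.conf.all.rp_filter and the per-interface value, which is why raising tun0 to 2 works even when "all" is left at 1, while lowering tun0 to 0 would not. The function and interface names are this example's own.

```shell
# Added example: effective rp_filter mode for an interface.
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter),
# so per-interface 2 (loose) overrides all=1 (strict), but per-interface 0 does not.

# Pure helper: effective value from the "all" and per-interface values.
effective_rp_filter() {
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Map an rp_filter value to its meaning.
rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Read the live values from /proc and say whether replies to policy-routed
# (fwmark) traffic arriving on this interface would fail the reverse-path check.
check_iface() {
    iface="$1"
    all_val=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    if_val=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter")
    eff=$(effective_rp_filter "$all_val" "$if_val")
    mode=$(rp_filter_mode "$eff")
    echo "$iface: all=$all_val iface=$if_val effective=$eff ($mode)"
    if [ "$mode" = "strict" ]; then
        # Incoming replies carry no fwmark, so the reverse lookup uses the main
        # table (default via eth0), not table 42, and the packet is dropped.
        echo "replies on $iface whose source routes back via another interface will be dropped"
        echo "fix: sysctl -w net.ipv4.conf.$iface.rp_filter=2"
    fi
}

# Run the live check only when an interface is named via RPF_IFACE (e.g. tun0).
if [ -n "${RPF_IFACE:-}" ]; then
    check_iface "$RPF_IFACE"
fi
```

To confirm that rp_filter is what drops the packets, enable `sysctl -w net.ipv4.conf.all.log_martians=1` and watch for "martian source" messages in the kernel log, or watch the `TcpExtIPReversePathFilter` counter in `nstat -az` increase while the ping runs.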