How to forward traffic on various ports through a WireGuard VPN using iptables/ufw

I have two machines running Ubuntu 22.04, which I will call the server and the proxy. The proxy is a VPS with a static public IP, and the server runs behind NAT. I want to route all traffic arriving on certain ports of the proxy to the server.

Right now, both the proxy and the server are VirtualBox VMs on the same local network, because I am testing the deployment of my Ansible playbook on these VMs first, before actually deploying to the real production server and proxy VPS, which will not be on the same local network.

I have already set up a WireGuard VPN between the two, and they can ping each other. If I curl the server's VPN address from the proxy, I get the correct HTML response, and setting up nginx on the proxy (not the intended final solution, since I want to route other services that are not HTTP/HTTPS) lets me proxy_pass to the VPN IP and again get the correct HTML response.

But I cannot get forwarding to work with iptables/ufw. Here is my WireGuard configuration, which includes the iptables rules for the forwarding, applied when the interface comes up.

Proxy:

[Interface]
# Proxy with static ip
Address = 10.250.0.1/32
ListenPort = 23456
PrivateKey = {private key}
# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# port forwarding
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.250.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.250.0.2
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.250.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.250.0.2
[Peer]
# main_server behind nat
PublicKey = {pub key}
AllowedIPs = 10.250.0.2/32

Server:

[Interface]
Address = 10.250.0.2/32
ListenPort = 23456
PrivateKey = {priv key}

[Peer]
PublicKey = {pub key}
Endpoint = {proxy server ip}:23456
AllowedIPs = 10.250.0.0/16
PersistentKeepalive = 25

Running sudo iptables-save -c returns the following:

# Generated by iptables-save v1.8.7 on Wed Aug 24 17:01:57 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.250.0.2
[4:208] -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.250.0.2
COMMIT
# Completed on Wed Aug 24 17:01:57 2022

The [4:208] packet and byte counters increase every time I try to access the proxy from a web browser.

Output of ip -br link; ip -4 -br address; ip -4 route; ip -4 rule on the proxy:

#ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp0s3           UP             02:54:94:87:80:ef <BROADCAST,MULTICAST,UP,LOWER_UP>
enp0s8           UP             30:29:a0:55:d8:7a <BROADCAST,MULTICAST,UP,LOWER_UP>
wg0              UNKNOWN        <POINTOPOINT,NOARP,UP,LOWER_UP>
#ip -4 -br address
lo               UNKNOWN        127.0.0.1/8
enp0s3           UP             10.0.2.15/24 metric 100
enp0s8           UP             192.168.1.16/24
wg0              UNKNOWN        10.250.0.1/32
#ip -4 route
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.0.2.3 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.250.0.2 dev wg0 scope link
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.16
#ip -4 rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

And on the server:

#ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp0s3           UP             02:54:94:87:80:ef <BROADCAST,MULTICAST,UP,LOWER_UP>
enp0s8           UP             ea:f0:86:64:9e:3b <BROADCAST,MULTICAST,UP,LOWER_UP>
docker0          DOWN           02:42:d2:03:f2:d2 <NO-CARRIER,BROADCAST,MULTICAST,UP>
br-43f8704a8cf1  UP             02:42:69:c4:10:d4 <BROADCAST,MULTICAST,UP,LOWER_UP>
br-888a874e1802  UP             02:42:a5:d4:12:a8 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth482896b@if9  UP             72:fe:4a:76:e6:16 <BROADCAST,MULTICAST,UP,LOWER_UP>
vetha620638@if11 UP             7a:46:41:6a:c3:b4 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth6a64f9a@if15 UP             0e:07:7f:44:da:60 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth140bc79@if17 UP             16:4c:99:ee:ac:b0 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethd577326@if19 UP             de:f7:3f:a3:20:57 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethe90974c@if21 UP             de:66:ab:4a:86:06 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth25c1529@if23 UP             3e:a1:dd:52:00:6a <BROADCAST,MULTICAST,UP,LOWER_UP>
wg0              UNKNOWN        <POINTOPOINT,NOARP,UP,LOWER_UP>
vethb11654e@if26 UP             a6:7d:f2:d9:a3:0c <BROADCAST,MULTICAST,UP,LOWER_UP>
vethf77e636@if28 UP             fa:d8:ad:9b:83:22 <BROADCAST,MULTICAST,UP,LOWER_UP>
vethc24f3aa@if30 UP             2a:c6:ee:41:93:c2 <BROADCAST,MULTICAST,UP,LOWER_UP>
veth807726c@if34 UP             42:ea:b7:0f:bd:67 <BROADCAST,MULTICAST,UP,LOWER_UP>
#ip -4 -br address
lo               UNKNOWN        127.0.0.1/8
enp0s3           UP             10.0.2.15/24 metric 100
enp0s8           UP             192.168.1.15/24
docker0          DOWN           172.17.0.1/16
br-43f8704a8cf1  UP             10.0.0.1/16
br-888a874e1802  UP             10.1.0.1/16
wg0              UNKNOWN        10.250.0.2/32
#ip -4 route
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.0.0/16 dev br-43f8704a8cf1 proto kernel scope link src 10.0.0.1
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.0.2.3 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
10.1.0.0/16 dev br-888a874e1802 proto kernel scope link src 10.1.0.1
10.250.0.0/16 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.15
#ip -4 rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
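As an added example that is not part of the original post, the following POSIX sh script generates the complete iptables rule set a port forward of this kind needs on the proxy. It keeps the DNAT rule from the question and adds the two pieces that a DNAT alone does not give you: an accept in the filter FORWARD chain (ufw sets that chain's policy to DROP, so a DNATed packet is counted by the nat rule and then discarded), and a source NAT onto the proxy's tunnel address so that the server's replies come back through wg0 instead of going out over the server's own routes to the client's real address (in the lab, straight onto the shared 192.168.1.0/24, where the client discards a reply from an IP it never connected to). The script path /usr/local/sbin/wg-portfwd.sh, the public-interface default enp0s8 (the LAN NIC the browser reaches in the lab; on the real VPS it would be the public interface) and the tunnel addresses are assumptions taken from the question's layout.

```shell
#!/bin/sh
# wg-portfwd.sh  (added example, not from the original post)
#
# Generate, and when run as a script apply, the iptables rules that forward
# selected TCP ports arriving on the proxy's public interface to a WireGuard
# peer. Intended use from the [Interface] section of the proxy's wg0.conf:
#   PreUp    = /usr/local/sbin/wg-portfwd.sh add 80 443
#   PostDown = /usr/local/sbin/wg-portfwd.sh del 80 443
# The script path and the defaults below are assumptions; the addresses and
# interface names follow the lab layout in the question.

WAN_IF="${WAN_IF:-enp0s8}"         # interface clients reach the proxy on (assumed)
WG_IF="${WG_IF:-wg0}"              # tunnel interface
PEER="${PEER:-10.250.0.2}"         # server's tunnel address
WG_LOCAL="${WG_LOCAL:-10.250.0.1}" # proxy's tunnel address, used as SNAT source

# gen_rules add|del PORT...  prints one iptables command per line.
# "add" inserts at the top of the chain so ufw's own chains cannot shadow the
# rules; "del" removes exactly the same rules, so one function serves both
# PreUp and PostDown.
gen_rules() {
    case "$1" in
        add) flag=-I ;;
        del) flag=-D ;;
        *) echo "usage: gen_rules add|del PORT..." >&2; return 2 ;;
    esac
    shift
    for port in "$@"; do
        # 1. Rewrite the destination so routing sends the packet into the
        #    tunnel. Matching -i on the public interface keeps the rule from
        #    also redirecting traffic the proxy receives on wg0 or elsewhere.
        echo "iptables -t nat $flag PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $PEER"
        # 2. DNAT only rewrites the address; the filter FORWARD chain must
        #    still accept the packet in both directions. ufw sets the FORWARD
        #    policy to DROP, so without these rules the packet is counted by
        #    the nat rule and then discarded.
        echo "iptables $flag FORWARD -i $WAN_IF -o $WG_IF -p tcp -d $PEER --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables $flag FORWARD -i $WG_IF -o $WAN_IF -p tcp -s $PEER --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # 3. Rewrite the source to the proxy's tunnel address so the server
        #    answers back through wg0. Without this the server replies to the
        #    client's real address over its own routes, and the client drops a
        #    reply that comes from an address it never connected to.
        echo "iptables -t nat $flag POSTROUTING -o $WG_IF -p tcp -d $PEER --dport $port -j SNAT --to-source $WG_LOCAL"
    done
}

# rule_count PORT...  number of rules gen_rules emits for these ports (4 each).
rule_count() { gen_rules add "$@" | wc -l | tr -d ' '; }

# apply_rules add|del PORT...  runs each generated command, echoing it first.
# A here-document instead of a pipe keeps the loop in the current shell so
# "return" works on the first failing iptables call.
apply_rules() {
    rules=$(gen_rules "$@") || return $?
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd || return 1
    done <<EOF
$rules
EOF
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    if [ "$1" = add ]; then
        sysctl -q -w net.ipv4.ip_forward=1   # allow routing between interfaces
    fi
    apply_rules "$@"
fi
```

Two trade-offs to keep in mind. The SNAT step means the server sees every forwarded connection as coming from 10.250.0.1; if it needs the real client addresses, the alternative is to leave the source alone and add policy routing on the server so that replies to connections that arrived over wg0 also leave over wg0. And because ufw flushes the built-in chains on ufw reload, rules added from PreUp disappear at that point; on a ufw-managed host the same lines can instead be placed in /etc/ufw/before.rules. iptables accepts -o wg0 before the interface exists, so loading the rules from PreUp, as the question does, is fine.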
