iptables fwmark not working, traffic is always routed from the default table

mangle table:

Chain OUTPUT (policy ACCEPT 9427K packets, 26G bytes)
 pkts bytes target     prot opt in     out     source               destination          
  19M   48G CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff00000
 7717  435K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00000 statistic mode random probability 0.50000000000 MARK xset 0x8100000/0xff00000
 7609  428K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00000 MARK xset 0x8000000/0xff00000          
  19M   48G MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0xa0000000/0xf0000000
  19M   48G CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff00000

nat table:

Chain POSTROUTING (policy ACCEPT 1552 packets, 85467 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   104 MASQUERADE  all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
    4   208 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0       
461K   26M MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0              ADDRTYPE match src-type LOCAL

ip rule:

0:  from all lookup local 
100:    from 192.168.0.0/24 lookup 9999 
198:    from ip1 lookup 10001 
199:    from ip2 lookup 10000 
200:    from all fwmark 0x8000000/0xff00000 lookup 10000 
200:    from all fwmark 0x8100000/0xff00000 lookup 10001 
32766:  from all lookup main 
32767:  from all lookup default

ip r:

default dev ppp1 scope link 
default dev ppp0 scope link 
default via 192.168.0.1 dev eth0 
x.x.x.0/25 dev ppp0 proto kernel scope link src ip1 
x.x.x.0/25 dev ppp1 proto kernel scope link src ip2 
169.254.0.0/16 dev eth0 scope link metric 1002 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.107

ip r show table 10000:

default via x.x.x.1 dev ppp0

ip route get ip3:

ip3 dev ppp1 src x.x.x.x uid 0 
    cache

cat /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_forward = 1

It always routes from the default routing table instead of ppp0, ppp1, ppp0, ppp1. Any ideas?

Answer 1

You should start by making sure your routing tables actually work:

ip rule add to 1.1.1.1 table 10000
ping -c 3 1.1.1.1
ip rule del to 1.1.1.1 table 10000
ip rule add to 1.1.1.1 table 10001
ping -c 3 1.1.1.1
ip rule del to 1.1.1.1 table 10001

If they don't, you may need to add x.x.x.0/25 dev ppp0 proto kernel scope link src ip1 to table 10000 and x.x.x.0/25 dev ppp1 proto kernel scope link src ip2 to table 10002.

If they do, you can check whether your rules are being matched:

ip route get 223.5.5.5 mark 0x8000000
ip route get 223.5.5.5 mark 0x8100000

If they aren't, you may need to change the rules until they match the mark.

If they are, then the marking you do in netfilter is probably wrong, and you have to adjust it until you get the mark you want.
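As an added example (not part of the question or the answer), a small Python checker that does the last two checks offline: it parses the mangle OUTPUT chain and the ip rule listing as shown in the question, simulates how each MARK xset rewrites the packet mark (including the later unconditional xset 0xa0000000/0xf0000000, which must not clobber the 0xff00000 routing bits), and reports which table each path's final mark resolves to. The sample listings are copied from the question; the simulation is my own and treats each mark-match-guarded xset as one candidate path.

```python
import re

# Constructed sample input: the MARK rows of the mangle OUTPUT chain and the
# fwmark rules of `ip rule`, both copied from the listings in the question.
MANGLE_OUTPUT = """\
 7717  435K MARK  all  --  *  *  0.0.0.0/0  0.0.0.0/0  mark match 0x0/0xff00000 statistic mode random probability 0.50000000000 MARK xset 0x8100000/0xff00000
 7609  428K MARK  all  --  *  *  0.0.0.0/0  0.0.0.0/0  mark match 0x0/0xff00000 MARK xset 0x8000000/0xff00000
  19M   48G MARK  all  --  *  *  0.0.0.0/0  0.0.0.0/0  MARK xset 0xa0000000/0xf0000000
"""
IP_RULES = """\
200:    from all fwmark 0x8000000/0xff00000 lookup 10000
200:    from all fwmark 0x8100000/0xff00000 lookup 10001
32766:  from all lookup main
"""
XSET_RE = re.compile(r"^(.*?)MARK xset (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", re.M)
RULE_RE = re.compile(r"fwmark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+) lookup (\w+)")

def parse_xsets(listing):
    """(value, mask, conditional) per MARK xset rule, in chain order; conditional
    means the rule only fires behind a 'mark match' test (a path-selecting rule)."""
    return [(int(v, 16), int(m, 16), "mark match" in pre)
            for pre, v, m in XSET_RE.findall(listing)]

def parse_fwmark_rules(rules):
    """(value, mask, table) per fwmark-based ip rule, in priority order."""
    return [(int(v, 16), int(m, 16), t) for v, m, t in RULE_RE.findall(rules)]

def xset(mark, value, mask):
    """MARK --set-xmark value/mask: clear the mask bits, then XOR in value."""
    return (mark & ~mask) ^ value

def table_for(mark, rules):
    """Table chosen by the first fwmark rule whose masked compare matches, else main."""
    for value, mask, table in rules:
        if (mark & mask) == value:
            return table
    return "main"

def routing_tables(listing, rules):
    """Take each path-selecting xset, apply every later unconditional xset in the
    chain, and report the table the final mark hits ('main' = routing bits lost)."""
    xsets, fw = parse_xsets(listing), parse_fwmark_rules(rules)
    result = {}
    for i, (value, mask, conditional) in enumerate(xsets):
        if conditional:
            mark = xset(0, value, mask)
            for v, m, cond in xsets[i + 1:]:
                if not cond:
                    mark = xset(mark, v, m)
            result[hex(value)] = table_for(mark, fw)
    return result
```

Feeding your own `iptables -t mangle -L OUTPUT -v -n` and `ip rule` output to routing_tables() tells you, before touching the live host, whether each marked path still lands in its intended table; table_for() alone tells you which table a given `ip route get ... mark` value would exercise.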
