Decrypted ipsec packets are not received by tproxy

My CentOS 6 machine has the ip address 192.168.56.10 (eth0). I have installed strongswan and a tproxy such as v2ray, with iptables:

iptables:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SECGW_IN - [0:0]
-A PREROUTING -j SECGW_IN
-A SECGW_IN -d 127.0.0.1/32 -j RETURN
-A SECGW_IN -d 224.0.0.0/4 -j RETURN
-A SECGW_IN -d 255.255.255.255/32 -j RETURN
-A SECGW_IN -d 192.168.0.0/16 -j RETURN
-A SECGW_IN -d 172.16.0.0/12 -j RETURN
-A SECGW_IN -d 10.0.0.0/8 -j RETURN
-A SECGW_IN -j LOG
-A SECGW_IN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
-A SECGW_IN -p tcp -j TPROXY --on-port 44380 --tproxy-mark 1
-A SECGW_IN -p udp -j TPROXY --on-port 44380 --tproxy-mark 1
-A SECGW_IN -j DROP
COMMIT

Routing table:

[root@proxy logs]# ip rule
0:  from all lookup local
200:    from all fwmark 0x1 lookup 200
201:    from all iif lo lookup 201
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
[root@proxy logs]# ip route show table 200
local default dev lo  scope host
[root@proxy logs]#

v2ray as the tproxy server, config file:

[root@proxy logs]# cat /etc/v2ray/config.json
{
  "log": {
    "loglevel": "debug",
    "access": "/tmp/access.log",
    "error": "/tmp/error.log"
  },
  "inbounds": [
    {
      "tag":"transparent",
      "port": 44380,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    }
  ],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blocked"
      }
    ]
  }
}

ipsec configuration file:

config setup
        cachecrls=yes
        uniqueids=never
        charondebug = "all"

conn %default
        ikelifetime=86400s
        keylife=86400s
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        left=192.168.56.10
        leftid=192.168.56.10
        rightid=192.168.66.10
        right=192.168.66.10
        auto=start
        type=tunnel
        leftauth=secret
        rightauth=secret
        ike=aes256-md5-modp1024
        esp=aes256-md5


conn lan2public
    leftsubnet=0.0.0.0/0
    rightsubnet=192.168.66.0/24
    type=tunnel

The ipsec tunnel is installed successfully:

[root@proxy logs]# strongswan status
Security Associations (1 up, 0 connecting):
  lan2public[1]: ESTABLISHED 64 minutes ago, 192.168.56.10[192.168.56.10]...192.168.66.10[192.168.66.10]
  lan2public{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 33c16d9f_i 5c3b6118_o
  lan2public{1}:   0.0.0.0/0 === 192.168.66.0/24

When I run curl 8.8.8.8 from another machine (ip: 192.168.56.25, gw: 192.168.56.10) through 192.168.56.10, v2ray receives the packets (there is some output in v2ray's log), which is correct. I can see the log from iptables in /var/log/message:

May 26 09:06:45 proxy kernel: IN=eth0 OUT= MAC=08:00:27:0b:e3:62:08:00:27:10:ce:7b:08:00 SRC=192.168.56.25 DST=8.8.8.8 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18010 DF PROTO=TCP SPT=59163 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0

When I use another machine (ip: 192.168.66.25, gw: 192.168.66.10), that machine reaches 192.168.56.10 over ipsec. On 192.168.56.10, after ipsec decryption the packet is written to the ipsec0 interface and then enters PREROUTING, and I can see it in the iptables log:

May 26 10:51:52 proxy kernel: IN=ipsec0 OUT= MAC= SRC=192.168.66.25 DST=8.8.8.8 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24898 DF PROTO=TCP SPT=51379 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

The difference is that there is no MAC address. I cannot see anything in v2ray's log. Maybe the v2ray socket did not return a syn_ack?

Can anyone explain this? I would really appreciate some help. What am I doing wrong? Thanks a lot.
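As an added example (not part of the question above and not strongSwan or v2ray code), here is a small Python parser for the kernel LOG target's output format, fed with the two log lines quoted in the question. Comparing the parsed entries side by side is a quick way to see every field that differs between the eth0 path and the ipsec0 path when debugging a TPROXY setup, not only the empty MAC= field: an empty MAC= is what the LOG target prints for a packet that arrived without a link-layer header (a TUN-type interface, for example), and the TCP flags show that the eth0 line is an ACK RST while the ipsec0 line is the initial SYN. The function names (parse_log_line, describe, diff_entries) are my own.

```python
import re

# The two kernel LOG lines from the question (eth0 path and ipsec0 path).
SAMPLE_LOG_LINES = [
    "May 26 09:06:45 proxy kernel: IN=eth0 OUT= MAC=08:00:27:0b:e3:62:08:00:27:10:ce:7b:08:00 "
    "SRC=192.168.56.25 DST=8.8.8.8 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18010 DF PROTO=TCP "
    "SPT=59163 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "May 26 10:51:52 proxy kernel: IN=ipsec0 OUT= MAC= SRC=192.168.66.25 DST=8.8.8.8 LEN=52 "
    "TOS=0x00 PREC=0x00 TTL=127 ID=24898 DF PROTO=TCP SPT=51379 DPT=80 WINDOW=8192 RES=0x00 "
    "SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
# key=value tokens; the value may be empty (e.g. "OUT=" or "MAC=").
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one iptables LOG line into a dict of fields plus TCP flags."""
    # Drop the syslog prefix; the packet fields start after "kernel: ".
    _, _, body = line.partition("kernel: ")
    fields = dict(KV_RE.findall(body))
    # Tokens without '=' are bare flags such as SYN, ACK, RST or DF.
    bare = {tok for tok in body.split() if "=" not in tok}
    fields["flags"] = sorted(bare & TCP_FLAGS)
    fields["DF"] = "DF" in bare
    return fields


def describe(fields):
    """Summarise the points that matter when checking a TPROXY redirect."""
    return {
        "in_iface": fields["IN"],
        # LOG prints an empty MAC= when the packet has no link-layer header.
        "has_link_layer_header": fields.get("MAC", "") != "",
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "sport": int(fields["SPT"]),
        "dport": int(fields["DPT"]),
        # A bare SYN is the first packet of a new TCP connection.
        "is_new_connection": fields["flags"] == ["SYN"],
    }


def diff_entries(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    keys = set(a) | set(b)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    entries = [parse_log_line(line) for line in SAMPLE_LOG_LINES]
    for entry in entries:
        print(describe(entry))
    for field, (eth, ipsec) in diff_entries(entries[0], entries[1]).items():
        print(f"{field}: eth0={eth!r} ipsec0={ipsec!r}")
```

Run it as a script to print the two summaries and the field-by-field diff; feeding it the output of `grep 'IN=ipsec0' /var/log/messages` gives the same view for every logged packet on the tunnel interface.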
