两个 libvirt VM 之间可以进行 iptables NAT 转发吗?

两个 libvirt VM 之间可以进行 iptables NAT 转发吗?

我正在使用两个带有 StrongSwan IKEv2 的 libvirt VM 构建测试 VPN 设置,但无法转发流量。我可以看到客户端使用 tcpdump 将流量发送到服务器,但服务器对此不做任何事情。

为了排除完全损坏的配置,我启动了一个 EC2 测试实例。所有虚拟机和 EC2 实例都运行 Rocky Linux 9.3。我在 EC2 测试实例上运行了与本地服务器虚拟机相同的 Ansible 剧本。EC2 实例能够毫无问题地转发流量。

这为什么不起作用?

服务器接口:

[root@server ~] # ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:ab:6d:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.46/24 brd 192.168.124.255 scope global dynamic noprefixroute enp1s0
       valid_lft 2044sec preferred_lft 2044sec
    inet6 fe80::5054:ff:feab:6d28/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

服务器iptables-save输出:

[root@server ~] # iptables-save

# Generated by iptables-save v1.8.8 (nf_tables) on Fri Feb  9 11:24:48 2024
*mangle
:PREROUTING ACCEPT [628:1708335]
:INPUT ACCEPT [594:1704345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [566:81987]
:POSTROUTING ACCEPT [566:81987]
-A FORWARD -s 172.16.0.0/24 -o enp1s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Feb  9 11:24:48 2024

# Generated by iptables-save v1.8.8 (nf_tables) on Fri Feb  9 11:24:48 2024
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Feb  9 11:24:48 2024

# Generated by iptables-save v1.8.8 (nf_tables) on Fri Feb  9 11:24:48 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [566:81987]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 172.16.0.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 172.16.0.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Fri Feb  9 11:24:48 2024

# Generated by iptables-save v1.8.8 (nf_tables) on Fri Feb  9 11:24:48 2024
*nat
:PREROUTING ACCEPT [66:14106]
:INPUT ACCEPT [22:8852]
:OUTPUT ACCEPT [4:304]
:POSTROUTING ACCEPT [4:304]
-A POSTROUTING -s 172.16.0.0/24 -o enp1s0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.16.0.0/24 -o enp1s0 -j MASQUERADE
COMMIT
# Completed on Fri Feb  9 11:24:48 2024

VPN 会话期间的客户端接口:

[root@client ~]# ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:5b:1a:e1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.217/24 brd 192.168.124.255 scope global dynamic noprefixroute enp1s0
       valid_lft 2084sec preferred_lft 2084sec
    inet 172.16.0.2/32 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe5b:1ae1/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

来自服务器的 tcpdump 时间线(192.168.124.46):

(on client, run `charon-cmd --host 192.168.124.46 --identity dave --cert server.pem`; connects successfully)

11:16:17.565576 IP 192.168.124.217.35967 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: parent_sa ikev2_init[I]
11:16:17.565934 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.35967: NONESP-encap: isakmp: parent_sa ikev2_init[R]
11:16:17.566461 IP 192.168.124.217.35967 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: parent_sa ikev2_init[I]
11:16:17.566740 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.35967: NONESP-encap: isakmp: parent_sa ikev2_init[R]
11:16:17.567137 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:17.567441 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:17.568100 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:17.568167 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:18.921417 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:18.921651 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:18.921959 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:18.922016 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:18.922235 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:18.923167 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]

(on client, run `dig @1.1.1.1 CH TXT whoami.cloudflare.`; request just times out)

11:16:24.017772 IP 192.168.124.217 > 192.168.124.46: ESP(spi=0xc2944693,seq=0x1), length 120
11:16:29.017212 IP 192.168.124.217 > 192.168.124.46: ESP(spi=0xc2944693,seq=0x2), length 120

(on client, terminate charon-cmd)

11:16:31.240008 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  inf2[I]
11:16:31.240907 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  inf2[R]

来自客户端的 tcpdump 时间线(192.168.124.217):

(on client, run `charon-cmd --host 192.168.124.46 --identity dave --cert server.pem`; connects successfully)

11:16:17.563485 IP 192.168.124.217.35967 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: parent_sa ikev2_init[I]
11:16:17.563924 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.35967: NONESP-encap: isakmp: parent_sa ikev2_init[R]
11:16:17.564405 IP 192.168.124.217.35967 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: parent_sa ikev2_init[I]
11:16:17.564723 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.35967: NONESP-encap: isakmp: parent_sa ikev2_init[R]
11:16:17.565084 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:17.565427 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:17.566047 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:17.566150 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:18.919321 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:18.919649 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:18.919898 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:18.920004 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:18.920184 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:16:18.921151 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
11:16:19.033177 IP 192.168.124.217.mdns > 224.0.0.251.mdns: 0 [2q] [2n] ANY (QM)? 2.0.16.172.in-addr.arpa. ANY (QM)? client.local. (89)
11:16:19.283570 IP 192.168.124.217.mdns > 224.0.0.251.mdns: 0 [2q] [2n] ANY (QM)? 2.0.16.172.in-addr.arpa. ANY (QM)? client.local. (89)
11:16:19.534004 IP 192.168.124.217.mdns > 224.0.0.251.mdns: 0 [2q] [2n] ANY (QM)? 2.0.16.172.in-addr.arpa. ANY (QM)? client.local. (89)
11:16:19.734337 IP 192.168.124.217.mdns > 224.0.0.251.mdns: 0*- [0q] 3/0/0 (Cache flush) PTR client.local., (Cache flush) A 172.16.0.2, (Cache flush) A 192.168.124.217 (93)
11:16:20.795580 IP 192.168.124.217.mdns > 224.0.0.251.mdns: 0*- [0q] 3/0/0 (Cache flush) PTR client.local., (Cache flush) A 172.16.0.2, (Cache flush) A 192.168.124.217 (93)

(on client, run `dig @1.1.1.1 CH TXT whoami.cloudflare.`; request just times out)

11:16:22.857845 IP 192.168.124.217.mdns > 224.0.0.251.mdns: 0*- [0q] 3/0/0 (Cache flush) PTR client.local., (Cache flush) A 172.16.0.2, (Cache flush) A 192.168.124.217 (93)
11:16:24.015596 IP 192.168.124.217 > 192.168.124.46: ESP(spi=0xc2944693,seq=0x1), length 120
11:16:29.015083 IP 192.168.124.217 > 192.168.124.46: ESP(spi=0xc2944693,seq=0x2), length 120

(on client, terminate charon-cmd)

11:16:31.237922 IP 192.168.124.217.52793 > 192.168.124.46.ipsec-nat-t: NONESP-encap: isakmp: child_sa  inf2[I]
11:16:31.238903 IP 192.168.124.46.ipsec-nat-t > 192.168.124.217.52793: NONESP-encap: isakmp: child_sa  inf2[R]
11:16:31.238935 IP 192.168.124.217.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR client.local., (Cache flush) A 172.16.0.2 (77)

(on client, retry dig command without vpn connected)

11:16:40.086784 IP 192.168.124.217.36140 > 1.1.1.1.domain: 2399+ [1au] TXT CHAOS? whoami.cloudflare. (58)
11:16:40.103724 IP 1.1.1.1.domain > 192.168.124.217.36140: 2399 1/0/1 CHAOS TXT "72.131.108.98" (72)

相关内容