Debian firewall does not forward traffic from interface x to tun0

I want a Debian system to act as a router for OpenVPN traffic, where all traffic arriving on interface x should be forwarded to the OpenVPN interface y.

The picture below shows my network setup, which mostly works:

Iptables rules (active):

#!/bin/bash

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -o ens19 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i tun0 -o ens19 -m state --state RELATED,ESTABLISHED -j ACCEPT

#iptables -t nat -A PREROUTING -i ens19 -j ACCEPT

#iptables -A FORWARD -j ACCEPT
iptables -A FORWARD -i ens19 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o ens19 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i ens19 -j ACCEPT

#iptables -t nat -s 192.168.1.0/24 -A POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -j MASQUERADE

iptables-save | sudo tee /etc/iptables/rules.v4

exit

Forwarding settings: cat /etc/sysctl.conf | grep -v '#'

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.forwarding = 1

The settings are active, but no traffic is being forwarded.

Checked:

ping web.de -I ens18    # (Network interface with route to "normal" router.) -> Working
ping web.de -I ens19    # (Network interface with firewall-rule forwarding to tun0.) -> Not working, but getting ip information of "web.de"
ping web.de -I tun0     # (Network interface by openvpn.) -> Working

My guess: NAT works, but ens19 is not being forwarded to tun0.

I have found and read many forum threads here and on other sites where people discuss the same idea. They don't seem to work for me. Strange :(

iptables-save:

*filter
:INPUT ACCEPT [40976:12561334]
:FORWARD ACCEPT [32894:54259570]
:OUTPUT ACCEPT [32983:2879147]
-A INPUT -i tun0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens19 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o ens19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jan  9 ...
# Generated by iptables-save v1.8.7 on Tue Jan  9 ...
*nat
:PREROUTING ACCEPT [63033:10635529]
:INPUT ACCEPT [6276:710107]
:OUTPUT ACCEPT [1569:103282]
:POSTROUTING ACCEPT [1156:77777]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

What am I missing to get the traffic forwarding ens19 -> tun0 working? Any help is very welcome. Thanks
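As an added check (not part of the question or any answer), the script below audits an iptables-save dump plus sysctl output for the pieces this setup depends on: ip_forward on, a FORWARD rule ens19 -> tun0, a FORWARD rule for the replies tun0 -> ens19, and MASQUERADE on tun0. The sample dump is constructed to mirror the question's rules; to audit a live box, feed it the real output of `iptables-save` and `sysctl net.ipv4.ip_forward` instead.

```shell
#!/bin/sh
# Constructed sample input mirroring the question's iptables-save dump.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens19 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o ens19 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT'

# Constructed sample of `sysctl net.ipv4.ip_forward` output.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'

# audit_forwarding LAN_IF VPN_IF RULES_DUMP SYSCTL_OUTPUT
# Prints one line per check and returns the number of failed checks
# (0 means every piece the ens19 -> tun0 setup needs is present).
audit_forwarding() {
    lan=$1; wan=$2; rules=$3; sysctl_out=$4; failed=0

    # check DESCRIPTION REGEX TEXT: one line of TEXT must match REGEX.
    check() {
        if printf '%s\n' "$3" | grep -Eq -- "$2"; then
            printf 'ok      %s\n' "$1"
        else
            printf 'MISSING %s\n' "$1"
            failed=$((failed + 1))
        fi
    }

    check "net.ipv4.ip_forward = 1" \
        '^net\.ipv4\.ip_forward *= *1$' "$sysctl_out"
    check "FORWARD $lan -> $wan accepted" \
        "^-A FORWARD -i $lan -o $wan .*-j ACCEPT$" "$rules"
    check "FORWARD $wan -> $lan replies (RELATED/ESTABLISHED) accepted" \
        "^-A FORWARD -i $wan -o $lan .*(RELATED|ESTABLISHED).*-j ACCEPT$" "$rules"
    check "POSTROUTING MASQUERADE on $wan" \
        "^-A POSTROUTING -o $wan -j MASQUERADE$" "$rules"
    return $failed
}

# Usage on the constructed sample; with a live box, e.g.:
#   audit_forwarding ens19 tun0 "$(iptables-save)" "$(sysctl net.ipv4.ip_forward)"
audit_forwarding ens19 tun0 "$SAMPLE_RULES" "$SAMPLE_SYSCTL"
```

If all four lines read "ok" and forwarding still fails, the ruleset is not the culprit and the next place to look is routing (ip route / ip rule) and what the OpenVPN peer does with the masqueraded packets.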

ip link; ip -4 -br addr; ip route; ip rule

Result: ip link; ip -4 -br addr; ip route; ip rule
