I need to forward ports from a VPS through a WireGuard tunnel, but the tunnel only allows a limited set of IPs. It does not accept 0.0.0.0/0, only 10.xxx/24. So I need not only DNAT but also SNAT to change the source IP, so that the packets are allowed into the tunnel.
Could you provide an iptables snippet? Or any other way to forward the traffic.
DNAT does not work: the target host behind the WireGuard tunnel does not receive the packets (tested with python3 -m http.server and tcpdump).
When I block incoming traffic with iptables using either of:
- iptables -A INPUT -j REJECT
or
- iptables -P INPUT DROP
it times out without saying anything and just finishes pulling (it takes 1 minute).
My current configuration:
*filter
:INPUT ACCEPT [29875:3958669]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [263459:37321297]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o pterodactyl0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o pterodactyl0 -j DOCKER
-A FORWARD -i pterodactyl0 ! -o pterodactyl0 -j ACCEPT
-A FORWARD -i pterodactyl0 -o pterodactyl0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i pterodactyl0 ! -o pterodactyl0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o pterodactyl0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [1352:194638]
:INPUT ACCEPT [891:120286]
:OUTPUT ACCEPT [1048:62993]
:POSTROUTING ACCEPT [1048:62993]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o pterodactyl0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i pterodactyl0 -j RETURN
COMMIT
When I leave the policy at ACCEPT or do not reject unwanted traffic, docker works noticeably faster and does not seem to time out:
[Pterodactyl Daemon]: Pulling Docker container image, this could take a few minutes to complete...
---this information doesn't show up when I have closed ports---
Pulling from pterodactyl/yolks
Status: Image is up to date for ghcr.io/pterodactyl/yolks:java_17
Digest: sha256:2dc464502b22a0c64edbc10a347d9f72b4581640be487b5eb750785d26ccad04
---this information doesn't show up when I have closed ports---
[Pterodactyl Daemon]: Finished pulling Docker container image
So what am I doing wrong, or is there anything to improve? (I am new to this; I previously used firewalld, which worked fine but did not meet my needs.)
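An added check, not from the post above: a small lint over an iptables-save dump that flags the pattern visible in this ruleset, an INPUT chain closed by a catch-all REJECT (or a DROP policy) with no earlier rule accepting RELATED,ESTABLISHED. Without that rule the replies to connections the host itself opens (the registry pull, DNS) arrive on ephemeral ports and hit the catch-all. The two rulesets embedded below are a trimmed copy of the post's INPUT rules and the same rules with one stateful accept inserted.

```shell
#!/bin/sh
# Added example, not from the original post. Lint an iptables-save dump (on stdin):
# fail when the filter INPUT chain is "closed" (policy DROP, or a catch-all
# "-A INPUT -j REJECT|DROP") but no rule before the catch-all accepts
# RELATED,ESTABLISHED packets. Exit 0 = fine, 1 = replies to outbound connections
# will be blocked.
check_input_stateful() {
    awk '
        /^\*/              { table = substr($0, 2); next }   # *filter, *nat, ...
        table != "filter"  { next }
        /^:INPUT /         { policy = $2; next }             # ":INPUT DROP [0:0]"
        /^-A INPUT / {
            # A stateful accept before the catch-all is what we want to see.
            if ($0 ~ /(--ctstate|--state) [A-Z,]*(RELATED|ESTABLISHED)/ && $0 ~ /-j ACCEPT/) stateful = 1
            # A rule with no match criteria at all: everything left over ends here.
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)/) {
                catchall = 1
                if (!stateful) late = 1
            }
        }
        END {
            if (policy == "DROP" && !stateful) bad = 1
            if (catchall && late) bad = 1
            if (bad) {
                print "INPUT is closed without a RELATED,ESTABLISHED accept: replies to outbound connections will be blocked"
                exit 1
            }
            if (policy == "DROP" || catchall) print "INPUT is closed and accepts RELATED,ESTABLISHED"
            else print "INPUT is open (policy ACCEPT, no catch-all rule)"
        }'
}

# Constructed sample: the INPUT rules from the post (port list trimmed), which fail the check.
BROKEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:INPUT ACCEPT [0:0]
COMMIT'

# The same rules with a stateful accept placed before the catch-all.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Run the lint over one of the samples; returns the lint exit status.
lint_sample() { printf '%s\n' "$1" | check_input_stateful; }
```

On a live host, `iptables-save | check_input_stateful` runs the same check against the real ruleset.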
I need to restrict traffic on a Debian machine, e.g. using iptables. Specifically, the server has 3 main network interfaces: eth0, wlan0 and tun0.
eth0 is the normal Ethernet connection the machine uses to connect to the Internet. wlan0 is a WiFi hotspot, i.e. other devices connect to the machine through this interface. tun0 is an IPsec VPN that connects "through" eth0 to an external VPN server. I now need to restrict all Internet-bound traffic of the devices connected to the computer via WiFi (i.e. via wlan0). Unfortunately, the external VPN server does not have a fixed IP address.
So my plan is to allow traffic from wlan0 to be forwarded only to tun0, but never to eth0. As I understand it, this should cause all traffic that is not routed through the VPN connection to be dropped, with no Internet access. At the same time the server itself can access the Internet normally.
Is this possible, or would it interfere with establishing the VPN connection in the first place?
My idea was something like this with iptables:
# traffic that crosses from one interface to another is matched in the FORWARD chain
# (OUTPUT cannot take -i and INPUT cannot take -o)
iptables -A FORWARD -i wlan0 -o eth0 -j DROP
iptables -A FORWARD -i eth0 -o wlan0 -j DROP
I also considered specifying the routes so that traffic from wlan0 can only be forwarded through tun0 and no other option exists.
Which approach is more sensible?
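An added example, not from the post above, of the FORWARD-only approach it sketches, written as a kill switch: the router forwards wlan0 clients through tun0 and nothing else, so when the VPN is down their traffic is dropped instead of leaking over eth0, while the router's own eth0 traffic (including the IPsec session to the VPN server) is untouched because it never passes through FORWARD. Interface names are the post's; the client subnet is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Forward wlan0 clients only through the
# VPN (tun0). Assumed: the hotspot hands out 192.168.50.0/24. The VPN server's
# address may change, so nothing here refers to it. DRY_RUN=1 prints the commands
# instead of executing them (root is needed otherwise).
WIFI_IF=wlan0; VPN_IF=tun0; WAN_IF=eth0
WIFI_NET=${WIFI_NET:-192.168.50.0/24}   # assumption: the hotspot's client subnet

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

wifi_vpn_only_rules() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Anything the router forwards is dropped unless a rule below allows it. The
    # router's own traffic (INPUT/OUTPUT), including the IPsec tunnel over eth0,
    # is not affected, so the VPN can still come up.
    run iptables -P FORWARD DROP
    # Client -> VPN, and the replies back to the client.
    run iptables -A FORWARD -i "$WIFI_IF" -o "$VPN_IF" -s "$WIFI_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$WIFI_IF" -d "$WIFI_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicit drop of the leak path, so it keeps working (and shows up in the
    # counters) even if the chain policy is later set back to ACCEPT.
    run iptables -A FORWARD -i "$WIFI_IF" -o "$WAN_IF" -j DROP
    # Clients use private addresses, so hide them behind the tunnel endpoint.
    run iptables -t nat -A POSTROUTING -s "$WIFI_NET" -o "$VPN_IF" -j MASQUERADE
}

# Review helpers: the planned commands, and whether any of them would forward
# wlan0 traffic out of eth0 with an ACCEPT target.
planned_rules() { DRY_RUN=1 wifi_vpn_only_rules; }
leaks_to_wan()  { planned_rules | grep -q -- "-i $WIFI_IF -o $WAN_IF.*-j ACCEPT"; }
```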
I use the old iptables v1.4.7 together with fail2ban. However, I see "already banned" messages in the log and cannot figure out why they still reach my server and are not blocked by the f2b-ASTERISK section shown below. Do you see any reason why the following would not work at first glance? I checked other answers, but they did not reveal anything. Here is the output:
[root@server bin]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
f2b-ASTERISK udp -- anywhere anywhere udp dpt:sip
DROP udp -- anywhere anywhere udp dpt:sip STRING match "friendly-scanner" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpt:sip STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpt:sip STRING match "VaxIPUserAgent" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpt:sip STRING match "sundayddr" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpt:sip STRING match "sipsak" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpt:sip STRING match "sipvicious" ALGO name bm TO 65535
DROP udp -- anywhere anywhere udp dpt:sip STRING match "iWar" ALGO name bm TO 65535
...
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2346 flags:0x17/0x02 limit: avg 1/min burst 3
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2346 flags:0x17/0x02
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x17/0x02 limit: avg 100/sec burst 100
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x17/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5666
...
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-ASTERISK (1 references)
target prot opt source destination
DROP all -- ip16.ip-54-37-90.eu anywhere
DROP all -- 207.231.108.225 anywhere
...
fail2ban.log:
2023-04-23 09:50:30,881 fail2ban.actions [26615]: NOTICE [asterisk-iptables] 207.231.108.225 already banned
When I check the IP, it is listed in f2b-ASTERISK:
[root@server bin]# iptables -L -n | grep "193.32.162.159"
DROP all -- 207.231.108.225 0.0.0.0/0
I have a server with a public IP (142.0.0.142). This server hosts a KVM virtual machine (192.168.100.10) and redirects HTTP/S traffic to this VM. I configured a "custom NAT-based network" following these instructions. When I make an HTTP request using the public IP 142.0.0.142, it works fine and the traffic is redirected to the VM. However, when I make an HTTP request using the public IP from the host or from the guest, the connection fails.
Here is the content of /etc/iptables/rules.v4:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o virbr10 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Modify the destination address of packets received on ports 80 and 443.
-A PREROUTING -d 142.0.0.142/32 -p tcp -m tcp --syn -m multiport --dports 80,443 -j DNAT --to-destination 192.168.100.10
# Do not masquerade to these reserved address blocks.
-A POSTROUTING -s 192.168.100.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.100.0/24 -d 255.255.255.255/32 -j RETURN
# Masquerade all packets going from VMs to the LAN/Internet.
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow basic INPUT traffic.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Accept SSH connections.
-A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT
# Accept DNS (port 53) and DHCP (port 67) packets from VMs.
-A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
# Reject everything else.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Allow established traffic to the private subnet.
-A FORWARD -d 192.168.100.0/24 -o virbr10 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow outbound traffic from the private subnet.
-A FORWARD -s 192.168.100.0/24 -i virbr10 -j ACCEPT
# Allow traffic between virtual machines.
-A FORWARD -i virbr10 -o virbr10 -j ACCEPT
# Allow packets that have been forwarded to particular ports on the VM.
-A FORWARD -d 192.168.100.10/32 -o virbr10 -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 80,443 -j ACCEPT
# Reject everything else.
-A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o virbr10 -j REJECT --reject-with icmp-port-unreachable
COMMIT
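An added example, not part of the post above: the two rules the listed rules.v4 lacks for connections to the public address that originate on the host itself or on a guest (hairpin NAT). Host-originated packets never pass PREROUTING, they go through the nat OUTPUT chain, and a guest that reaches the VM via 142.0.0.142 gets its reply straight from 192.168.100.10, a source it never talked to, unless the forwarded packet is also source-NATed. Addresses are the post's; the host's bridge address is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Hairpin NAT for the setup above:
# public 142.0.0.142 on the host, VM 192.168.100.10 behind bridge virbr10.
# Assumed: the host's own address on virbr10 is 192.168.100.1.
# DRY_RUN=1 prints the commands instead of executing them.
PUBLIC_IP=142.0.0.142
VM_IP=192.168.100.10
VM_NET=192.168.100.0/24
BRIDGE_IP=${BRIDGE_IP:-192.168.100.1}   # assumption
PORTS=80,443

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

hairpin_nat_rules() {
    # 1. Connections opened on the host itself never traverse PREROUTING; DNAT
    #    them in the nat OUTPUT chain instead.
    run iptables -t nat -A OUTPUT -d "$PUBLIC_IP" -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$VM_IP"
    # 2. A guest connecting to the public address is already DNATed by the existing
    #    PREROUTING rule, but the VM would answer the guest directly with source
    #    192.168.100.10, which the guest's TCP stack rejects. Rewrite the source to
    #    the bridge address so the reply returns through the host and is un-NATed.
    #    The existing "! -d 192.168.100.0/24" MASQUERADE rules do not cover this case.
    run iptables -t nat -A POSTROUTING -s "$VM_NET" -d "$VM_IP" -o virbr10 -p tcp \
        -m multiport --dports "$PORTS" -j SNAT --to-source "$BRIDGE_IP"
    # Side effect: the VM's web logs show 192.168.100.1 for hairpinned guest
    # connections rather than the guest address.
}

planned_rules() { DRY_RUN=1 hairpin_nat_rules; }
```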
Because my provider does not give me a public IPv4 address, I use a VPS combined with a WireGuard tunnel to make my home server reachable from the Internet (over IPv4 and IPv6).
On my home server, traffic first reaches a reverse proxy (Traefik). Currently I use rinetd to forward incoming traffic on ports 80/443 on the VPS to the WireGuard IP address of my home server (10.10.0.2). This works, but the problem is that the source IP of the packets is always the WireGuard IP of my VPS (10.10.0.1). This is a known limitation of rinetd (https://manpages.ubuntu.com/manpages/bionic/man8/rinetd.8.html).
Plan: Internet <-> (ens192) VPS (wg1) <-> (wg1) homeserver
Solution:
For anyone who runs into this later, here is the solution.
iptables configuration on the VPS:
iptables -I FORWARD -d 10.10.0.2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
iptables -I FORWARD -s 10.10.0.2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination 10.10.0.2:80
iptables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination 10.10.0.2:443
iptables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]
ip6tables -I FORWARD -d fdb0:926d:918e::2 -p tcp -m conntrack --ctstate DNAT -j ACCEPT
ip6tables -I FORWARD -s fdb0:926d:918e::2 -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 80 -j DNAT --to-destination [fdb0:926d:918e::2]:80
ip6tables -t nat -I PREROUTING -p tcp -d [VPS public IP] -i ens192 --dport 443 -j DNAT --to-destination [fdb0:926d:918e::2]:443
ip6tables -t nat -A POSTROUTING -o ens192 -j SNAT --to-source [VPS public IP]
On the home server, configure routing:
ip -4 route add default dev wg1 table 4242
ip -6 route add default dev wg1 table 4242
ip -4 rule add pref 500 from 10.10.0.2 lookup 4242
ip -6 rule add pref 500 from fdb0:926d:918e::2 lookup 4242
And configure the WireGuard AllowedIPs to allow all IPs, except the local (home) network and the public IPv4 and IPv6 addresses of my VPS.
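An added example, not from the posts above, covering the first question on this page (a peer whose AllowedIPs cover only the tunnel subnet) as well as the solution just given. The solution keeps the real client address and therefore needs policy routing on the home server; the variant below instead SNATs the forwarded packet to the VPS tunnel address so it fits inside the peer's AllowedIPs, at the price of the home server seeing 10.10.0.1 as the client. Interface and address values are assumptions taken from the solution above.

```shell
#!/bin/sh
# Added example, not from the original posts. Port-forward 80/443 from a VPS into a
# WireGuard peer whose AllowedIPs only cover the tunnel subnet: the packet must leave
# the VPS with a source address inside that subnet. DRY_RUN=1 prints the commands.
WAN_IF=${WAN_IF:-ens192}          # public interface of the VPS (assumed)
WG_IF=${WG_IF:-wg1}               # WireGuard interface on the VPS (assumed)
WG_LOCAL=${WG_LOCAL:-10.10.0.1}   # VPS tunnel address, inside the peer's AllowedIPs
WG_PEER=${WG_PEER:-10.10.0.2}     # home server tunnel address
PORTS=${PORTS:-80,443}

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

wg_portforward_rules() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Rewrite the destination of inbound connections to the tunnel peer.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$WG_PEER"
    # Rewrite the source to the VPS tunnel address before the packet enters the
    # tunnel, so it is inside the peer's AllowedIPs (the point of the first question).
    # The reply is un-SNATed and un-DNATed by conntrack on the way back out.
    run iptables -t nat -A POSTROUTING -o "$WG_IF" -d "$WG_PEER" -p tcp -m multiport --dports "$PORTS" \
        -j SNAT --to-source "$WG_LOCAL"
    # Forward only what conntrack knows was DNATed, plus its replies; anything else
    # trying to cross the VPS keeps hitting the FORWARD policy.
    run iptables -A FORWARD -i "$WAN_IF" -o "$WG_IF" -d "$WG_PEER" -p tcp -m multiport --dports "$PORTS" \
        -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A FORWARD -i "$WG_IF" -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Review helper: the iptables commands the function would run.
planned_rules() { DRY_RUN=1 wg_portforward_rules | grep '^iptables'; }
```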
I have an iptables PREROUTING rule that forwards a port to another host. This is the rule: ipv4 nat PREROUTING 0 -m addrtype --dst-type LOCAL -p tcp --dport 445 -j DNAT --to-destination 192.168.123.103
Host A, which has the PREROUTING rule, has the IP address 192.168.123.1. Host B, to which the traffic is forwarded, has the IP addresses 192.168.123.103 and 192.168.123.11.
This rule works for other hosts connected to A, but it does not work for requests to 192.168.123.1:445 made from B. In an iptables trace there appears to be PREROUTING but no FORWARD. Notably, accessing 192.168.123.103:445 directly on B works.
I checked the sysctl flags net.ipv4.ip_forward and net.ipv4.conf.all.forwarding, and they are correctly set to 1.
Logs:
Working:
trace id 3202082b ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 522 bytes 29484 meta nftrace set 1 (verdict continue)
trace id 3202082b ip raw PREROUTING verdict continue
trace id 3202082b ip raw PREROUTING policy accept
trace id 3202082b inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id 3202082b inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id 3202082b inet firewalld mangle_PRE_trusted_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id 3202082b inet firewalld mangle_PRE_trusted_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id 3202082b inet firewalld mangle_PRE_trusted_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id 3202082b inet firewalld mangle_PRE_trusted_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id 3202082b inet firewalld mangle_PRE_trusted_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING policy accept
trace id 3202082b ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3018 bytes 180952 dnat to 192.168.123.103 (verdict accept)
trace id 3202082b inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_PREROUTING verdict continue
trace id 3202082b inet firewalld filter_PREROUTING policy accept
trace id 3202082b ip mangle FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip mangle FORWARD verdict continue
trace id 3202082b ip mangle FORWARD policy accept
trace id 3202082b ip filter FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip filter FORWARD verdict continue
trace id 3202082b ip filter FORWARD policy accept
trace id 3202082b inet firewalld filter_FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_FORWARD rule ct status dnat accept (verdict accept)
Not working:
trace id fea3c476 ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 96 bytes 5732 meta nftrace set 1 (verdict continue)
trace id fea3c476 ip raw PREROUTING verdict continue
trace id fea3c476 ip raw PREROUTING policy accept
trace id fea3c476 inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id fea3c476 inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id fea3c476 inet firewalld mangle_PRE_trusted_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id fea3c476 inet firewalld mangle_PRE_trusted_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id fea3c476 inet firewalld mangle_PRE_trusted_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id fea3c476 inet firewalld mangle_PRE_trusted_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id fea3c476 inet firewalld mangle_PRE_trusted_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING policy accept
trace id fea3c476 ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 2881 bytes 172708 dnat to 192.168.123.103 (verdict accept)
trace id fea3c476 inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld filter_PREROUTING verdict continue
trace id fea3c476 inet firewalld filter_PREROUTING policy accept
ip addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 0a:e0:af:c6:00:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute enp6s0
valid_lft 39944sec preferred_lft 39944sec
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:54:6b:5e brd ff:ff:ff:ff:ff:ff
inet 192.168.123.1/24 brd 192.168.123.255 scope global virbr1
valid_lft forever preferred_lft forever
ip route:
default via 192.168.1.1 dev enp6s0 proto dhcp src 192.168.1.10 metric 100
192.168.1.0/24 dev enp6s0 proto kernel scope link src 192.168.1.10 metric 100
192.168.123.0/24 dev virbr1 proto kernel scope link src 192.168.123.1
nft list ruleset:
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
meta l4proto tcp counter packets 2283119 bytes 12047540484 jump f2b-sshd
}
chain f2b-sshd {
counter packets 2278196 bytes 12047096552 return
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3128 bytes 187556 dnat to 192.168.123.103
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
}
}
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "enp6s0" goto mangle_PRE_public
goto mangle_PRE_trusted
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "enp6s0" goto nat_PRE_public
goto nat_PRE_trusted
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
oifname "enp6s0" goto nat_POST_public
goto nat_POST_trusted
}
chain nat_POSTROUTING_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "enp6s0" goto filter_IN_public
goto filter_IN_trusted
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
}
chain filter_FORWARD_ZONES {
iifname "enp6s0" goto filter_FWD_public
goto filter_FWD_trusted
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_trusted {
jump filter_INPUT_POLICIES_pre
jump filter_IN_trusted_pre
jump filter_IN_trusted_log
jump filter_IN_trusted_deny
jump filter_IN_trusted_allow
jump filter_IN_trusted_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_trusted_pre {
}
chain filter_IN_trusted_log {
}
chain filter_IN_trusted_deny {
}
chain filter_IN_trusted_allow {
}
chain filter_IN_trusted_post {
}
chain nat_POST_trusted {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_trusted_pre
jump nat_POST_trusted_log
jump nat_POST_trusted_deny
jump nat_POST_trusted_allow
jump nat_POST_trusted_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_trusted_pre {
}
chain nat_POST_trusted_log {
}
chain nat_POST_trusted_deny {
}
chain nat_POST_trusted_allow {
}
chain nat_POST_trusted_post {
}
chain filter_FWD_trusted {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_trusted_pre
jump filter_FWD_trusted_log
jump filter_FWD_trusted_deny
jump filter_FWD_trusted_allow
jump filter_FWD_trusted_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_trusted_pre {
}
chain filter_FWD_trusted_log {
}
chain filter_FWD_trusted_deny {
}
chain filter_FWD_trusted_allow {
}
chain filter_FWD_trusted_post {
}
chain nat_PRE_trusted {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_trusted_pre
jump nat_PRE_trusted_log
jump nat_PRE_trusted_deny
jump nat_PRE_trusted_allow
jump nat_PRE_trusted_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_trusted_pre {
}
chain nat_PRE_trusted_log {
}
chain nat_PRE_trusted_deny {
}
chain nat_PRE_trusted_allow {
}
chain nat_PRE_trusted_post {
}
chain mangle_PRE_trusted {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_trusted_pre
jump mangle_PRE_trusted_log
jump mangle_PRE_trusted_deny
jump mangle_PRE_trusted_allow
jump mangle_PRE_trusted_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_trusted_pre {
}
chain mangle_PRE_trusted_log {
}
chain mangle_PRE_trusted_deny {
}
chain mangle_PRE_trusted_allow {
}
chain mangle_PRE_trusted_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx type admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx type admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
oifname "enp6s0" accept
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
meta l4proto tcp fib daddr type local tcp dport 445 counter packets 974 bytes 53844 meta nftrace set 1
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
table ip mangle {
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
}
I have configured an Ubuntu PC as a router and am confused about DNAT rules with multiple input interfaces. When I ping the ISP-1 IP, the router answers via external_p, and for the ISP-2 IP it answers via external_s. But when I open ISP-1 IP:80 or ISP-2 IP:80, it answers via external_p for both IPs. How can I configure it so that DNAT replies go out through the interface the request was received on?
ip rule show
0: from all lookup local
300: from <ISP-1 IP> lookup external_p
400: from <ISP-2 IP> lookup external_s
32766: from all lookup main
32767: from all lookup default
ip route
default via <ISP-1 GW> dev vlan_ext_p metric 100
default via <ISP-2 GW> dev vlan_ext_s metric 200
ip route show table external_p
default via <ISP-1 GW> dev vlan_ext_p proto static
ip route show table external_s
default via <ISP-2 GW> dev vlan_ext_s proto static
iptables-save
*nat
-A PREROUTING -i vlan_ext_p -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.4.2
-A PREROUTING -i vlan_ext_s -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.4.2
-A POSTROUTING -s 172.16.0.0/12 -o vlan_ext_p -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/12 -o vlan_ext_s -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 172.17.4.2/32 -i vlan_ext_p -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.17.4.2/32 -i vlan_ext_s -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -s 172.16.0.0/12 -j ACCEPT
I have a WireGuard server that controls access to a network of servers in AWS. Clients connected over WireGuard have the addresses 10.11.0.{2-5}. I have 4 clients with full access to the LAN - the LAN is on 10.1.255.255. This works well.
Now I want to add a client that can only access a small number of servers.
So I added some PostUp commands to wg0.conf, using iptables to restrict this client to those servers.
[Note that I prefer PostUp commands over a separate postup.sh file because it keeps the customization in one place.]
Here are the iptables commands. Clients 10.11.0.{2,3,4,5} should be able to access everything. Client 10.11.0.6 should only be able to access three specific IP addresses. What is happening is that client .6 can still access everything.
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.11.0.0/16
# Add a WIREGUARD_wg0 chain
PostUp = iptables -N WIREGUARD_wg0
PostUp = iptables -A FORWARD -j WIREGUARD_wg0
# Accept traffic from valid Wireguard client IP addresses
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.2,10.11.0.3,10.11.0.4,10.11.0.5 -i %i -j ACCEPT
# This client can only access these servers.
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -d 10.1.1.101,10.1.1.151,10.1.0.101 -j ACCEPT
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -j DROP
# Drop everything else coming through the Wireguard interface
PostUp = iptables -A WIREGUARD_wg0 -i %i -j DROP
# Return to FORWARD chain
PostUp = iptables -A WIREGUARD_wg0 -j RETURN
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -s 10.11.0.0/16
# Flush and delete the WIREGUARD_wg0 chain
PostDown = iptables -D FORWARD -j WIREGUARD_wg0
PostDown = iptables -F WIREGUARD_wg0
PostDown = iptables -X WIREGUARD_wg0
This is the state after wg-quick down wg0:
/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:06:20 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep 3 21:06:20 2022
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:06:20 2022
*filter
:INPUT ACCEPT [33:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:4668]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Sat Sep 3 21:06:20 2022
And then after wg-quick up wg0:
/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:07:01 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep 3 21:07:01 2022
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:07:01 2022
*filter
:INPUT ACCEPT [15:1036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:2920]
:WIREGUARD_wg0 - [0:0]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
[0:0] -A FORWARD -j WIREGUARD_wg0
[0:0] -A WIREGUARD_wg0 -s 10.11.0.2/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.3/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.4/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.5/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.151/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.0.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -j RETURN
COMMIT
# Completed on Sat Sep 3 21:07:01 2022
Can anyone suggest what I'm missing? Many thanks. Paul.
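As an added example, not part of the original post: a small Python evaluator for the saved FORWARD and WIREGUARD_wg0 rules shown above (only -s, -d, -i and -j are modelled, the rule list is abridged). It shows that the pre-existing -A FORWARD -i wg0 -j ACCEPT, which sits in front of the jump, matches every packet from wg0 first, so client 10.11.0.6 never reaches its restricting rules; the same rules with the jump at the head of FORWARD (what iptables -I FORWARD 1 -j WIREGUARD_wg0 would give) produce the intended DROP.

```python
import ipaddress

# Added example, not from the original post: the FORWARD/WIREGUARD_wg0 rules
# saved after `wg-quick up wg0` (copied from the post, abridged, counters dropped).
SAVED_RULES = """\
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -j WIREGUARD_wg0
-A WIREGUARD_wg0 -s 10.11.0.2/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.101/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.6/32 -i wg0 -j DROP
-A WIREGUARD_wg0 -i wg0 -j DROP
-A WIREGUARD_wg0 -j RETURN
"""

def parse_rules(text):
    """Group '-A CHAIN <matches> -j TARGET' lines by chain, keeping their order."""
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        opts = dict(zip(tok[0::2], tok[1::2]))  # each option used here takes one value
        chains.setdefault(opts["-A"], []).append({
            "src": ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
            "dst": ipaddress.ip_network(opts["-d"]) if "-d" in opts else None,
            "iif": opts.get("-i"), "target": opts["-j"]})
    return chains

def _walk(chains, src, dst, iif, chain):
    """First matching terminal target wins; RETURN or end of a user chain resumes the caller."""
    for r in chains.get(chain, []):
        if (r["src"] and src not in r["src"]) or (r["dst"] and dst not in r["dst"]) \
                or (r["iif"] and r["iif"] != iif):
            continue
        if r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
        if r["target"] == "RETURN":
            return None
        sub = _walk(chains, src, dst, iif, r["target"])  # jump into a user chain
        if sub is not None: return sub
    return None

def verdict(chains, src, dst, iif="wg0", policy="ACCEPT"):
    """FORWARD verdict for one packet; the chain policy (ACCEPT in the post) applies otherwise."""
    v = _walk(chains, ipaddress.ip_address(src), ipaddress.ip_address(dst), iif, "FORWARD")
    return policy if v is None else v

def jump_first(text):
    """Same rules with the jump at position 1 of FORWARD (iptables -I FORWARD 1 instead of -A)."""
    jump = "-A FORWARD -j WIREGUARD_wg0"
    return "\n".join([jump] + [l for l in text.splitlines() if l != jump])
```

Running verdict(parse_rules(SAVED_RULES), "10.11.0.6", "10.1.2.50") returns ACCEPT because the first FORWARD rule shadows the whole WIREGUARD_wg0 chain, while the jump_first variant returns DROP for the same packet and still ACCEPTs 10.11.0.6 to 10.1.1.101.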
Can these rules be shortened to a single line:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3050 -j DNAT --to-destination 192.168.1.3:3050
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3051 -j DNAT --to-destination 192.168.1.3:3051
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3052 -j DNAT --to-destination 192.168.1.3:3052
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3053 -j DNAT --to-destination 192.168.1.3:3053
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3054 -j DNAT --to-destination 192.168.1.3:3054
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3055 -j DNAT --to-destination 192.168.1.3:3055
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3056 -j DNAT --to-destination 192.168.1.3:3056