我有一个如下图所示的家庭网络设置(请原谅画得不好)。VM1是一个 VPN“路由器”,它将所有流量重定向VMBR1到WG(wireguard)接口。我已成功将 iptables 配置为在 SSH 从我的家庭网络 ( 192.168.0.0/24) 进入VM1或VM2( 192.168.1.0/24) 时跳转主机。这是 iptables 配置VM1:
# forward traffics from eth1 to wg interface
iptables -t nat -A POSTROUTING -o wg -j MASQUERADE
iptables -A FORWARD -i eth1 -o wg -j ACCEPT
# SSH jumping from home network to VM1/VM2
iptables -t nat -A PREROUTING -d 192.168.0.0/24 -p tcp --dport 2222 -i eth0 -j DNAT --to-destination 192.168.1.101:22
到目前为止,它只是单向 SSH,这意味着我无法从 VM2 ( 192.168.1.101) 到家庭设备(例如192.168.0.132)进行 SSH。我尝试将其添加到最顶部,但仍然无法 SSH
iptables -t nat -A PREROUTING -s 192.168.1.101/32 -p tcp --dport 2222 -i eth1 -j DNAT --to-destination 192.168.0.132:22
ipVM1 的输出
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether <REDACTED> brd ff:ff:ff:ff:ff:ff
altname enp0s0
inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::84de:7bff:feff:6731/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether <REDACTED> brd ff:ff:ff:ff:ff:ff
altname enp1s1
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::e455:aeff:fe62:7cc1/64 scope link
valid_lft forever preferred_lft forever
4: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.X.X.X/32 scope global sg
valid_lft forever preferred_lft forever
inet6 fd7d:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/128 scope global
valid_lft forever preferred_lft forever
$ ip ru
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default
$ ip r show table all
default dev wg table 51820 scope link
default via 192.168.0.1 dev eth0 proto static
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.101
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
local 10.X.X.X dev wg table local proto kernel scope host src 10.X.X.X
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.0.101 dev eth0 table local proto kernel scope host src 192.168.0.101
broadcast 192.168.0.255 dev eth0 table local proto kernel scope link src 192.168.0.101
local 192.168.1.1 dev eth1 table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.1
default dev wg table 51820 metric 1024 pref medium
::1 dev lo proto kernel metric 256 pref medium
fd7d:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX dev wg proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fd7d:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX dev wg table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
local fe80::84de:7bff:feff:6731 dev eth0 table local proto kernel metric 0 pref medium
local fe80::e455:aeff:fe62:7cc1 dev eth1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg table local proto kernel metric 256 pref medium
知道如何解决这个问题吗?提前致谢。
编辑:我的设置基于此图,这应该显示不同的子网。
