user156661
Asked: 2021-10-19 06:54:57 +0800 CST

Linux routing and port forwarding to a secondary network not working from the WAN


I have a Linux box acting as a router, with two interfaces:

  • eth0 - 192.168.0.61
  • as0t0 - 172.27.224.1

The network 192.168.2.0/24 is reachable through as0t0, so I have this route:

[[email protected] ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 eth0
172.27.224.0    0.0.0.0         255.255.240.0   U     0      0        0 as0t0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 as0t0

I also have a port forwarding rule:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8123 -j DNAT --to-destination 192.168.2.245:8123

Currently hosts on 192.168.0.0/24 can use the web server at 192.168.2.245:8123 perfectly, but it does not work for hosts on the WAN. The main router is 192.168.0.251, with the route and the port forward in place.

The packets arrive at 192.168.0.61 on eth0, but they do not go out through as0t0, and I don't know why.

For example, when host 192.168.0.6 accesses 192.168.0.61:8123 with a web browser, everything works:

[[email protected] ~]# tcpdump -i eth0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:47:22.232044 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [SEW], seq 361471277, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:47:22.305155 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [S.], seq 226116772, ack 361471278, win 64240, options [mss 1258,nop,nop,sackOK,nop,wscale 7], length 0
16:47:22.305722 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [.], ack 1, win 1027, length 0
16:47:22.305868 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [P.], seq 1:601, ack 1, win 1027, length 600
16:47:22.446997 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [.], ack 601, win 501, length 0
16:47:22.447020 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 1:170, ack 601, win 501, length 169
16:47:22.447035 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 170:230, ack 601, win 501, length 60
16:47:22.447484 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [.], ack 230, win 1026, length 0
16:47:22.537873 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [P.], seq 601:1431, ack 230, win 1026, length 830
16:47:22.646742 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [.], ack 1431, win 501, length 0
16:47:22.646762 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 230:400, ack 1431, win 501, length 170
16:47:22.646777 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 400:570, ack 1431, win 501, length 170
16:47:22.647193 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [.], ack 570, win 1024, length 0
...

[[email protected] ~]# tcpdump -i as0t0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on as0t0, link-type RAW (Raw IP), capture size 262144 bytes
16:47:22.232111 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [SEW], seq 361471277, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:47:22.305136 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [S.], seq 226116772, ack 361471278, win 64240, options [mss 1258,nop,nop,sackOK,nop,wscale 7], length 0
16:47:22.305863 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 1, win 1027, length 0
16:47:22.305872 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 1:601, ack 1, win 1027, length 600
16:47:22.446980 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 601, win 501, length 0
16:47:22.447013 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 1:170, ack 601, win 501, length 169
16:47:22.447030 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 170:230, ack 601, win 501, length 60
16:47:22.447495 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 230, win 1026, length 0
16:47:22.537892 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 601:1431, ack 230, win 1026, length 830
16:47:22.646728 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 1431, win 501, length 0
16:47:22.646755 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 230:400, ack 1431, win 501, length 170
16:47:22.646771 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 400:570, ack 1431, win 501, length 170
16:47:22.647207 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 570, win 1024, length 0


[email protected]:~ $ sudo tcpdump -i tun0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:47:22.283238 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [SEW], seq 361471277, win 64240, options [mss 1258,nop,wscale 8,nop,nop,sackOK], length 0
16:47:22.283327 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [S.], seq 226116772, ack 361471278, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:47:22.375692 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 1, win 1027, length 0
16:47:22.375946 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 1:601, ack 1, win 1027, length 600
16:47:22.375988 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 601, win 501, length 0
16:47:22.383365 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 1:170, ack 601, win 501, length 169
16:47:22.383586 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 170:230, ack 601, win 501, length 60
16:47:22.494391 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 230, win 1026, length 0
16:47:22.585272 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 601:1431, ack 230, win 1026, length 830
16:47:22.585325 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 1431, win 501, length 0
16:47:22.593274 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 230:400, ack 1431, win 501, length 170
16:47:22.594160 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 400:570, ack 1431, win 501, length 170
16:47:22.693687 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 570, win 1024, length 0

But when the request comes from the Internet, 192.168.0.61 receives it but it is not forwarded through as0t0. For example:

[[email protected] ~]# tcpdump -i eth0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:51:55.079366 IP 185.157.131.172.54673 > 192.168.0.61.8123: Flags [S], seq 331949659, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:55.759341 IP 185.157.131.172.54674 > 192.168.0.61.8123: Flags [S], seq 459540767, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:55.785218 IP 185.157.131.172.54675 > 192.168.0.61.8123: Flags [S], seq 3837920396, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.037321 IP 185.157.131.172.54676 > 192.168.0.61.8123: Flags [S], seq 1212264514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.095399 IP 185.157.131.172.54673 > 192.168.0.61.8123: Flags [S], seq 331949659, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.775268 IP 185.157.131.172.54674 > 192.168.0.61.8123: Flags [S], seq 459540767, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.797301 IP 185.157.131.172.54675 > 192.168.0.61.8123: Flags [S], seq 3837920396, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:57.055209 IP 185.157.131.172.54676 > 192.168.0.61.8123: Flags [S], seq 1212264514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:58.115261 IP 185.157.131.172.54673 > 192.168.0.61.8123: Flags [S], seq 331949659, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:58.799213 IP 185.157.131.172.54674 > 192.168.0.61.8123: Flags [S], seq 459540767, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:58.800187 IP 185.157.131.172.54675 > 192.168.0.61.8123: Flags [S], seq 3837920396, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:59.067247 IP 185.157.131.172.54676 > 192.168.0.61.8123: Flags [S], seq 1212264514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
...



[[email protected]~]# tcpdump -i as0t0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on as0t0, link-type RAW (Raw IP), capture size 262144 bytes


[email protected]:~ $ sudo tcpdump -i tun0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes

I don't know how to continue troubleshooting. Any ideas?

Thanks

Edit 1:

[[email protected] ~]# iptables-save -c
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*mangle
:PREROUTING ACCEPT [47:10649]
:INPUT ACCEPT [560:148103]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [548:147705]
:POSTROUTING ACCEPT [548:147705]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
[533:144894] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
[2:251] -A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
[533:144894] -A AS0_MANGLE_PRE_REL_EST -j ACCEPT
[2:251] -A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
[2:251] -A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Tue Oct 19 16:14:28 2021
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*raw
:PREROUTING ACCEPT [611:161750]
:OUTPUT ACCEPT [577:150493]
COMMIT
# Completed on Tue Oct 19 16:14:28 2021
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*filter
:INPUT ACCEPT [7:1954]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [504:140983]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_OPENVPN_IN - [0:0]
:AS0_U_OPENVPN_OUT - [0:0]
:AS0_WEBACCEPT - [0:0]
[534:144934] -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
[13:780] -A INPUT -i lo -j AS0_ACCEPT
[0:0] -A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
[2:120] -A INPUT -d 192.168.0.61/32 -p tcp -m state --state NEW -m tcp --dport 1194 -j AS0_ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
[0:0] -A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
[0:0] -A FORWARD -o as0t+ -j AS0_OUT_S2C
[0:0] -A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
[549:145834] -A AS0_ACCEPT -j ACCEPT
[0:0] -A AS0_IN -d 172.27.224.1/32 -j ACCEPT
[0:0] -A AS0_IN -s 172.27.224.2/32 -j AS0_U_OPENVPN_IN
[0:0] -A AS0_IN -s 192.168.2.0/24 -j AS0_U_OPENVPN_IN
[0:0] -A AS0_IN -j AS0_IN_POST
[0:0] -A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
[0:0] -A AS0_IN_NAT -j ACCEPT
[0:0] -A AS0_IN_POST -d 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_IN_POST -o as0t+ -j AS0_OUT
[0:0] -A AS0_IN_POST -j DROP
[0:0] -A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
[0:0] -A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
[0:0] -A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
[0:0] -A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
[0:0] -A AS0_IN_PRE -j DROP
[0:0] -A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
[0:0] -A AS0_IN_ROUTE -j ACCEPT
[0:0] -A AS0_OUT -d 172.27.224.2/32 -j AS0_U_OPENVPN_OUT
[0:0] -A AS0_OUT -d 192.168.2.0/24 -j AS0_U_OPENVPN_OUT
[0:0] -A AS0_OUT -j AS0_OUT_POST
[0:0] -A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
[0:0] -A AS0_OUT_LOCAL -j ACCEPT
[0:0] -A AS0_OUT_POST -j DROP
[0:0] -A AS0_OUT_S2C -s 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_OUT_S2C -j AS0_OUT
[0:0] -A AS0_U_OPENVPN_IN -d 192.168.0.0/24 -j AS0_IN_ROUTE
[0:0] -A AS0_U_OPENVPN_IN -j AS0_IN_POST
[0:0] -A AS0_U_OPENVPN_OUT -s 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -s 192.168.2.0/24 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -s 172.27.224.0/20 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -j AS0_OUT_POST
[0:0] -A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Tue Oct 19 16:14:28 2021
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*nat
:PREROUTING ACCEPT [36:10120]
:INPUT ACCEPT [14:2429]
:OUTPUT ACCEPT [18:1141]
:POSTROUTING ACCEPT [18:1141]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
[0:0] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1883 -j DNAT --to-destination 192.168.2.245:1883
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1884 -j DNAT --to-destination 192.168.2.245:1884
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 8123 -j DNAT --to-destination 192.168.2.245:8123
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.2.245:22
[0:0] -A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
[0:0] -A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
[0:0] -A AS0_NAT -o eth0 -j SNAT --to-source 192.168.0.61
[0:0] -A AS0_NAT -j ACCEPT
[0:0] -A AS0_NAT_POST_REL_EST -j ACCEPT
[0:0] -A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
[0:0] -A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -j AS0_NAT
[0:0] -A AS0_NAT_PRE_REL_EST -j ACCEPT
[0:0] -A AS0_NAT_TEST -o as0t+ -j ACCEPT
[0:0] -A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
[0:0] -A AS0_NAT_TEST -d 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_NAT_TEST -d 192.168.2.0/24 -j ACCEPT
[0:0] -A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
[0:0] -A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Tue Oct 19 16:14:28 202

Edit 2: As @ab suggested, I am providing more information about the network layout, since there is an OpenVPN tunnel (routed) that may be filtering some packets. The OpenVPN tunnel is drawn as a ray.

[Figure: network layout] In the example, 192.168.0.6 can get through the tunnel, but the public IP (185.157.131.172) cannot.
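Added example (not from the question, and not OpenVPN Access Server's own code): a small rule walker over the filter FORWARD path copied from the iptables-save above, showing the verdict those posted rules give a packet that has already been DNATed to 192.168.2.245 and routed out as0t0. It assumes the packet is NEW and arrived on eth0, so the state and mark matches are skipped; those are the only rules left out.

```python
import ipaddress
# Constructed subset of the posted iptables-save: the filter FORWARD path toward as0t+. State and
# mark matches are omitted (assumption): a NEW packet from eth0 is not RELATED,ESTABLISHED and
# carries no 0x2000000 mark, because mangle sets that mark only for -i as0t+.
RULES = """
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A AS0_OUT_S2C -s 192.168.0.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_OUT -d 172.27.224.2/32 -j AS0_U_OPENVPN_OUT
-A AS0_OUT -d 192.168.2.0/24 -j AS0_U_OPENVPN_OUT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_POST -j DROP
-A AS0_U_OPENVPN_OUT -s 192.168.0.0/24 -j ACCEPT
-A AS0_U_OPENVPN_OUT -s 192.168.2.0/24 -j ACCEPT
-A AS0_U_OPENVPN_OUT -s 172.27.224.0/20 -j ACCEPT
-A AS0_U_OPENVPN_OUT -j AS0_OUT_POST
"""
POLICY = {"FORWARD": "ACCEPT"}  # ":FORWARD ACCEPT" in the dump

def parse(text):
    """'-A CHAIN [-s net] [-d net] [-o iface] -j TARGET' lines -> {chain: [{flag: value}]}."""
    chains = {}
    for line in text.strip().splitlines():
        toks = line.split()
        chains.setdefault(toks[1], []).append(dict(zip(toks[2::2], toks[3::2])))
    return chains

def iface_match(pattern, iface):
    # iptables' trailing '+' is a prefix wildcard: as0t+ matches as0t0, as0t1, ...
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def walk(chains, chain, src, dst, out, path):
    """Return ACCEPT/DROP, or None when the chain falls through (implicit RETURN)."""
    for r in chains.get(chain, []):
        if ("-s" in r and src not in ipaddress.ip_network(r["-s"])) \
                or ("-d" in r and dst not in ipaddress.ip_network(r["-d"])) \
                or ("-o" in r and not iface_match(r["-o"], out)):
            continue
        path.append(f"{chain} -> {r['-j']}")
        verdict = (r["-j"] if r["-j"] in ("ACCEPT", "DROP")
                   else walk(chains, r["-j"], src, dst, out, path))
        if verdict:
            return verdict
    return None

def forward_verdict(src, dst="192.168.2.245", out="as0t0"):
    """Verdict and the chain path for a packet src -> dst leaving via `out`."""
    path = []
    verdict = walk(parse(RULES), "FORWARD", ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), out, path)
    return verdict or POLICY["FORWARD"], path
```

On the live box the same answer is in the counters of `iptables-save -c`: the [pkts:bytes] on `-A AS0_OUT_POST -j DROP` is the number to watch while a WAN client retries.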

linux routing port forwarding