主页 / ubuntu / 问题 / 1300342
Accepted
bomben
Asked: 2020-12-16 08:20:25 +0800 CST

即使传出流量仅限于 tun0 上的 VPN,通过 enp3s0 (eth0) 下载种子是否正确?

  • 772

我根据此处Musclehead 的回答修改了我的 iptables,以便我transmission-daemon可以将传出流量发送到tun0(这是一个 VPN)。

(提示:我eth0的被称为enp3s0。)

现在,如果我添加一个 torrent下载并且我观察流量,sudo iptables -L -v唯一增加的数字与INPUT链相关enp3s0(这是我的以太网端口)。这些数字与我从 VPN 获得的状态相加。

这是否意味着我下载到我原来的 WAN 地址而不是隧道?

我认为当我添加一个 torrent 时,有关下载它的信息将被发送,tun0因此答案应该回到那个 IP 范围。

正如您在此处看到的,我生成的两个输出相隔几秒钟,设备上的流量从1356M到增加。2201Menp3s0

 $ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2417  172K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 170K   17M ACCEPT     all  --  tun0   any     anywhere             anywhere            
 330K 1356M ACCEPT     all  --  enp3s0 any     anywhere --THIS LINE anywhere            
  942  134K ACCEPT     all  --  lo     any     anywhere             anywhere            

...          

Chain OUTPUT (policy ACCEPT 483K packets, 269M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   19  6545 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/24     tcp spt:9091 owner GID match debian-transmission
    0     0 ACCEPT     udp  --  any    enp3s0  anywhere             192.168.100.0/24     udp spt:9091 owner GID match debian-transmission
 229K  210M ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
  221 57168 ACCEPT     all  --  any    lo      anywhere             anywhere             owner GID match debian-transmission
   92  5372 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable

...

秒后的第二个输出:

$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2431  173K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 170K   17M ACCEPT     all  --  tun0   any     anywhere             anywhere            
 384K 2201M ACCEPT     all  --  enp3s0 any     anywhere --THIS LINE anywhere            
  942  134K ACCEPT     all  --  lo     any     anywhere             anywhere            

...          

Chain OUTPUT (policy ACCEPT 536K packets, 272M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   19  6545 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/24     tcp spt:9091 owner GID match debian-transmission
    0     0 ACCEPT     udp  --  any    enp3s0  anywhere             192.168.100.0/24     udp spt:9091 owner GID match debian-transmission
 229K  210M ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
  221 57168 ACCEPT     all  --  any    lo      anywhere             anywhere             owner GID match debian-transmission
   92  5372 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable

...

我还将添加我的路由表输出以便更好地理解:

 $ ip route show table local
broadcast 10.8.8.0 dev tun0  proto kernel  scope link  src 10.8.8.5 
local 10.8.8.5 dev tun0  proto kernel  scope host  src 10.8.8.5 
broadcast 10.8.8.255 dev tun0  proto kernel  scope link  src 10.8.8.5 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast 192.168.100.0 dev enp3s0  proto kernel  scope link  src 192.168.100.91 
local 192.168.100.91 dev enp3s0  proto kernel  scope host  src 192.168.100.91 
broadcast 192.168.100.255 dev enp3s0  proto kernel  scope link  src 192.168.100.91
networking iptables vpn transmission

1 个回答

  1. Best Answer

    我与 VPN 公司的人进行了核对,他们分析了以下输出。他们说这两个 IP(我更改了它们)都是 VPN IP,所以我的 VPN 没有泄漏但连接正确。当然,它也在传输一些ssh流量,因为我用它登录了 PC。

    但他们发现奇怪的是,我在问题中发布tun0的链中看不到这种流量。iptable见下文。

    关于流量通过的事实enp3s0,这是正确的,因为来自的流量tun0被转发(加密)到以太网端口。

     $ sudo tcpdump -i enp3s0 not src 84.17.47.59
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:35:14.533573 IP 192.168.100.91.ssh > 192.168.100.210.59004: Flags [P.], seq 835793677:835793865, ack 3278619125, win 318, options [nop,nop,TS val 19307620 ecr 4023390051], length 188
10:35:14.534084 IP 192.168.100.91.47524 > 203.179.83.129.openvpn: UDP, length 164
10:35:14.534399 IP 206.189.83.129.openvpn > 192.168.100.91.47524: UDP, length 468

    此外,我的防火墙规则从,和链以及其他特定于 ufw 的链ufw中丢失。像那些:INPUTFORWARDOUTPUT

      199 13931 ufw-after-output  all  --  any    any     anywhere             anywhere            
  199 13931 ufw-after-logging-output  all  --  any    any     anywhere             anywhere            
  199 13931 ufw-reject-output  all  --  any    any     anywhere             anywhere            
  199 13931 ufw-track-output  all  --  any    any     anywhere             anywhere

    一旦我删除了包和设置,并清除了所有特定的链iptables,然后从头开始设置所有内容,它就可以工作了。现在也可以看到传入的流量。tun0

    回答这个问题:是的,传出的流量最终会在被eth隧道化后转移到tun0。两个值应该加起来。

    • 0

相关问题