我所做的非常简单,我使用端口转发并在 POSTROUTING 链上启用伪装:
table inet nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
ip daddr 198.51.100.105 counter dnat to 10.8.0.105 comment "host.example.com"
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
counter masquerade
}
}
我的机器上有以下接口:
1: lo
2: ens18
3: ens19
4: wg0
路线是:
default via 203.0.113.1 dev ens18 onlink
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1
198.51.100.0/24 dev ens19 proto kernel scope link src 198.51.100.3
203.0.113.0/24 dev ens18 proto kernel scope link src 203.0.113.134
规则是:
0: from all lookup local
32764: from all to 198.51.100.0/24 lookup subnets
32765: from 198.51.100.0/24 lookup subnets
32766: from all lookup main
32767: from all lookup default
的输出ip route get 198.51.100.105
是:
local 198.51.100.105 dev lo table local src 198.51.100.3 uid 0
cache <local>
的输出ip route show table subnets
:
default via 198.51.100.1 dev ens19
198.51.100.0/24 dev ens19 scope link src 198.51.100.3
现在,当我从外部 VPS 或家里的 DSL ping公共地址时,我可以验证不仅收到了 ICMP 数据包,而且还回复了:198.51.100.105
ICMP 请求
root@debian:~# tcpdump -i ens19 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens19, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:35:51.686208 IP 192.0.2.2 > 198.51.100.105: ICMP echo request, id 14855, seq 1, length 64
ICMP 回复
root@debian:~# tcpdump -i ens18 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:35:38.797502 IP 198.51.100.105 > 192.0.2.2: ICMP echo reply, id 5107, seq 1, length 64
但正如您所看到的,响应来自错误的接口。应该是ens19
,但是使用了ens18
,我不明白为什么。
为什么不遵守路线/规则?子网
198.51.100.0/24
没有任何关系ens18
,甚至是不同的VLAN。难道 nftables 不能为伪装的数据包强制使用不同的出站接口吗?
非常感谢您的帮助。
编辑: 的输出ip -br link; ip -4 -br addr; ip -4 route; ip rule; ip rule show table subnets
是:
ip -br link; ip -4 -br addr; ip -4 route; ip rule; ip rule show table subnets
lo UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
ens18 UP a6:ea:02:1c:XX:XX <BROADCAST,MULTICAST,UP,LOWER_UP>
ens19 UP ac:71:fe:18:XX:XX <BROADCAST,MULTICAST,UP,LOWER_UP>
wg0 UNKNOWN <POINTOPOINT,NOARP,UP,LOWER_UP>
lo UNKNOWN 127.0.0.1/8
ens18 UP 203.0.113.134/24
ens19 UP 198.51.100.3/24 198.51.100.100/24 198.51.100.101/24 198.51.100.102/24 198.51.100.103/24 198.51.100.104/24 198.51.100.105/24
wg0 UNKNOWN 10.8.0.1/24
default via 203.0.113.1 dev ens18 onlink
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1
198.51.100.0/24 dev ens19 proto kernel scope link src 198.51.100.3
203.0.113.0/24 dev ens18 proto kernel scope link src 203.0.113.134
0: from all lookup local
32764: from all to 198.51.100.0/24 lookup subnets
32765: from 198.51.100.0/24 lookup subnets
32766: from all lookup main
32767: from all lookup default
32764: from all to 198.51.100.0/24 lookup subnets
32765: from 198.51.100.0/24 lookup subnets
线卫
命令输出wg
:
interface: wg0
public key: XrSd2TftIpiL3zhXXX=
private key: (hidden)
listening port: 51820
peer: gZ89rFX6DvBtdeuYXXX=
endpoint: 233.252.0.0:39126
allowed ips: 10.8.0.0/24
latest handshake: 20 seconds ago
transfer: 3.42 MiB received, 4.08 MiB sent
命令输出systemctl status [email protected]
:
● [email protected] - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/[email protected]; enabled; preset: enabled)
Active: active (exited) since Sat 2023-08-05 23:42:48 CEST; 14h ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 690 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 690 (code=exited, status=0/SUCCESS)
CPU: 27ms
Aug 05 23:42:48 debian systemd[1]: Starting [email protected] - WireGuard via wg-quick(8) for wg0...
Aug 05 23:42:48 debian wg-quick[690]: [#] ip link add wg0 type wireguard
Aug 05 23:42:48 debian wg-quick[690]: [#] wg setconf wg0 /dev/fd/63
Aug 05 23:42:48 debian wg-quick[690]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Aug 05 23:42:48 debian wg-quick[690]: [#] ip link set mtu 1420 up dev wg0
Aug 05 23:42:48 debian systemd[1]: Finished [email protected] - WireGuard via wg-quick(8) for wg0.
服务器:/etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8BspU4XXX=
[Peer]
PublicKey = gZ89rFX6DvBtdeuYXXX=
AllowedIPs = 10.8.0.0/24
Endpoint = 233.252.0.0:58642
对等点:/etc/wireguard/wg0.conf
[Interface]
# Client Private Key
PrivateKey = iO00+qQDXXX=
Address = 10.8.0.107/24
[Peer]
# Server Public Key
PublicKey = XrSd2TftIpiL3zhXXX=
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
Endpoint = 198.51.100.3:51820