Iptables
ip6tables SNAT does not work properly
I have three computers, called laptop, vds and home.
vds is an OpenVPN server; home is an OpenVPN client. I also have an IPv6 network, 2a01:dead:beef::/64.
vds has the address 2a01:dead:beef::311 on tun0.
home has the address 2a01:dead:beef::312 on tun0.
laptop has the address 2a01:beef:beef::666 on en3.
I want to reach home from laptop through vds, so on vds I did the following:
On vds I added an extra address, 2a01:dead:beef::2ea, and set up these ip6tables rules:
    ip6tables -t nat -A PREROUTING -i eth0 -d 2a01:dead:beef::2ea -j DNAT --to-destination 2a01:dead:beef::312
    ip6tables -t nat -A POSTROUTING -s 2a01:dead:beef::312 -o tun0 -j SNAT --to-source 2a01:dead:beef::2ea
I changed the routes on vds:
    vds:~/>ip -6 r
    2a01:dead:beef::312 dev tun0 metric 1
    2a01:dead:beef::/64 dev eth0 proto kernel metric 256
    2a01:dead:beef::/64 dev tun0 proto kernel metric 256
    fe80::/64 dev eth0 proto kernel metric 256
    default via 2a01:dead:beef::1 dev eth0 metric 1024
And in the OpenVPN server config I added
    push "route-ipv6 2000::/3"
so that tun0 on home became the default IPv6 route:
    home:~/>ip -6 r
    2a01:dead:beef::/64 dev tun0 proto kernel metric 256
    2000::/3 dev tun0 metric 1
    fe80::/64 dev mlan0 proto kernel metric 256
    fe80::/64 dev eth11 proto kernel metric 256
    fe80::/64 dev tun0 proto kernel metric 256
Now, if I ping 2a01:dead:beef::2ea from laptop, DNAT and SNAT work fine and I get replies:
    laptop:~/>ping6 2a01:dead:beef::2ea
    PING6(56=40+8+8 bytes) 2a01:beef:beef::666 --> 2a01:dead:beef::2ea
    16 bytes from 2a01:dead:beef::2ea, icmp_seq=0 hlim=55 time=108.618 ms
    16 bytes from 2a01:dead:beef::2ea, icmp_seq=1 hlim=55 time=108.752 ms
But if I ping laptop from home, I get no replies:
    home:~/>ping6 2a01:beef:beef::666
    PING 2a01:beef:beef::666 (2a01:beef:beef:0:0:0:0:666) 56 data bytes
    ^C
    --- 2a01:beef:beef::666 ping statistics ---
    8 packets transmitted, 0 received, 100% packet loss, time 6999ms
I started tcpdump on laptop, and this is what I see:
    laptop:~/>sudo /usr/sbin/tcpdump -i en3 -n -nn -ttt "ip6[40]=128 or ip6[40]=129"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on en3, link-type EN10MB (Ethernet), capture size 65535 bytes
    00:00:00.000000 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 1, length 64
    00:00:00.000050 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 1, length 64
    00:00:00.999054 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 2, length 64
    00:00:00.000045 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 2, length 64
    00:00:00.999858 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 3, length 64
    00:00:00.000038 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 3, length 64
    00:00:00.999968 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 4, length 64
    00:00:00.000158 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 4, length 64
So the echo requests come from 2a01:dead:beef::312 instead of 2a01:dead:beef::2ea, which means SNAT is not changing the source address this time. Guys, can you tell me what I am doing wrong here?
I messed up the SNAT rule here. The correct rule is
    ip6tables -t nat -A POSTROUTING -s 2a01:dead:beef::312 -o eth0 -j SNAT --to-source 2a01:dead:beef::2ea
I changed the outgoing interface from tun0 to eth0, because I want to match packets going out to the outside, not to the inside. I am still confused about how this works; if you know how, please post it as an answer.
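Added example (not part of the question or the answer above, and not the poster's code): the complete NAT setup for vds with the broken POSTROUTING rule beside the corrected one, plus a small check that models why only the corrected one fires. The reasoning it encodes: in the nat table, PREROUTING's -i names the interface a packet arrived on and POSTROUTING's -o names the interface the packet is about to leave on. A packet that home originates toward the laptop enters vds on tun0 and leaves on eth0, so "-s ::312 -o tun0" can never match it; the only packets leaving vds on tun0 are the DNATed laptop-to-home ones, whose source is the laptop. The laptop-to-::2ea test passed without the SNAT rule doing any work: the DNAT mapping recorded in conntrack is reversed on home's replies automatically. Addresses and interface names are the question's own; the route lookup in the script is a two-entry simplification of the vds routing table shown in the question (the /128 host route via tun0 and the default route via eth0), and ip6tables is only invoked when the script runs as root with --apply.

```shell
#!/bin/sh
# Added example for the vds relay in the question above (not the poster's code).
# Addresses and interfaces are the question's; everything else is assumed.

PUBLIC_ADDR="2a01:dead:beef::2ea"   # extra address on vds, reachable from laptop
HOME_ADDR="2a01:dead:beef::312"     # home's tun0 address
WAN_IF="eth0"                       # vds interface toward the internet
VPN_IF="tun0"                       # vds interface toward home

# Execute a command if we are root and ip6tables exists; otherwise echo it.
run() {
    if [ "$(id -u)" -eq 0 ] && command -v ip6tables >/dev/null 2>&1; then
        "$@"
    else
        echo "dry-run: $*"
    fi
}

# Inbound laptop -> ::2ea: rewrite the destination before routing so the packet
# is forwarded out tun0 to home. conntrack records the mapping and reverses it
# on home's replies; no SNAT rule is involved in that direction.
dnat_rule() {
    echo "-t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_ADDR -j DNAT --to-destination $HOME_ADDR"
}

# BROKEN (the question's original rule): POSTROUTING -o is the interface the
# packet is leaving on. Traffic home originates toward the laptop leaves vds
# on eth0, so "-o tun0" never sees it.
snat_rule_broken() {
    echo "-t nat -A POSTROUTING -s $HOME_ADDR -o $VPN_IF -j SNAT --to-source $PUBLIC_ADDR"
}

# CORRECT (the accepted answer): match home's packets as they exit on eth0.
snat_rule_fixed() {
    echo "-t nat -A POSTROUTING -s $HOME_ADDR -o $WAN_IF -j SNAT --to-source $PUBLIC_ADDR"
}

# Simplified route lookup over the two vds routes that matter here: the /128
# host route to home via tun0, and the default route via eth0. Prints the
# interface a packet to $1 leaves on.
egress_iface() {
    case "$1" in
        "$HOME_ADDR") echo "$VPN_IF" ;;
        *)            echo "$WAN_IF" ;;
    esac
}

# Would a POSTROUTING rule "-s $HOME_ADDR -o <iface>" fire for a packet
# src -> dst? Prints yes or no. Usage: snat_fires <iface> <src> <dst>
snat_fires() {
    iface=$1; src=$2; dst=$3
    if [ "$src" = "$HOME_ADDR" ] && [ "$(egress_iface "$dst")" = "$iface" ]; then
        echo yes
    else
        echo no
    fi
}

# Install the working ruleset and show the counters; the pkts column of the
# POSTROUTING rule must rise while home pings the laptop.
apply_rules() {
    run ip6tables $(dnat_rule)
    run ip6tables $(snat_rule_fixed)
    run ip6tables -t nat -L POSTROUTING -v -n
}

# Show why the original rule stayed idle for home -> laptop traffic.
echo "home -> laptop leaves vds on: $(egress_iface 2a01:beef:beef::666)"
echo "broken rule (-o $VPN_IF) fires: $(snat_fires "$VPN_IF" "$HOME_ADDR" 2a01:beef:beef::666)"
echo "fixed rule  (-o $WAN_IF) fires: $(snat_fires "$WAN_IF" "$HOME_ADDR" 2a01:beef:beef::666)"

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it as root on vds with --apply to install the rules; without --apply (or without root) it only prints the commands and the interface check. After applying, the laptop's tcpdump from the question should show echo requests arriving from 2a01:dead:beef::2ea, and the pkts counter on the POSTROUTING rule in the listing should advance with each request from home.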