Iptables

ip6tables SNAT does not work properly

  • March 18, 2015

I have three computers, named laptop, vds and home;

vds is the OpenVPN server; home is the OpenVPN client. Also, I have an IPv6 network 2a01:dead:beef::/64

vds has the address 2a01:dead:beef::311 on tun0

home has the address 2a01:dead:beef::312 on tun0

laptop has the address 2a01:beef:beef::666 on en3

I want to reach home from laptop through vds, so this is what I did on vds:

On vds I added an additional address 2a01:dead:beef::2ea, and I set up these ip6tables rules:

ip6tables -t nat -A PREROUTING -i eth0 -d 2a01:dead:beef::2ea -j DNAT --to-destination 2a01:dead:beef::312
ip6tables -t nat -A POSTROUTING -s 2a01:dead:beef::312 -o tun0 -j SNAT --to-source 2a01:dead:beef::2ea 

And I changed the routes on vds:

vds:~/>ip -6 r
2a01:dead:beef::312 dev tun0  metric 1
2a01:dead:beef::/64 dev eth0  proto kernel  metric 256
2a01:dead:beef::/64 dev tun0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default via 2a01:dead:beef::1 dev eth0  metric 1024

And in the OpenVPN server config I added

push "route-ipv6 2000::/3"

so tun0 on home became the default IPv6 route:

home:~/>ip -6 r
2a01:dead:beef::/64 dev tun0  proto kernel  metric 256
2000::/3 dev tun0  metric 1
fe80::/64 dev mlan0  proto kernel  metric 256
fe80::/64 dev eth11  proto kernel  metric 256
fe80::/64 dev tun0  proto kernel  metric 256

Now, if I ping 2a01:dead:beef::2ea from laptop, DNAT and SNAT work fine and I get replies:

laptop:~/>ping6 2a01:dead:beef::2ea
PING6(56=40+8+8 bytes) 2a01:beef:beef::666 --> 2a01:dead:beef::2ea
16 bytes from 2a01:dead:beef::2ea, icmp_seq=0 hlim=55 time=108.618 ms
16 bytes from 2a01:dead:beef::2ea, icmp_seq=1 hlim=55 time=108.752 ms

But if I ping my laptop from home, I get no reply:

home:~/>ping6 2a01:beef:beef::666
PING 2a01:beef:beef::666 (2a01:beef:beef:0:0:0:0:666) 56 data bytes
^C
--- 2a01:beef:beef::666 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms

I started tcpdump on the laptop, and this is what I see:

laptop:~/>sudo /usr/sbin/tcpdump -i en3 -n -nn -ttt "ip6[40]=128 or ip6[40]=129"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en3, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.000000 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 1, length 64
00:00:00.000050 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 1, length 64
00:00:00.999054 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 2, length 64
00:00:00.000045 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 2, length 64
00:00:00.999858 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 3, length 64
00:00:00.000038 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 3, length 64
00:00:00.999968 IP6 2a01:dead:beef::312 > 2a01:beef:beef::666: ICMP6, echo request, seq 4, length 64
00:00:00.000158 IP6 2a01:beef:beef::666 > 2a01:dead:beef::312: ICMP6, echo reply, seq 4, length 64

So the echo requests come from 2a01:dead:beef::312 instead of 2a01:dead:beef::2ea, which means that SNAT did not change the source address this time.

Guys, can you tell me what I am doing wrong here?

I messed up the SNAT rule here. The correct rule is

ip6tables -t nat -A POSTROUTING -s 2a01:230:2:6::312 -o eth0 -j SNAT --to-source 2a01:230:2:6::2ea

I changed the outgoing interface from tun0 to eth0, because I want to match packets going out, not in.

I am still confused how this can work at all; if you know how, please post an answer.
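An added example (not from the post or its author): a small Python model of the nat-table path on vds, using the question's addresses, that walks a new packet through PREROUTING DNAT, the routing decision and POSTROUTING SNAT. It shows why the original rule with -o tun0 never rewrote the source of home's echo requests (they leave vds on eth0), while the corrected -o eth0 rule does; the vds_route function is a constructed stand-in for the ip -6 r table, and conntrack reply un-NATing is deliberately left out.

```python
from dataclasses import dataclass, replace

# Addresses taken from the question.
HOME = "2a01:dead:beef::312"     # home's tun0 address (real destination)
ALIAS = "2a01:dead:beef::2ea"    # extra address on vds that is DNATed to HOME
LAPTOP = "2a01:beef:beef::666"   # laptop's en3 address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str        # interface the packet arrived on
    out_if: str = ""  # filled in by the routing step

def vds_route(dst):
    """Constructed model of 'ip -6 r' on vds: only the home address is
    reached via tun0, everything else (e.g. the laptop) leaves via eth0."""
    return "tun0" if dst == HOME else "eth0"

def nat_forward(pkt, snat_out_if):
    """Apply the asker's rules to a NEW connection. snat_out_if is the -o
    value of the POSTROUTING rule: 'tun0' (original) or 'eth0' (the fix)."""
    # ip6tables -t nat -A PREROUTING -i eth0 -d ALIAS -j DNAT --to-destination HOME
    if pkt.in_if == "eth0" and pkt.dst == ALIAS:
        pkt = replace(pkt, dst=HOME)
    # The routing decision sits between PREROUTING and POSTROUTING.
    pkt = replace(pkt, out_if=vds_route(pkt.dst))
    # ip6tables -t nat -A POSTROUTING -s HOME -o <snat_out_if> -j SNAT --to-source ALIAS
    if pkt.src == HOME and pkt.out_if == snat_out_if:
        pkt = replace(pkt, src=ALIAS)
    return pkt

def home_to_laptop(snat_out_if):
    """Echo request from home entering vds on tun0 (the failing direction)."""
    return nat_forward(Packet(src=HOME, dst=LAPTOP, in_if="tun0"), snat_out_if)

def laptop_to_alias(snat_out_if):
    """Echo request from laptop to the alias address, entering vds on eth0."""
    return nat_forward(Packet(src=LAPTOP, dst=ALIAS, in_if="eth0"), snat_out_if)

if __name__ == "__main__":
    for o in ("tun0", "eth0"):
        print(f"SNAT -o {o}: home->laptop leaves vds as {home_to_laptop(o)}")
        print(f"SNAT -o {o}: laptop->alias leaves vds as {laptop_to_alias(o)}")
```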

Quoted from: https://serverfault.com/questions/676361