Linux

如何將流量從隧道介面轉發到 eth0

  • January 4, 2016

網路拓撲結構:


網際網路
|
|
(eth0) IP:202.xxx.xxx.xxx/255.255.255.0
A: Remote_Server(Debian)
(tun0) IP:10.10.1.1/255.255.255.0
|
|
(utun0) IP: 10.10.1.2/255.255.255.0
B:iOS_Device(iOS 9)


設備 A:
一個 TCP 伺服器,在 7777 上監聽客戶端(iOS 設備)連接。

設備 B:
帶有 WIFI 連接到 Internet 的 iOS 設備。

工作流程:

  1. 伺服器監聽“0.0.0.0:7777”
  2. 客戶端連接到“202.xxx.xxx.xxx:7777”(使用使用者名等)
  3. 伺服器檢查客戶端的使用者名以進行客戶端身份驗證
  4. 伺服器向客戶端發送隧道配置資訊(例如:10.10.1.2/24,dns:8.8.8.8)
  5. 客戶端放置一個新的隧道連接到伺服器
  6. 客戶端通過隧道向伺服器發送網路數據包(DNS 查詢,HTTPS 請求,…)(並等待伺服器的響應)

伺服器端日誌(客戶端通過隧道連接後):

$ sudo ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
     inet addr:10.10.1.1  P-t-P:10.10.1.1  Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
     RX packets:0 errors:0 dropped:0 overruns:0 frame:0
     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:500 
     RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
-----------------------------------------------------------
tun0      Link encap:UNSPEC  HWaddr ...
     ...
     RX packets:12 errors:0 dropped:12 overruns:0 frame:0
     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
     ...
     RX bytes:742 (742.0 B)  TX bytes:0 (0.0 B)
-----------------------------------------------------------
tun0      Link encap:UNSPEC  HWaddr ...
     ...
     RX packets:25 errors:0 dropped:25 overruns:0 frame:0
     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
     ...
     RX bytes:1548 (1.5 KiB)  TX bytes:0 (0.0 B)
-----------------------------------------------------------

RX bytes: 0 -> 742 -> 1548 bytes

現在,問題是:

在伺服器端,如何將流量從 tun0 轉發到 eth0?

有人可以幫忙嗎,請


已嘗試以下命令,但似乎無法正常工作。

$sudo sysctl net.ipv4.ip_forward
   net.ipv4.ip_forward = 1

$sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 13472 packets, 4929K bytes)
pkts bytes target     prot opt in     out     source               destination         
 207 13105 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  *      *       10.30.0.0/24         0.0.0.0/0           
 288 18484 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 13436 packets, 5315K bytes)
pkts bytes target     prot opt in     out     source               destination

$
$sudo iptables -A FORWARD --in-interface tun0 -j ACCEPT
$sudo iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
$

更多日誌(伺服器端):

$ ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: dummy0@NONE: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default 
   link/ether 8a:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
   link/ether f2:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
   inet 202.xxx.xxx.xxx/24 brd 202.a.b.c scope global eth0
      valid_lft forever preferred_lft forever
   inet6 xxxx:xxxx::xxxx:xxxx:xxxx:xxxx/64 scope global 
      valid_lft forever preferred_lft forever
   inet6 aaaa::bbbb:cccc:dddd:eeee/64 scope link 
      valid_lft forever preferred_lft forever
4: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
   link/void 
5: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default 
   link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default 
   link/gre 0.0.0.0 brd 0.0.0.0
7: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
   link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: ip_vti0@NONE: <NOARP> mtu 1428 qdisc noop state DOWN group default 
   link/ipip 0.0.0.0 brd 0.0.0.0
9: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default 
   link/tunnel6 :: brd ::
10: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default 
   link/sit 0.0.0.0 brd 0.0.0.0
11: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default 
   link/tunnel6 :: brd ::
12: ip6gre0@NONE: <NOARP> mtu 1448 qdisc noop state DOWN group default 
   link/gre6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
175: tun0@NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
   link/none 
   inet 10.10.1.1/24 scope global tun0
      valid_lft forever preferred_lft forever

$ ip ro show
default via 202.xxx.xxx.1 dev eth0 
10.10.1.0/24 dev tun0  proto kernel  scope link  src 10.10.1.1 
202.xxx.xxx.0/24 dev eth0  proto kernel  scope link  src 202.xxx.xxx.xxx     

$ ip rule show
0:  from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default

$ sudo iptables -L -vn
Chain INPUT (policy ACCEPT 1291 packets, 198K bytes)
pkts bytes target     prot opt in     out     source               destination         
  87  5541 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  *      *       10.30.0.0/24         0.0.0.0/0           
 168 10829 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1230 packets, 300K bytes)
pkts bytes target     prot opt in     out     source               destination         

$ sudo iptables -L -vn
Chain INPUT (policy ACCEPT 1312 packets, 201K bytes)
pkts bytes target     prot opt in     out     source               destination         
  87  5541 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  *      *       10.30.0.0/24         0.0.0.0/0           
 169 10900 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1258 packets, 311K bytes)
pkts bytes target     prot opt in     out     source               destination 

$ sudo iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 111 packets, 6908 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 68 packets, 4153 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 38 packets, 3678 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 MASQUERADE  all  --  *      eth0    10.30.0.0/24         0.0.0.0/0           
138K 9623K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xxxxxx.xxxx     0.0.0.0         UG    0      0        0 eth0
10.10.1.0       *               255.255.255.0   U     0      0        0 tun0
202.xxx.xxx.0   *               255.255.255.0   U     0      0        0 eth0

$ cat /proc/sys/net/ipv4/ip_forward
1

通過隧道(tun0,伺服器端)的網路數據包:

No. Time        Source      Destination                     Protocol    Length  Info
3   4.603031    10.10.1.2   google-public-dns-a.google.com  DNS         59      Standard query 0xc09d A apple.com
4   4.708703    10.10.1.2   google-public-dns-a.google.com  DNS         67      Standard query 0x6f6d A guzzoni.apple.com
...
21  95.530358   10.10.1.2   10.10.1.1                       DNS         75      Standard query 0x850b A 20-courier.push.apple.com
22  104.468535  10.10.1.2   10.10.1.1                       DNS         75      Standard query 0x850b A 20-courier.push.apple.com

以及詳細的第 3 幀:

Frame 3: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface 0
   Interface id: 0 (utun0)
   Encapsulation type: NULL/Loopback (15)
   Arrival Time: Jan  3, 2016 23:40:31.564933000 HKT
   [Time shift for this packet: 0.000000000 seconds]
   Epoch Time: 1451835631.564933000 seconds
   [Time delta from previous captured frame: 0.614315000 seconds]
   [Time delta from previous displayed frame: 0.614315000 seconds]
   [Time since reference or first frame: 4.603031000 seconds]
   Frame Number: 3
   Frame Length: 59 bytes (472 bits)
   Capture Length: 59 bytes (472 bits)
   [Frame is marked: False]
   [Frame is ignored: False]
   [Protocols in frame: null:ip:udp:dns]
   [Coloring Rule Name: UDP]
   [Coloring Rule String: udp]
Null/Loopback
   Family: IP (2)
Internet Protocol Version 4, Src: 10.10.1.2 (10.10.1.2), Dst: google-public-dns-a.google.com (8.8.8.8)
   0100 .... = Version: 4
   .... 0101 = Header Length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
       0000 00.. = Differentiated Services Codepoint: Default (0)
       .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
   Total Length: 55
   Identification: 0x16e2 (5858)
   Flags: 0x00
       0... .... = Reserved bit: Not set
       .0.. .... = Don't fragment: Not set
       ..0. .... = More fragments: Not set
   Fragment offset: 0
   Time to live: 255
   Protocol: UDP (17)
   Header checksum: 0x89b8 [validation disabled]
       [Good: False]
       [Bad: False]
   Source: 10.10.1.2 (10.10.1.2)
   Destination: google-public-dns-a.google.com (8.8.8.8)
   [Source GeoIP: Unknown]
   [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 59951 (59951), Dst Port: domain (53)
   Source Port: 59951 (59951)
   Destination Port: domain (53)
   Length: 35
   Checksum: 0xe181 [validation disabled]
       [Good Checksum: False]
       [Bad Checksum: False]
   [Stream index: 0]
Domain Name System (query)
   Transaction ID: 0xc09d
   Flags: 0x0100 Standard query
       0... .... .... .... = Response: Message is a query
       .000 0... .... .... = Opcode: Standard query (0)
       .... ..0. .... .... = Truncated: Message is not truncated
       .... ...1 .... .... = Recursion desired: Do query recursively
       .... .... .0.. .... = Z: reserved (0)
       .... .... ...0 .... = Non-authenticated data: Unacceptable
   Questions: 1
   Answer RRs: 0
   Authority RRs: 0
   Additional RRs: 0
   Queries
       apple.com: type A, class IN
           Name: apple.com
           [Name Length: 9]
           [Label Count: 2]
           Type: A (Host Address) (1)
           Class: IN (0x0001)

2016-01-04 編輯 1:

執行命令“iptables -F FORWARD”後:

$ sudo ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
   inet addr:10.10.1.1  P-t-P:10.10.1.1  Mask:255.255.255.0
   UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
   RX packets:250 errors:0 dropped:250 overruns:0 frame:0
   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:500 
   RX bytes:15845 (15.4 KiB)  TX bytes:0 (0.0 B)

RX 數據包:250 錯誤:0丟棄:250


$ sudo iptables -L -vn
Chain INPUT (policy ACCEPT 207 packets, 22574 bytes)
pkts bytes target     prot opt in     out     source               destination         
 258 16411 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tap+   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 8 packets, 1632 bytes)
pkts bytes target     prot opt in     out     source               destination         
   8   578 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          

$ sudo iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 18 packets, 1056 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 16 packets, 914 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 128 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 MASQUERADE  all  --  *      eth0    10.30.0.0/24         0.0.0.0/0           
138K 9687K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0     

2016-01-04 編輯 2:

我所做的客戶端測試步驟:

  1. 客戶端(iOS 設備)連接到伺服器。
  2. 在伺服器端執行 tcpdump。
  3. 客戶端使用 Safari打開一個 URL:“ https://www.apple.com ”。
  4. 檢查伺服器端的 tcpdump 日誌
  5. 檢查客戶端是否接收到來自伺服器的響應內容(應該是 HTTP 200 響應)

測試結果:

客戶端確實發送了 HTTP 請求並得到了請求超時(等待響應超時)。

tcpdump 日誌:

$ sudo tcpdump -i tun0 -s 0 -B 524288 -w ~/tmp/tun0_traffic.pcap
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
^C
98 packets received by filter
0 packets dropped by kernel
58 packets dropped by interface

-----------------------------------------------------------

$ tcpdump -s 0 -n -e -x -vvv -r ~/tmp/tun0_traffic.pcap 
reading from file /home/tube/tmp/tun0_traffic.pcap, link-type RAW (Raw IP)
01:40:03.445148 ip: (tos 0x0, ttl 255, id 2395, offset 0, flags [none], proto UDP (17), length 76)
   10.10.1.2.65368 > 8.8.8.8.53: [udp sum ok] 52854+ A? p02-keyvalueservice.icloud.com. (48)
   0x0000:  4500 004c ...

01:40:07.461931 ip: (tos 0xc0, ttl 64, id 34376, offset 0, flags [none], proto ICMP (1), length 104)
   10.10.1.1 > 10.10.1.2: ICMP 10.10.1.1 udp port 53 unreachable, length 84
   (tos 0x0, ttl 255, id 36211, offset 0, flags [none], proto UDP (17), length 76)
   10.10.1.2.65368 > 10.10.1.1.53: [udp sum ok] 52854+ A? p02-keyvalueservice.icloud.com. (48)
   0x0000:  45c0 0068 ...

$ sudo tcpdump -i eth0 -s 0 -B 524288 -n src net 10.10.1.0/24 -w ~/tmp/eth0_traffic_from_tun0.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
1 packet received by filter
0 packets dropped by kernel

-----------------------------------------------------------

$ tcpdump -s 0 -n -e -x -vvv -r ~/tmp/eth0_traffic_from_tun0.pcap 
reading from file /home/tube/tmp/eth0_traffic_from_tun0.pcap, link-type EN10MB (Ethernet)
$

2016-01-04 編輯 3:

新的 tcpdump 日誌:(非常感謝@MadHatter。)

sudo tcpdump -i eth0 -s 0 -B 524288 -n -w ~/tmp/eth0_traffic_all.pcap

And read the ~/tmp/eth0_traffic_all.pcap file:
No. Time        Source          Destination     Protocol    Length  Info
51  3.268219    202.xxx.xxx.xxx 8.8.8.8         DNS         69      Standard query 0x4d19 A apple.com
57  3.270244    8.8.8.8         202.xxx.xxx.xxx DNS         117     Standard query response 0x4d19 A apple.com A ...

來自 tun0 轉發(到 eth0)的數據包執行良好!eth0 確實得到了 8.8.8.8 的響應

首先,您的FORWARD鏈條正在引起問題。其中的第三條規則是阻止所有不滿足前兩條規則的轉發流量,並且根據前三個規則的數據包計數來判斷,前兩條不匹配任何內容,這意味著規則 3 正在停止所有內容。

您已經編寫了允許您想要的流量的規則,但是由於它們位於規則 3之後,因此流量永遠不會到達它們(第一個決定性匹配獲勝)。當您清除FORWARD鏈中的所有規則並讓ACCEPT策略生效時,流量就會流動。

其次,您正在使用高度限制性的tcpdump咒語來查看流量。具體來說,您在FORWARDing10.10.1.0/24 之後tcpdump尋找具有源地址的流量 - 但您的 nat 規則正在偽裝此流量,因此沒有擷取它。當您打開tcpdump呼叫時,您會看到 now-FORWARDed 流量。

引用自:https://serverfault.com/questions/746465