Linux

iptables with sticky forwarding/routing

  • October 15, 2014

My iptables is stuck. I have a DNS server behind iptables and under a NATed OpenVPN tunnel. Using tcpdump I see the DNS packets arriving at the external router, but it takes 4 or 5 DNS query attempts before the DNS request actually gets through the tunnel to the DNS server. The server has just been updated and the problem is still there. What could be causing this "sticky routing", and how do I get rid of it?

iptables-save:

# Generated by iptables-save v1.4.21 on Wed Oct 15 18:53:53 2014
*security
:INPUT ACCEPT [6661499:1780706800]
:FORWARD ACCEPT [1395363:1087119696]
:OUTPUT ACCEPT [9054598:4470085569]
COMMIT
# Completed on Wed Oct 15 18:53:53 2014
# Generated by iptables-save v1.4.21 on Wed Oct 15 18:53:53 2014
*raw
:PREROUTING ACCEPT [8279921:2932266784]
:OUTPUT ACCEPT [9054600:4470085953]
COMMIT
# Completed on Wed Oct 15 18:53:53 2014
# Generated by iptables-save v1.4.21 on Wed Oct 15 18:53:53 2014
*nat
:PREROUTING ACCEPT [608923:62822718]
:INPUT ACCEPT [21598:1030929]
:OUTPUT ACCEPT [1936482:102286294]
:POSTROUTING ACCEPT [1846412:66372854]
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p tcp -m multiport --dports 21,25,80,10000 -j DNAT --to-destination 10.8.0.14
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.22
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.22
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.8.0.26
-A POSTROUTING -o eth0 -j SNAT --to-source 198.74.49.126
COMMIT
# Completed on Wed Oct 15 18:53:53 2014
# Generated by iptables-save v1.4.21 on Wed Oct 15 18:53:53 2014
*mangle
:PREROUTING ACCEPT [8279921:2932266784]
:INPUT ACCEPT [6884197:1845120939]
:FORWARD ACCEPT [1395724:1087145845]
:OUTPUT ACCEPT [9054603:4470086441]
:POSTROUTING ACCEPT [10545150:5593566425]
COMMIT
# Completed on Wed Oct 15 18:53:53 2014
# Generated by iptables-save v1.4.21 on Wed Oct 15 18:53:53 2014
*filter
:INPUT DROP [216663:64020937]
:FORWARD DROP [355:25909]
:OUTPUT ACCEPT [9054603:4470086441]
:PRELUDE - [0:0]
-A INPUT -j PRELUDE
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 218.1.21.162/32 -m comment --comment "ignore this spammer(?)" -j DROP
-A INPUT -p tcp -m multiport --dports 80,21,25,53,8080,10000 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,1194,2222,3333,4444,5555,6666,7777 -j ACCEPT
-A FORWARD -j PRELUDE
-A FORWARD -i tun+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -d 10.8.0.14/32 -i eth0 -o tun+ -p tcp -m multiport --dports 21,25,53,80 -m comment --comment "allow tcp to server" -j ACCEPT
-A FORWARD -d 10.8.0.22/32 -i eth0 -o tun+ -p udp -m udp --dport 53 -m comment --comment "allow udp to dns server" -j ACCEPT
-A FORWARD -d 10.8.0.22/32 -i eth0 -o tun+ -p tcp -m tcp --dport 53 -m comment --comment "allow tcp to dns server" -j ACCEPT
-A FORWARD -d 10.8.0.26/32 -i eth0 -o tun+ -p tcp -m tcp --dport 8080 -m comment --comment "allow tcp to dns server" -j ACCEPT
-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PRELUDE -m conntrack --ctstate INVALID -j DROP
-A PRELUDE -i lo -j ACCEPT
-A PRELUDE -p icmp -j ACCEPT
COMMIT
# Completed on Wed Oct 15 18:53:53 2014

openvpn.conf:

local 198.74.50.169
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
route 10.8.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS 66.228.35.79"
push "dhcp-option DNS 10.8.0.22"
;push "dhcp-option WINS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5
;mute 20
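
A first thing to rule out when port-forwarded traffic behaves oddly behind a `:FORWARD DROP` policy is a DNAT rule whose target has no matching ACCEPT rule in FORWARD. The script below is an added example, not part of the original question or answer: it parses iptables-save text (the `nat` and `filter` tables from the question are embedded as the sample) and reports every DNAT destination/port pair that no FORWARD ACCEPT rule admits. Function names (`parse_tables`, `dnat_targets`, `forward_accepts`, `unforwarded`) are this example's own.

```python
"""Cross-check iptables DNAT rules against FORWARD ACCEPT rules.

Added example (not from the original post). Reads iptables-save output,
collects the (target ip, proto) -> ports of every DNAT rule in nat/PREROUTING
and checks that filter/FORWARD has an ACCEPT rule admitting those ports.
"""
import shlex

# Sample input: the nat and filter rules copied from the question's iptables-save,
# embedded here so the script runs offline.
SAMPLE_RULES = """\
*nat
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p tcp -m multiport --dports 21,25,80,10000 -j DNAT --to-destination 10.8.0.14
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.22
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.22
-A PREROUTING -d 198.74.49.126/32 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.8.0.26
-A POSTROUTING -o eth0 -j SNAT --to-source 198.74.49.126
COMMIT
*filter
:FORWARD DROP [355:25909]
-A FORWARD -j PRELUDE
-A FORWARD -i tun+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -d 10.8.0.14/32 -i eth0 -o tun+ -p tcp -m multiport --dports 21,25,53,80 -m comment --comment "allow tcp to server" -j ACCEPT
-A FORWARD -d 10.8.0.22/32 -i eth0 -o tun+ -p udp -m udp --dport 53 -m comment --comment "allow udp to dns server" -j ACCEPT
-A FORWARD -d 10.8.0.22/32 -i eth0 -o tun+ -p tcp -m tcp --dport 53 -m comment --comment "allow tcp to dns server" -j ACCEPT
-A FORWARD -d 10.8.0.26/32 -i eth0 -o tun+ -p tcp -m tcp --dport 8080 -m comment --comment "allow tcp to dns server" -j ACCEPT
COMMIT
"""


def parse_tables(text):
    """Map table name -> list of tokenised '-A' rules from iptables-save text."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('*'):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith('-A') and current is not None:
            # shlex keeps quoted --comment strings as one token
            tables[current].append(shlex.split(line))
    return tables


def option(tokens, *flags):
    """Value following the first occurrence of any of the given flags, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None


def dest_ports(tokens):
    """Destination ports from --dport/--dports; an empty set means 'not restricted'."""
    raw = option(tokens, '--dport', '--dports')
    return set(raw.split(',')) if raw else set()


def dnat_targets(tables):
    """{(target_ip, proto): ports} for every DNAT rule in nat/PREROUTING."""
    targets = {}
    for tokens in tables.get('nat', []):
        if tokens[1] != 'PREROUTING' or option(tokens, '-j') != 'DNAT':
            continue
        # --to-destination may be "ip", "ip:port" or "ip-ip"; the address is enough here
        ip = option(tokens, '--to-destination').split(':')[0].split('-')[0]
        key = (ip, option(tokens, '-p'))
        targets.setdefault(key, set()).update(dest_ports(tokens))
    return targets


def forward_accepts(tables):
    """{(dest_ip, proto): ports or None} for FORWARD ACCEPT rules that name a -d.

    None means the rule admits every port for that destination/protocol.
    Interface-only rules (e.g. tun+ -> eth0) name no destination and are skipped.
    """
    allowed = {}
    for tokens in tables.get('filter', []):
        if tokens[1] != 'FORWARD' or option(tokens, '-j') != 'ACCEPT':
            continue
        dest = option(tokens, '-d')
        if dest is None:
            continue
        key = (dest.split('/')[0], option(tokens, '-p'))
        if allowed.get(key, set()) is None:
            continue
        ports = dest_ports(tokens)
        if not ports:
            allowed[key] = None
        else:
            allowed.setdefault(key, set()).update(ports)
    return allowed


def unforwarded(text):
    """DNAT'd (ip, proto) -> ports with no admitting FORWARD ACCEPT rule.

    A DNAT rule without --dport contributes no ports and is therefore never
    flagged; tighten that if your rulesets use unrestricted DNAT.
    """
    tables = parse_tables(text)
    allowed = forward_accepts(tables)
    gaps = {}
    for key, ports in dnat_targets(tables).items():
        if key in allowed and allowed[key] is None:
            continue
        missing = ports - allowed.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == '__main__':
    for (ip, proto), ports in sorted(unforwarded(SAMPLE_RULES).items()):
        print(f"DNAT to {ip}/{proto} ports {sorted(ports)} have no FORWARD ACCEPT rule")
```

Run against the question's own ruleset it flags tcp/10000 to 10.8.0.14: PREROUTING DNATs that port, but the FORWARD rule for 10.8.0.14 only lists 21,25,53,80, so with the DROP policy those connections are dropped. That is a separate gap from the intermittent DNS problem the question asks about (udp/53 and tcp/53 to 10.8.0.22 do have FORWARD rules), but it is the kind of mismatch this check is meant to surface before looking elsewhere.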

Make sure the trusted IPs in your named.conf reflect your front-end router.

Source: https://serverfault.com/questions/637276