Linux
Linux routing and port forwarding to a secondary network does not work from the WAN
I have a Linux box acting as a router, with two interfaces:
· eth0 - 192.168.0.61
· as0t0 - 172.27.224.1
The network 192.168.2.0/24 is reachable through as0t0, so I have this route:
[root@192.168.0.61 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 eth0
172.27.224.0    0.0.0.0         255.255.240.0   U     0      0        0 as0t0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 as0t0
I also have a port-forwarding rule:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8123 -j DNAT --to-destination 192.168.2.245:8123
Currently hosts on 192.168.0.0/24 can use the web server at 192.168.2.245:8123 perfectly, but it does not work for hosts on the WAN. The main router is 192.168.0.251, with the route and the port forward configured.
The packets arrive at eth0 of 192.168.0.61 but are not passed through as0t0, and I don't know why.
For example, when host 192.168.0.6 visits 192.168.0.61:8123 with a web browser, everything works:
[root@192.168.0.61 ~]# tcpdump -i eth0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:47:22.232044 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [SEW], seq 361471277, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:47:22.305155 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [S.], seq 226116772, ack 361471278, win 64240, options [mss 1258,nop,nop,sackOK,nop,wscale 7], length 0
16:47:22.305722 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [.], ack 1, win 1027, length 0
16:47:22.305868 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [P.], seq 1:601, ack 1, win 1027, length 600
16:47:22.446997 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [.], ack 601, win 501, length 0
16:47:22.447020 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 1:170, ack 601, win 501, length 169
16:47:22.447035 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 170:230, ack 601, win 501, length 60
16:47:22.447484 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [.], ack 230, win 1026, length 0
16:47:22.537873 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [P.], seq 601:1431, ack 230, win 1026, length 830
16:47:22.646742 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [.], ack 1431, win 501, length 0
16:47:22.646762 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 230:400, ack 1431, win 501, length 170
16:47:22.646777 IP 192.168.0.61.8123 > 192.168.0.6.58898: Flags [P.], seq 400:570, ack 1431, win 501, length 170
16:47:22.647193 IP 192.168.0.6.58898 > 192.168.0.61.8123: Flags [.], ack 570, win 1024, length 0
...
[root@192.168.0.61 ~]# tcpdump -i as0t0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on as0t0, link-type RAW (Raw IP), capture size 262144 bytes
16:47:22.232111 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [SEW], seq 361471277, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:47:22.305136 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [S.], seq 226116772, ack 361471278, win 64240, options [mss 1258,nop,nop,sackOK,nop,wscale 7], length 0
16:47:22.305863 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 1, win 1027, length 0
16:47:22.305872 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 1:601, ack 1, win 1027, length 600
16:47:22.446980 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 601, win 501, length 0
16:47:22.447013 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 1:170, ack 601, win 501, length 169
16:47:22.447030 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 170:230, ack 601, win 501, length 60
16:47:22.447495 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 230, win 1026, length 0
16:47:22.537892 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 601:1431, ack 230, win 1026, length 830
16:47:22.646728 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 1431, win 501, length 0
16:47:22.646755 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 230:400, ack 1431, win 501, length 170
16:47:22.646771 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 400:570, ack 1431, win 501, length 170
16:47:22.647207 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 570, win 1024, length 0

pi@192.168.2.245:~ $ sudo tcpdump -i tun0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:47:22.283238 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [SEW], seq 361471277, win 64240, options [mss 1258,nop,wscale 8,nop,nop,sackOK], length 0
16:47:22.283327 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [S.], seq 226116772, ack 361471278, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:47:22.375692 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 1, win 1027, length 0
16:47:22.375946 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 1:601, ack 1, win 1027, length 600
16:47:22.375988 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 601, win 501, length 0
16:47:22.383365 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 1:170, ack 601, win 501, length 169
16:47:22.383586 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 170:230, ack 601, win 501, length 60
16:47:22.494391 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 230, win 1026, length 0
16:47:22.585272 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [P.], seq 601:1431, ack 230, win 1026, length 830
16:47:22.585325 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [.], ack 1431, win 501, length 0
16:47:22.593274 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 230:400, ack 1431, win 501, length 170
16:47:22.594160 IP 192.168.2.245.8123 > 192.168.0.6.58898: Flags [P.], seq 400:570, ack 1431, win 501, length 170
16:47:22.693687 IP 192.168.0.6.58898 > 192.168.2.245.8123: Flags [.], ack 570, win 1024, length 0
But when the request comes from the Internet, 192.168.0.61 receives it but does not forward it through as0t0. For example:
[root@192.168.0.61 ~]# tcpdump -i eth0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:51:55.079366 IP 185.157.131.172.54673 > 192.168.0.61.8123: Flags [S], seq 331949659, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:55.759341 IP 185.157.131.172.54674 > 192.168.0.61.8123: Flags [S], seq 459540767, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:55.785218 IP 185.157.131.172.54675 > 192.168.0.61.8123: Flags [S], seq 3837920396, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.037321 IP 185.157.131.172.54676 > 192.168.0.61.8123: Flags [S], seq 1212264514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.095399 IP 185.157.131.172.54673 > 192.168.0.61.8123: Flags [S], seq 331949659, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.775268 IP 185.157.131.172.54674 > 192.168.0.61.8123: Flags [S], seq 459540767, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:56.797301 IP 185.157.131.172.54675 > 192.168.0.61.8123: Flags [S], seq 3837920396, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:57.055209 IP 185.157.131.172.54676 > 192.168.0.61.8123: Flags [S], seq 1212264514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:58.115261 IP 185.157.131.172.54673 > 192.168.0.61.8123: Flags [S], seq 331949659, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:58.799213 IP 185.157.131.172.54674 > 192.168.0.61.8123: Flags [S], seq 459540767, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:58.800187 IP 185.157.131.172.54675 > 192.168.0.61.8123: Flags [S], seq 3837920396, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:51:59.067247 IP 185.157.131.172.54676 > 192.168.0.61.8123: Flags [S], seq 1212264514, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
...

[root@192.168.0.61 ~]# tcpdump -i as0t0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on as0t0, link-type RAW (Raw IP), capture size 262144 bytes

pi@192.168.2.245:~ $ sudo tcpdump -i tun0 port 8123 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
I don't know how to continue troubleshooting. Any ideas?
Thanks
Edit 1:
[root@192.168.0.61 ~]# iptables-save -c
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*mangle
:PREROUTING ACCEPT [47:10649]
:INPUT ACCEPT [560:148103]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [548:147705]
:POSTROUTING ACCEPT [548:147705]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
[533:144894] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
[2:251] -A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
[533:144894] -A AS0_MANGLE_PRE_REL_EST -j ACCEPT
[2:251] -A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
[2:251] -A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Tue Oct 19 16:14:28 2021
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*raw
:PREROUTING ACCEPT [611:161750]
:OUTPUT ACCEPT [577:150493]
COMMIT
# Completed on Tue Oct 19 16:14:28 2021
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*filter
:INPUT ACCEPT [7:1954]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [504:140983]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_OPENVPN_IN - [0:0]
:AS0_U_OPENVPN_OUT - [0:0]
:AS0_WEBACCEPT - [0:0]
[534:144934] -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
[13:780] -A INPUT -i lo -j AS0_ACCEPT
[0:0] -A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
[2:120] -A INPUT -d 192.168.0.61/32 -p tcp -m state --state NEW -m tcp --dport 1194 -j AS0_ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
[0:0] -A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
[0:0] -A FORWARD -o as0t+ -j AS0_OUT_S2C
[0:0] -A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
[549:145834] -A AS0_ACCEPT -j ACCEPT
[0:0] -A AS0_IN -d 172.27.224.1/32 -j ACCEPT
[0:0] -A AS0_IN -s 172.27.224.2/32 -j AS0_U_OPENVPN_IN
[0:0] -A AS0_IN -s 192.168.2.0/24 -j AS0_U_OPENVPN_IN
[0:0] -A AS0_IN -j AS0_IN_POST
[0:0] -A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
[0:0] -A AS0_IN_NAT -j ACCEPT
[0:0] -A AS0_IN_POST -d 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_IN_POST -o as0t+ -j AS0_OUT
[0:0] -A AS0_IN_POST -j DROP
[0:0] -A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
[0:0] -A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
[0:0] -A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
[0:0] -A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
[0:0] -A AS0_IN_PRE -j DROP
[0:0] -A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
[0:0] -A AS0_IN_ROUTE -j ACCEPT
[0:0] -A AS0_OUT -d 172.27.224.2/32 -j AS0_U_OPENVPN_OUT
[0:0] -A AS0_OUT -d 192.168.2.0/24 -j AS0_U_OPENVPN_OUT
[0:0] -A AS0_OUT -j AS0_OUT_POST
[0:0] -A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
[0:0] -A AS0_OUT_LOCAL -j ACCEPT
[0:0] -A AS0_OUT_POST -j DROP
[0:0] -A AS0_OUT_S2C -s 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_OUT_S2C -j AS0_OUT
[0:0] -A AS0_U_OPENVPN_IN -d 192.168.0.0/24 -j AS0_IN_ROUTE
[0:0] -A AS0_U_OPENVPN_IN -j AS0_IN_POST
[0:0] -A AS0_U_OPENVPN_OUT -s 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -s 192.168.2.0/24 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -s 172.27.224.0/20 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -j AS0_OUT_POST
[0:0] -A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Tue Oct 19 16:14:28 2021
# Generated by iptables-save v1.4.21 on Tue Oct 19 16:14:28 2021
*nat
:PREROUTING ACCEPT [36:10120]
:INPUT ACCEPT [14:2429]
:OUTPUT ACCEPT [18:1141]
:POSTROUTING ACCEPT [18:1141]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
[0:0] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1883 -j DNAT --to-destination 192.168.2.245:1883
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1884 -j DNAT --to-destination 192.168.2.245:1884
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 8123 -j DNAT --to-destination 192.168.2.245:8123
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.2.245:22
[0:0] -A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
[0:0] -A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
[0:0] -A AS0_NAT -o eth0 -j SNAT --to-source 192.168.0.61
[0:0] -A AS0_NAT -j ACCEPT
[0:0] -A AS0_NAT_POST_REL_EST -j ACCEPT
[0:0] -A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
[0:0] -A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -j AS0_NAT
[0:0] -A AS0_NAT_PRE_REL_EST -j ACCEPT
[0:0] -A AS0_NAT_TEST -o as0t+ -j ACCEPT
[0:0] -A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
[0:0] -A AS0_NAT_TEST -d 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_NAT_TEST -d 192.168.2.0/24 -j ACCEPT
[0:0] -A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
[0:0] -A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Tue Oct 19 16:14:28 202
Edit 2: As @AB suggested, I am providing more information about the network layout, since there is an OpenVPN tunnel (routed) that may be filtering some packets. The OpenVPN tunnel is represented as a single line.
Following @AB's suggestion I looked at the OpenVPN AS settings, which generate a lot of iptables rules. I changed one field:
Routing
Specify the private subnets to which all clients should be given access (one per line):
192.168.0.0/24
to:
Routing
Specify the private subnets to which all clients should be given access (one per line):
192.168.0.0/24
0.0.0.0/0
Now packets with a public source IP are forwarded from eth0 to as0t0 without any problem and everything works.
If I now run iptables-save -c I get:
[root@192.168.0.61 ~]# iptables-save -c
# Generated by iptables-save v1.4.21 on Wed Oct 20 16:25:06 2021
*mangle
:PREROUTING ACCEPT [232:55794]
:INPUT ACCEPT [2986:381728]
:FORWARD ACCEPT [15:2541]
:OUTPUT ACCEPT [2929:1099682]
:POSTROUTING ACCEPT [2944:1102223]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
[2899:374408] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
[12:1506] -A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
[2899:374408] -A AS0_MANGLE_PRE_REL_EST -j ACCEPT
[12:1506] -A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
[12:1506] -A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Wed Oct 20 16:25:06 2021
# Generated by iptables-save v1.4.21 on Wed Oct 20 16:25:06 2021
*raw
:PREROUTING ACCEPT [3175:434235]
:OUTPUT ACCEPT [2972:1103685]
COMMIT
# Completed on Wed Oct 20 16:25:06 2021
# Generated by iptables-save v1.4.21 on Wed Oct 20 16:25:06 2021
*filter
:INPUT ACCEPT [61:5708]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2839:1062541]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_OPENVPN_IN - [0:0]
:AS0_U_OPENVPN_OUT - [0:0]
:AS0_WEBACCEPT - [0:0]
[2900:374448] -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
[14:840] -A INPUT -i lo -j AS0_ACCEPT
[0:0] -A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
[1:60] -A INPUT -d 192.168.0.61/32 -p tcp -m state --state NEW -m tcp --dport 1194 -j AS0_ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
[0:0] -A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
[15:2541] -A FORWARD -o as0t+ -j AS0_OUT_S2C
[0:0] -A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
[2915:375348] -A AS0_ACCEPT -j ACCEPT
[0:0] -A AS0_IN -d 172.27.224.1/32 -j ACCEPT
[0:0] -A AS0_IN -s 172.27.224.2/32 -j AS0_U_OPENVPN_IN
[0:0] -A AS0_IN -s 192.168.2.0/24 -j AS0_U_OPENVPN_IN
[0:0] -A AS0_IN -j AS0_IN_POST
[0:0] -A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
[0:0] -A AS0_IN_NAT -j ACCEPT
[0:0] -A AS0_IN_POST -j ACCEPT
[0:0] -A AS0_IN_POST -o as0t+ -j AS0_OUT
[0:0] -A AS0_IN_POST -j DROP
[0:0] -A AS0_IN_PRE -j AS0_IN
[0:0] -A AS0_IN_PRE -j DROP
[0:0] -A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
[0:0] -A AS0_IN_ROUTE -j ACCEPT
[0:0] -A AS0_OUT -d 172.27.224.2/32 -j AS0_U_OPENVPN_OUT
[0:0] -A AS0_OUT -d 192.168.2.0/24 -j AS0_U_OPENVPN_OUT
[0:0] -A AS0_OUT -j AS0_OUT_POST
[0:0] -A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
[0:0] -A AS0_OUT_LOCAL -j ACCEPT
[0:0] -A AS0_OUT_POST -j DROP
[15:2541] -A AS0_OUT_S2C -j ACCEPT
[0:0] -A AS0_OUT_S2C -j AS0_OUT
[0:0] -A AS0_U_OPENVPN_IN -d 192.168.0.0/24 -j AS0_IN_ROUTE
[0:0] -A AS0_U_OPENVPN_IN -j AS0_IN_POST
[0:0] -A AS0_U_OPENVPN_OUT -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -s 192.168.2.0/24 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -s 172.27.224.0/20 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -j AS0_OUT_POST
[0:0] -A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Wed Oct 20 16:25:06 2021
# Generated by iptables-save v1.4.21 on Wed Oct 20 16:25:06 2021
*nat
:PREROUTING ACCEPT [207:53029]
:INPUT ACCEPT [63:5230]
:OUTPUT ACCEPT [19:1202]
:POSTROUTING ACCEPT [21:1562]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
[0:0] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1883 -j DNAT --to-destination 192.168.2.245:1883
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1884 -j DNAT --to-destination 192.168.2.245:1884
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 8123 -j DNAT --to-destination 192.168.2.245:8123
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.2.245:22
[0:0] -A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
[0:0] -A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
[0:0] -A AS0_NAT -o eth0 -j SNAT --to-source 192.168.0.61
[0:0] -A AS0_NAT -j ACCEPT
[0:0] -A AS0_NAT_POST_REL_EST -j ACCEPT
[0:0] -A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
[0:0] -A AS0_NAT_PRE -j AS0_NAT_TEST
[0:0] -A AS0_NAT_PRE -j AS0_NAT
[0:0] -A AS0_NAT_PRE_REL_EST -j ACCEPT
[0:0] -A AS0_NAT_TEST -o as0t+ -j ACCEPT
[0:0] -A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
[0:0] -A AS0_NAT_TEST -j ACCEPT
[0:0] -A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Wed Oct 20 16:25:06 2021
As you can see, some rules have changed. For example, before:
[0:0] -A AS0_IN_POST -d 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_OUT_S2C -s 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -s 192.168.0.0/24 -j ACCEPT
[0:0] -A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
after:
[0:0] -A AS0_IN_POST -j ACCEPT
[15:2541] -A AS0_OUT_S2C -j ACCEPT
[0:0] -A AS0_U_OPENVPN_OUT -j ACCEPT
[0:0] -A AS0_NAT_PRE -j AS0_NAT_TEST
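The two iptables-save dumps in the question already contain the explanation of why the LAN client was forwarded and the WAN client was not: a DNAT'd packet leaving through as0t0 is sent by FORWARD into AS0_OUT_S2C, and before the change that chain only accepted sources in 192.168.0.0/24, sending everything else through AS0_OUT and AS0_U_OPENVPN_OUT to AS0_OUT_POST, which drops. The walker below is an added example, not code from the question or from OpenVPN AS: it parses the relevant filter-table rules copied from the dumps (a subset of iptables syntax: -s, -d, -i, -o, -m state --state and -j; the -m mark branches are omitted because eth0 traffic never carries the 0x2000000 mark set only on as0t+ ingress), then replays the FORWARD chain for a LAN source and for the public source seen in the tcpdump, against the "before" and "after" rule sets. The packet fields and the FORWARD policy of ACCEPT are taken from the dumps; the walker's own structure is this example's assumption.

```python
import ipaddress
import shlex

# Filter-table rules from the question's first iptables-save (before the change),
# limited to the chains a NEW packet with -o as0t0 can reach; "-m mark" rules omitted.
RULES_BEFORE = """
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A AS0_ACCEPT -j ACCEPT
-A AS0_OUT -d 172.27.224.2/32 -j AS0_U_OPENVPN_OUT
-A AS0_OUT -d 192.168.2.0/24 -j AS0_U_OPENVPN_OUT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -s 192.168.0.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_U_OPENVPN_OUT -s 192.168.0.0/24 -j ACCEPT
-A AS0_U_OPENVPN_OUT -s 192.168.2.0/24 -j ACCEPT
-A AS0_U_OPENVPN_OUT -s 172.27.224.0/20 -j ACCEPT
-A AS0_U_OPENVPN_OUT -j AS0_OUT_POST
"""

# After 0.0.0.0/0 was added in OpenVPN AS, the second dump shows exactly these two
# rules losing their "-s 192.168.0.0/24" qualifier (the other rules are unchanged).
RULES_AFTER = (RULES_BEFORE
               .replace("-A AS0_OUT_S2C -s 192.168.0.0/24 -j ACCEPT",
                        "-A AS0_OUT_S2C -j ACCEPT")
               .replace("-A AS0_U_OPENVPN_OUT -s 192.168.0.0/24 -j ACCEPT",
                        "-A AS0_U_OPENVPN_OUT -j ACCEPT"))


def parse_rules(text):
    """Parse iptables-save '-A' lines into {chain: [rule, ...]} (subset of matches)."""
    chains = {}
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens[:1] != ["-A"]:
            continue
        rule = {"src": None, "dst": None, "iif": None, "oif": None,
                "state": None, "target": None}
        i = 2
        while i < len(tokens):
            opt, arg = tokens[i], tokens[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(arg)
            elif opt == "-i":
                rule["iif"] = arg
            elif opt == "-o":
                rule["oif"] = arg
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt != "-m":  # "-m state" only loads the match extension
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        chains.setdefault(tokens[1], []).append(rule)
    return chains


def _iface_match(pattern, name):
    # iptables treats a trailing '+' as a prefix wildcard: as0t+ matches as0t0, as0t1, ...
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def _matches(rule, pkt):
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["state"] is not None and pkt["state"] not in rule["state"]:
        return False
    return _iface_match(rule["iif"], pkt["iif"]) and _iface_match(rule["oif"], pkt["oif"])


def _walk(chains, chain, pkt, trace):
    """Return the terminal verdict, or None when the chain is exhausted (implicit RETURN)."""
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{chain} -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        verdict = _walk(chains, target, pkt, trace)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def forward_verdict(rules_text, src, dst, iif="eth0", oif="as0t0", state="NEW"):
    """FORWARD-chain verdict for one post-DNAT packet, plus the list of jumps taken."""
    pkt = {"src": src, "dst": dst, "iif": iif, "oif": oif, "state": state}
    trace = []
    verdict = _walk(parse_rules(rules_text), "FORWARD", pkt, trace)
    if verdict is None:
        verdict = "ACCEPT"  # both dumps show ':FORWARD ACCEPT', i.e. policy ACCEPT
        trace.append("FORWARD policy -> ACCEPT")
    return verdict, trace


if __name__ == "__main__":
    # After DNAT the destination is 192.168.2.245 in both captures; only the source differs.
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for src in ("192.168.0.6", "185.157.131.172"):
            verdict, trace = forward_verdict(rules, src, "192.168.2.245")
            print(f"{label:6} {src:>16} -> {verdict:6}  via {' / '.join(trace)}")
```

Running it shows the public source ending in "AS0_OUT_POST -> DROP" under the old rules and in "AS0_OUT_S2C -> ACCEPT" under the new ones, which matches the empty as0t0 capture and the later non-zero [15:2541] counter on the AS0_OUT_S2C ACCEPT rule. Note what the fix means from a filtering standpoint: after the change AS0_OUT_S2C accepts any source towards the tunnel, so the only thing still limiting what WAN hosts can reach in 192.168.2.0/24 is that the nat PREROUTING rules rewrite just four destination ports; when reviewing such a setup, the counters on the AS0_OUT_S2C and AS0_OUT_POST rules are the quickest place to confirm where forwarded traffic is being accepted or dropped.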