Vpn

帶有偽裝的簡單 iptables 埠轉發不起作用

  • February 1, 2013

我正在嘗試使用 Android 範例 ToyVpnServer 在 EC2(Ubuntu 12.04)上設置一個簡單的 VPN 伺服器。其說明:

// There are several ways to play with this program. Here we just give an
// example for the simplest scenario. Let us say that a Linux box has a
// public IPv4 address on eth0. Please try the following steps and adjust
// the parameters when necessary.
//
// # Enable IP forwarding
// echo 1 > /proc/sys/net/ipv4/ip_forward
//
// # Pick a range of private addresses and perform NAT over eth0.
// iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
//
// # Create a TUN interface.
// ip tuntap add dev tun0 mode tun
//
// # Set the addresses and bring up the interface.
// ifconfig tun0 10.0.0.1 dstaddr 10.0.0.2 up
//
// # Create a server on port 8000 with shared secret "test".
// ./ToyVpnServer tun0 8000 test -m 1400 -a 10.0.0.2 32 -d 8.8.8.8 -r 0.0.0.0 0
//
// This program only handles a session at a time. To allow multiple sessions,
// multiple servers can be created on the same port, but each of them requires
// its own TUN interface. A short shell script will be sufficient. Since this
// program is designed for demonstration purpose, it performs neither strong
// authentication nor encryption. DO NOT USE IT IN PRODUCTION!

我遵循上述但將 10.* 替換為 192.168.* 因為 EC2 的網路已經佔用了 10.*:

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ ip tuntap add dev tun0 mode tun
$ ifconfig tun0 192.168.0.1 dstaddr 192.168.0.2 up
$ iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
$ ./ToyVpnServer tun0 8000 test -m 1400 -a 192.168.0.2 32 -d 8.8.8.8 -r 0.0.0.0 0

然後我從 Android 模擬器建立連接,它可以工作。然後,當我嘗試來自 Android 瀏覽器的 Web 請求時,伺服器會獲取數據包,但它們不會被轉發:

$ sudo tcpdump -i tun0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
07:41:46.342823 IP 192.168.0.2.21668 > 8.8.8.8.53: 59997+ A? www.google.com. (32)
07:41:51.347913 IP 192.168.0.2.35397 > 8.8.8.8.53: 49390+ A? www.google.com. (32)
07:41:56.353276 IP 192.168.0.2.35397 > 8.8.8.8.53: 49390+ A? www.google.com. (32)
^C

$ sudo tcpdump -i eth0 not host 64.236.139.254 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C

其他情況:

$ ip route
default via 10.252.49.129 dev eth0  metric 100
10.252.49.128/26 dev eth0  proto kernel  scope link  src 10.252.49.153
192.168.0.2 dev tun0  proto kernel  scope link  src 192.168.0.1

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 22:00:0a:fc:31:99 brd ff:ff:ff:ff:ff:ff
   inet 10.252.49.153/26 brd 10.252.49.191 scope global eth0
   inet6 fe80::2000:aff:fefc:3199/64 scope link 
      valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 500
   link/none 
   inet 192.168.0.1 peer 192.168.0.2/32 scope global tun0

$ cat /proc/sys/net/ipv4/ip_forward 
1

任何幫助將不勝感激。謝謝。

我通過添加來調試它:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j LOG --log-prefix "blah blah: "

在 /var/log/syslog 中顯示:

Feb  1 10:53:47 ip-10-252-194-250 kernel: [9722772.386808] [UFW BLOCK] IN=tun0 OUT=eth0 MAC= SRC=192.168.0.2 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30129 DF PROTO=UDP SPT=64512 DPT=53 LEN=40

簡單地使用ufw disable似乎已經成功了。

引用自:https://serverfault.com/questions/474480