Vpn
帶有偽裝的簡單 iptables 埠轉發不起作用
我正在嘗試使用 Android 範例 ToyVpnServer 在 EC2(Ubuntu 12.04)上設置一個簡單的 VPN 伺服器。其說明:
// There are several ways to play with this program. Here we just give an // example for the simplest scenario. Let us say that a Linux box has a // public IPv4 address on eth0. Please try the following steps and adjust // the parameters when necessary. // // # Enable IP forwarding // echo 1 > /proc/sys/net/ipv4/ip_forward // // # Pick a range of private addresses and perform NAT over eth0. // iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE // // # Create a TUN interface. // ip tuntap add dev tun0 mode tun // // # Set the addresses and bring up the interface. // ifconfig tun0 10.0.0.1 dstaddr 10.0.0.2 up // // # Create a server on port 8000 with shared secret "test". // ./ToyVpnServer tun0 8000 test -m 1400 -a 10.0.0.2 32 -d 8.8.8.8 -r 0.0.0.0 0 // // This program only handles a session at a time. To allow multiple sessions, // multiple servers can be created on the same port, but each of them requires // its own TUN interface. A short shell script will be sufficient. Since this // program is designed for demonstration purpose, it performs neither strong // authentication nor encryption. DO NOT USE IT IN PRODUCTION!我遵循上述但將 10.* 替換為 192.168.* 因為 EC2 的網路已經佔用了 10.*:
$ echo 1 > /proc/sys/net/ipv4/ip_forward $ ip tuntap add dev tun0 mode tun $ ifconfig tun0 192.168.0.1 dstaddr 192.168.0.2 up $ iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE $ ./ToyVpnServer tun0 8000 test -m 1400 -a 192.168.0.2 32 -d 8.8.8.8 -r 0.0.0.0 0然後我從 Android 模擬器建立連接,它可以工作。然後,當我嘗試來自 Android 瀏覽器的 Web 請求時,伺服器會獲取數據包,但它們不會被轉發:
$ sudo tcpdump -i tun0 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes 07:41:46.342823 IP 192.168.0.2.21668 > 8.8.8.8.53: 59997+ A? www.google.com. (32) 07:41:51.347913 IP 192.168.0.2.35397 > 8.8.8.8.53: 49390+ A? www.google.com. (32) 07:41:56.353276 IP 192.168.0.2.35397 > 8.8.8.8.53: 49390+ A? www.google.com. (32) ^C $ sudo tcpdump -i eth0 not host 64.236.139.254 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C其他情況:
$ ip route default via 10.252.49.129 dev eth0 metric 100 10.252.49.128/26 dev eth0 proto kernel scope link src 10.252.49.153 192.168.0.2 dev tun0 proto kernel scope link src 192.168.0.1 $ ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 22:00:0a:fc:31:99 brd ff:ff:ff:ff:ff:ff inet 10.252.49.153/26 brd 10.252.49.191 scope global eth0 inet6 fe80::2000:aff:fefc:3199/64 scope link valid_lft forever preferred_lft forever 3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 500 link/none inet 192.168.0.1 peer 192.168.0.2/32 scope global tun0 $ cat /proc/sys/net/ipv4/ip_forward 1任何幫助將不勝感激。謝謝。
我通過添加來調試它:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j LOG --log-prefix "blah blah: "在 /var/log/syslog 中顯示:
Feb 1 10:53:47 ip-10-252-194-250 kernel: [9722772.386808] [UFW BLOCK] IN=tun0 OUT=eth0 MAC= SRC=192.168.0.2 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30129 DF PROTO=UDP SPT=64512 DPT=53 LEN=40簡單地使用
ufw disable似乎已經成功了。