I have a problem with an iptables POSTROUTING rule: it looks like the SNAT rule does not change the source IP address. I want to build the setup below, routing all traffic from LAN 2 through a VPN tunnel. The system has two routing tables configured.
             +-----------------+
LAN 2 ---->  |eth1         eth0+-----> LAN 1 ---> Gateway ---> Internet
             |            tun1 |
             +-------------|---+
                           `--------------- VPN tunnel ------>
iptables:
root@misio:~# iptables -n -L --line-numbers -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 122 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 122 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       all  --  *      *       192.168.124.0/24     0.0.0.0/0            to:192.168.124.1
Routing (two routing tables):
root@misio:~# ip route list
default via 192.168.123.1 dev eth0
192.168.123.0/24 dev eth0  proto kernel  scope link  src 192.168.123.3

root@misio:~# ip route list table frankenjura
default via 10.10.11.4 dev tun1
10.10.11.0/24 dev tun1  scope link
192.168.124.0/24 dev eth1  scope link

root@misio:~# ip rule
0:      from all lookup local
32761:  from 192.168.124.0/24 lookup frankenjura
32762:  from all to 192.168.124.0/24 lookup frankenjura
32766:  from all lookup main
32767:  from all lookup default
Input (eth1) – the system is receiving packets from a host in LAN 2 (192.168.124.17):
root@misio:~# tcpdump -n -i eth1 icmp and host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:39:25.134315 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1181, length 40
12:39:30.142011 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1182, length 40
Output (tun1) – the packets are routed to the correct interface (tun1), but the source IP address is unchanged:
root@misio:~# tcpdump -n -i tun1 icmp and host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
12:40:20.140953 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1192, length 40
12:40:25.148605 IP 192.168.124.17 > 8.8.8.8: ICMP echo request, id 1, seq 1193, length 40
...but the packet/byte counters of the following rule do not increase!
Chain POSTROUTING (policy ACCEPT 1 packets, 122 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       all  --  *      *       192.168.124.0/24     0.0.0.0/0            to:192.168.124.1
iptables version: 1.4.21
Could you please help?
I set up iptables logging in all chains and learned that the packets do not traverse the NAT table at all!
The packets traverse:
– raw (PREROUTING)
– mangle (PREROUTING)
– filter (FORWARD)
– mangle (POSTROUTING)
Jul 15 12:36:04 misio kernel: [ 7913.969872] raw-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Jul 15 12:36:04 misio kernel: [ 7913.969894] mangle-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Jul 15 12:36:04 misio kernel: [ 7913.969908] filter-FW IN=eth1 OUT=tun1 MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Jul 15 12:36:04 misio kernel: [ 7913.969914] mangle-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Kind regards, Grzegorz
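The per-chain LOG trace above is the right kind of evidence, and reading it systematically shows what the post observes: the packet hits raw, mangle and filter but never a nat chain. The script below is an added example, not part of the post: it parses kernel LOG lines with "<table>-<CHAIN>" prefixes (the prefixes the poster used; mangle-FORWARD was not logged there, so it is left out of the expected path), groups lines by packet using the IP header ID, and reports which expected chains a packet never reached. It encodes one netfilter fact that explains a zero SNAT counter with traffic clearly flowing: the nat table is consulted only for the first packet of a connection (conntrack state NEW), so a flow whose conntrack entry was created before the SNAT rule existed bypasses nat-PRE and nat-POST for its whole lifetime. The sample input reuses the poster's four lines (ID=7668) and adds a constructed second packet (ID=7669) that does reach the nat chains, for contrast.

```python
import re

# Chains a forwarded packet is expected to be logged in, in order, given LOG
# rules in raw, mangle, nat and filter with prefixes "<table>-<CHAIN>".
# This ordering is an assumption matching the prefixes used in the post.
EXPECTED_FORWARD_PATH = [
    "raw-PRE", "mangle-PRE", "nat-PRE", "filter-FW", "mangle-POST", "nat-POST",
]

# Constructed sample: the poster's four lines for IP ID 7668, plus an invented
# first packet of a new flow (IP ID 7669) that is seen by the nat chains too.
SAMPLE_LOG = """\
Jul 15 12:36:04 misio kernel: [ 7913.969872] raw-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Jul 15 12:36:04 misio kernel: [ 7913.969894] mangle-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Jul 15 12:36:04 misio kernel: [ 7913.969908] filter-FW IN=eth1 OUT=tun1 MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Jul 15 12:36:04 misio kernel: [ 7913.969914] mangle-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7668 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1022
Jul 15 12:36:09 misio kernel: [ 7918.970001] raw-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023
Jul 15 12:36:09 misio kernel: [ 7918.970010] mangle-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023
Jul 15 12:36:09 misio kernel: [ 7918.970018] nat-PRE IN=eth1 OUT= MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023
Jul 15 12:36:09 misio kernel: [ 7918.970030] filter-FW IN=eth1 OUT=tun1 MAC=00:1e:2a:49:9d:ad:00:17:a4:da:13:09:08:00 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023
Jul 15 12:36:09 misio kernel: [ 7918.970038] mangle-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023
Jul 15 12:36:09 misio kernel: [ 7918.970045] nat-POST IN= OUT=tun1 SRC=192.168.124.17 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7669 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1023
"""

LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>\S+) (?P<fields>.+)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (prefix, fields) for one kernel LOG line, or None otherwise.
    fields is a list of (key, value) pairs rather than a dict because ICMP
    lines carry ID= twice: the IP header ID first, the ICMP echo id second."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("prefix"), FIELD_RE.findall(m.group("fields"))


def packet_key(fields):
    """Identify a packet by protocol, addresses and IP header ID (first ID=)."""
    d = {}
    for k, v in fields:
        d.setdefault(k, v)  # keep the first ID=, ignore the ICMP echo id
    return (d.get("PROTO"), d.get("SRC"), d.get("DST"), d.get("ID"))


def trace_packets(log_text):
    """Map each packet to the ordered list of chain prefixes it was logged in."""
    traces = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        traces.setdefault(packet_key(fields), []).append(prefix)
    return traces


def diagnose(log_text, expected=EXPECTED_FORWARD_PATH):
    """For each packet, list expected chains it never reached. If only nat-*
    chains are missing while raw/mangle/filter were all hit, the packet is
    part of an already-tracked connection: nat rules run for NEW packets only."""
    results = []
    for key, seen in trace_packets(log_text).items():
        missing = [c for c in expected if c not in seen]
        if missing and all(c.startswith("nat-") for c in missing):
            verdict = ("nat table skipped: existing conntrack entry; nat rules are "
                       "evaluated only for the first packet of a connection, so the "
                       "SNAT counter cannot increase for this flow")
        elif missing:
            verdict = "stopped or diverted before: " + ", ".join(missing)
        else:
            verdict = "full path traversed"
        results.append({"packet": key, "seen": seen,
                        "missing": missing, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(r["packet"], r["seen"], "->", r["verdict"])
```

On a live box the same function can be fed the output of dmesg or the kernel log file directly; the packet key deliberately ignores the ICMP echo id and SEQ so that every LOG line of one IP datagram lands in the same trace.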