Debuggen meines NAT-Setups

tag-icon tag-icon linux iptables masquerade
Debuggen meines NAT-Setups

Ich versuche, einen Raspberry Pi3 dazu zu bringen, eingehenden Datenverkehr wlan0über weiter nach oben weiterzuleiten eth0, aber das funktioniert aus einem Grund nicht, den ich nicht erkennen kann. Hoffentlich kann jemand anderes die Probleme erkennen.

Pi3-Zustand:

# Interfaces
samveen@pi3:~$ ip -o -4 a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: wlan0    inet 192.168.0.124/24 brd 192.168.0.255 scope global dynamic wlan0\       valid_lft 166572sec preferred_lft 166572sec

# Routes
samveen@pi3:~$ ip r
default via 10.0.0.5 dev eth0 proto static 
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.124 
192.168.0.1 dev wlan0 proto dhcp scope link src 192.168.0.124 metric 600 

# iptables rules
samveen@pi3:~$ cat routing.sh 
#!/bin/bash -x
# Setup forwarding (with NAT) from wlan0 towards eth0
# https://raspberrypi.stackexchange.com/a/50073/124471
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT  

# Internet test
samveen@pi3:~$ curl --silent -I network-test.debian.org |egrep  '^H|X-Cl'
HTTP/1.1 200 OK
X-Clacks-Overhead: GNU Terry Pratchett

# add iptables tracing
samveen@pi3:~$ sudo iptables -t raw -A PREROUTING -p tcp --source 192.168.0.0/24 --dport 80 -j TRACE
samveen@pi3:~$ sudo iptables -t raw -A OUTPUT -p tcp --source 192.168.0.0/24 --dport 80 -j TRACE

Um zu prüfen, was schief lief, habe ich wget -4 -O - http://google.comauf dem Downstream-Host ( 192.168.0.1) versucht, die Pakete zu verfolgen.

  • tcpdumpder eingehenden Pakete auf dem Problemhost (die nicht weitergeleitet wurden):
# tcpdump of incoming packets
samveen@pi3:~$ sudo tcpdump -nvvvi wlan0 tcp and src host 192.168.0.1 and dst port 80
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:12.492367 IP (tos 0x0, ttl 64, id 49906, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x86c5 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182572917 ecr 0,nop,wscale 6], length 0
15:44:13.536363 IP (tos 0x0, ttl 64, id 49907, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x82b7 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182573955 ecr 0,nop,wscale 6], length 0
15:44:15.615949 IP (tos 0x0, ttl 64, id 49908, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x7a97 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182576035 ecr 0,nop,wscale 6], length 0
15:44:19.697021 IP (tos 0x0, ttl 64, id 49909, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x6aa7 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182580115 ecr 0,nop,wscale 6], length 0
15:44:27.935601 IP (tos 0x0, ttl 64, id 49910, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x4a77 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182588355 ecr 0,nop,wscale 6], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
  • Gleichzeitig tcpdumpwurden mir auf der Ausgabeschnittstelle des Problemhosts keine Pakete angezeigt (ich hatte erwartet, hier ausgehende Pakete zu sehen)
samveen@pi3:~$ sudo tcpdump -nvvvi eth0 tcp and  dst port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
  • Ablaufverfolgungsprotokoll von dmesg:
[468794.617195] device eth0 entered promiscuous mode
[468798.441177] device wlan0 entered promiscuous mode
[468890.193285] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA1750000000001030306) 
[468890.193395] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA1750000000001030306) 
[468891.237300] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49907 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA5830000000001030306) 
[468891.237413] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49907 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA5830000000001030306) 
[468893.316857] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49908 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CADA30000000001030306) 
[468893.316958] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49908 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CADA30000000001030306) 
[468897.397941] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49909 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CBD930000000001030306) 
[468897.398056] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49909 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CBD930000000001030306) 
[468905.636557] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49910 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CDDC30000000001030306) 
[468905.636659] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49910 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CDDC30000000001030306) 
[468939.580532] device eth0 left promiscuous mode
[468941.338008] device wlan0 left promiscuous mode

Ich habe erwartet, in der Ablaufverfolgung einige Protokollzeilen mit FORWARDund zu sehen OUT=eth0, aber ich sehe nichts. Was mache ich hier falsch?

Antwort1

IPv4 ForwardingDas Problem war, dass ich die Konfiguration für den Kernel nicht aktiviert hatte :

samveen@pi3:~$ cat  /etc/sysctl.d/51-ipv4-forwarding.conf 
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
samveen@pi3:~$ sudo sysctl -p /etc/sysctl.d/51-ipv4-forwarding.conf 
net.ipv4.ip_forward = 1

Damit hat alles oben genannte wie erwartet funktioniert.

verwandte Informationen