내 시나리오에는 다음과 같은 2개의 Debian 서버가 있습니다. 첫 번째 서버는 기본 openvpn 서버이며 2개의 NICS 활성 eth0(172.25.156.146) 및 eth3(172.26.16.1)이 있습니다. 두 번째 서버에도 2개의 NICS 활성 eth0 172.26이 있습니다. 16.16 및 eth1 10.77.144.75. 두 서버 모두 172.26.16.0/24에 직접 연결되어 있습니다.
내 LAN의 일부 서비스/서버는 두 번째 서버(따라서 직접 연결)에서만 액세스할 수 있으며 이러한 내부 서버/서비스를 기본 서버(172.25.156.146)에서 액세스할 수 있도록 다음 규칙이 활성화되었습니다.
메인 서버에서:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.25.156.145 0.0.0.0 UG 0 0 0 eth0
10.77.144.0 172.26.16.16 255.255.255.0 UG 0 0 0 eth3 # internal servers range
10.250.250.0 0.0.0.0 255.255.255.0 U 0 0 0 tap3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
172.17.17.0 0.0.0.0 255.255.255.0 U 0 0 0 tap5
172.25.132.0 172.25.156.145 255.255.255.128 UG 0 0 0 eth0
172.25.156.144 0.0.0.0 255.255.255.248 U 0 0 0 eth0
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 #route back
두 번째 서버로
172.31.249.0 0.0.0.0 255.255.255.0 U 0 0 0 tap4
192.168.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 tap6
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap6
192.168.88.0 192.168.88.2 255.255.255.0 UG 0 0 0 tun0
192.168.88.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.200.0 192.168.200.1 255.255.255.0 UG 0 0 0 tap2
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 tap2
192.168.200.100 192.168.200.1 255.255.255.255 UGH 0 0 0 tap2
/proc/sys/net/ipv4/ip_forward = 1
iptables rules (even though it is not relevant)
Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
pkts bytes target prot opt in out source destination
252 15593 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.128.0/24 ctstate NEW
1671K 742M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.88.0/24 10.77.128.0/24 ctstate NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
두 번째 서버에서
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.0 10.77.144.1 255.0.0.0 UG 0 0 0 eth1
10.77.144.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 # towards the internal servers
172.25.132.0 10.77.144.1 255.255.255.128 UG 0 0 0 eth1
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 # route back to the main server
192.168.88.0 172.26.16.1 255.255.255.0 UG 0 0 0 eth0
iptables 규칙:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2330 127K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41784 2293K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14 840 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
947 149K DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4346 833K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 512 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 state NEW
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10620 879K ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
pkts bytes target prot opt in out source destination
IP 전달이 활성화되었습니다.
문제: 주 서버에서는 내부 서버에 핑을 보낼 수 없지만 두 번째 서버에서는 핑할 수 있습니다. 어떤 도움이라도 주시면 감사하겠습니다.
답변1
다음은 위의 문제를 해결했습니다(두 번째 서버에서 실행되는 경우).
root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE –