我想在 XEN 上安裝 OpenVPN domU。 Dom0 和 domU 正在運行 Debian Squeeze,所有 domU 都在 NAT 專用網路 10.0.0.1/24 上,我的 VPN-Gate 是 von 10.0.0.1 並且正在運行。如何才能在dom0公網IP下存取呢?
我嘗試使用 iptables 轉發端口,但沒有成功。
這是我所做的:
~ # iptables -L -n -v
Chain INPUT (policy ACCEPT 1397 packets, 118K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 930 packets, 133K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif5.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0 udp spt:68 dpt:67
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif5.0
0 0 ACCEPT all -- * * 10.0.0.1 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif3.0 udp spt:68 dpt:67
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
0 0 ACCEPT all -- * * 10.0.0.5 0.0.0.0/0 PHYSDEV match --physdev-in vif3.0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif2.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif2.0 udp spt:68 dpt:67
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif2.0
0 0 ACCEPT all -- * * 10.0.0.2 0.0.0.0/0 PHYSDEV match --physdev-in vif2.0
147 8236 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
13 546 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
Chain OUTPUT (policy ACCEPT 1000 packets, 99240 bytes)
pkts bytes target prot opt in out source destination
~ # iptables -L -t nat -n -v
Chain PREROUTING (policy ACCEPT 324 packets, 23925 bytes)
pkts bytes target prot opt in out source destination
139 7824 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.5:80
1 42 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 to:10.0.0.1:1194
Chain POSTROUTING (policy ACCEPT 92 packets, 5030 bytes)
pkts bytes target prot opt in out source destination
863 64983 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 180 packets, 13953 bytes)
pkts bytes target prot opt in out source destination
答案1
我設法讓它工作。錯誤不在於包轉發,而在於IP路由。我需要確保 VPN 用戶端知道在哪裡可以找到 10.0.0.0/24 網路。這可以透過使用 OpenVPN 來完成push-route
。