Debugging my NAT setup

I am trying to get a Raspberry Pi3 to forward traffic coming in on wlan0 further upstream via eth0, but it is failing for some reason I cannot see. Hopefully someone else can spot the problem.

Pi3 status:

# Interfaces
samveen@pi3:~$ ip -o -4 a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: wlan0    inet 192.168.0.124/24 brd 192.168.0.255 scope global dynamic wlan0\       valid_lft 166572sec preferred_lft 166572sec

# Routes
samveen@pi3:~$ ip r
default via 10.0.0.5 dev eth0 proto static 
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.124 
192.168.0.1 dev wlan0 proto dhcp scope link src 192.168.0.124 metric 600 

# iptables rules
samveen@pi3:~$ cat routing.sh 
#!/bin/bash -x
# Setup forwarding (with NAT) from wlan0 towards eth0
# https://raspberrypi.stackexchange.com/a/50073/124471
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT  

# Internet test
samveen@pi3:~$ curl --silent -I network-test.debian.org |egrep  '^H|X-Cl'
HTTP/1.1 200 OK
X-Clacks-Overhead: GNU Terry Pratchett

# add iptables tracing
samveen@pi3:~$ sudo iptables -t raw -A PREROUTING -p tcp --source 192.168.0.0/24 --dport 80 -j TRACE
samveen@pi3:~$ sudo iptables -t raw -A OUTPUT -p tcp --source 192.168.0.0/24 --dport 80 -j TRACE

To check what was going wrong, I ran wget -4 -O - http://google.com on the downstream host (192.168.0.1) to try to trace the packets.

  • tcpdump of the incoming packets on the problem host (not forwarded):
# tcpdump of incoming packets
samveen@pi3:~$ sudo tcpdump -nvvvi wlan0 tcp and src host 192.168.0.1 and dst port 80
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:12.492367 IP (tos 0x0, ttl 64, id 49906, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x86c5 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182572917 ecr 0,nop,wscale 6], length 0
15:44:13.536363 IP (tos 0x0, ttl 64, id 49907, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x82b7 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182573955 ecr 0,nop,wscale 6], length 0
15:44:15.615949 IP (tos 0x0, ttl 64, id 49908, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x7a97 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182576035 ecr 0,nop,wscale 6], length 0
15:44:19.697021 IP (tos 0x0, ttl 64, id 49909, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x6aa7 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182580115 ecr 0,nop,wscale 6], length 0
15:44:27.935601 IP (tos 0x0, ttl 64, id 49910, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.1.53814 > 216.58.200.206.80: Flags [S], cksum 0x4a77 (correct), seq 925105116, win 29200, options [mss 1460,sackOK,TS val 1182588355 ecr 0,nop,wscale 6], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
  • At the same time, tcpdump on the problem host's outgoing interface gives me no packets at all (I expected to see the outgoing packets here):
samveen@pi3:~$ sudo tcpdump -nvvvi eth0 tcp and  dst port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
  • The trace log from dmesg:
[468794.617195] device eth0 entered promiscuous mode
[468798.441177] device wlan0 entered promiscuous mode
[468890.193285] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA1750000000001030306) 
[468890.193395] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA1750000000001030306) 
[468891.237300] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49907 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA5830000000001030306) 
[468891.237413] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49907 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CA5830000000001030306) 
[468893.316857] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49908 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CADA30000000001030306) 
[468893.316958] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49908 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CADA30000000001030306) 
[468897.397941] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49909 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CBD930000000001030306) 
[468897.398056] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49909 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CBD930000000001030306) 
[468905.636557] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49910 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CDDC30000000001030306) 
[468905.636659] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= MAC=b8:27:eb:2b:84:0c:b8:27:eb:5d:a5:46:08:00 SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49910 DF PROTO=TCP SPT=53814 DPT=80 SEQ=925105116 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A467CDDC30000000001030306) 
[468939.580532] device eth0 left promiscuous mode
[468941.338008] device wlan0 left promiscuous mode

In the trace I expected to see some log lines with FORWARD and OUT=eth0, but I see nothing at all. What am I doing wrong here?

Answer 1

The problem was that I had not enabled IPv4 forwarding in the kernel configuration:

samveen@pi3:~$ cat  /etc/sysctl.d/51-ipv4-forwarding.conf 
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
samveen@pi3:~$ sudo sysctl -p /etc/sysctl.d/51-ipv4-forwarding.conf 
net.ipv4.ip_forward = 1

With that, everything above works as expected.
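The dmesg trace in the question shows each SYN in raw:PREROUTING and nat:PREROUTING and then nothing, which is exactly what a packet looks like when the routing decision after PREROUTING refuses to hand it to the forward path (net.ipv4.ip_forward=0, as the answer found). The following script is an added example, not code from the question or answer: it groups iptables TRACE lines by packet and reports where each one stopped, so the "no FORWARD, no OUT=" pattern can be spotted mechanically rather than by eye. The sample log is constructed: the first two lines follow the shape of the question's trace with the MAC and TCP option fields trimmed, and the second packet (to 1.1.1.1, id 50001) is a hypothetical one that does traverse filter:FORWARD and nat:POSTROUTING, which is what the trace should look like once forwarding is on.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output. Packet id=49906 mirrors the question's
# trace (stops after nat:PREROUTING); packet id=50001 is hypothetical and
# shows a packet that is actually forwarded and masqueraded.
SAMPLE_DMESG = """\
[468890.193285] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SYN URGP=0
[468890.193395] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= SRC=192.168.0.1 DST=216.58.200.206 LEN=60 TTL=64 ID=49906 DF PROTO=TCP SPT=53814 DPT=80 SYN URGP=0
[468950.000000] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= SRC=192.168.0.1 DST=1.1.1.1 LEN=60 TTL=64 ID=50001 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
[468950.000100] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= SRC=192.168.0.1 DST=1.1.1.1 LEN=60 TTL=64 ID=50001 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
[468950.000200] TRACE: filter:FORWARD:rule:2 IN=wlan0 OUT=eth0 SRC=192.168.0.1 DST=1.1.1.1 LEN=60 TTL=63 ID=50001 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
[468950.000300] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=192.168.0.1 DST=1.1.1.1 LEN=60 TTL=63 ID=50001 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
"""

# "TRACE: table:chain:kind:rulenum key=value key=value ..."
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<rule>\d+) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_trace_line(line):
    """Return (table, chain, kind, rule, fields) for a TRACE line, else None."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return m.group("table"), m.group("chain"), m.group("kind"), int(m.group("rule")), fields


def packet_key(f):
    """Identify one packet by its 5-tuple-ish fields plus the IP ID."""
    return "%s:%s->%s:%s id=%s" % (
        f.get("SRC"), f.get("SPT", "-"), f.get("DST"), f.get("DPT", "-"), f.get("ID"))


def group_hops(text):
    """Group TRACE lines by packet, preserving the order the kernel logged them."""
    hops = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_trace_line(line)
        if parsed is not None:
            hops[packet_key(parsed[4])].append(parsed)
    return hops


def diagnose(hop_list):
    """Classify where a traced packet ended up from the chains it visited."""
    chains = [(t, c) for t, c, _, _, _ in hop_list]
    if any(c == "FORWARD" for _, c in chains):
        out_if = next(f.get("OUT", "") for t, c, _, _, f in hop_list if c == "FORWARD")
        return {"verdict": "forwarded", "out": out_if,
                "snat_seen": ("nat", "POSTROUTING") in chains}
    if any(c == "INPUT" for _, c in chains):
        return {"verdict": "delivered_locally"}
    if chains[-1] == ("nat", "PREROUTING"):
        # Routing decision sits between nat:PREROUTING and FORWARD/INPUT.
        # Nothing after it means the kernel refused to forward (no route,
        # or net.ipv4.ip_forward=0, which is the case on this page).
        return {"verdict": "dropped_at_routing_decision",
                "hint": "no FORWARD hop after nat:PREROUTING; check net.ipv4.ip_forward and the route to DST"}
    return {"verdict": "unknown", "last_hop": "%s:%s" % chains[-1]}


def analyse(text):
    """Map each traced packet to its diagnosis."""
    return {key: diagnose(hops) for key, hops in group_hops(text).items()}


if __name__ == "__main__":
    for key, result in analyse(SAMPLE_DMESG).items():
        print(key, result)
```

Run it against a real capture with "sudo dmesg | python3 trace_diag.py"-style piping by replacing SAMPLE_DMESG with sys.stdin.read(); the TRACE rules from the question already limit what gets logged to the flows of interest. Remember to delete those raw-table TRACE rules afterwards, since every matching packet costs a kernel log line.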
