Routing specific packets to a specific destination port through a VPN

I am trying to achieve something very similar to this: iptables - Output traffic on different interfaces based on destination port? (https://unix.stackexchange.com/questions/21093/output-traffic-on-different-interfaces-based-on-destination-port), but I haven't been able to get it working.

Here is my setup:

RPi4 (local IP, eth0: 10.0.0.196/24; WireGuard IP: 10.10.10.2/24; WireGuard interface named "client") <---> server (WireGuard IP: 10.10.10.1/24, public IPv4) <---> Internet

Here is my test snippet so far:

systemctl start wg-quick@client.service

sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.client.rp_filter=0

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

ip rule add fwmark 2 table 3
ip route add default via 10.10.10.1 table 3
ip route flush cache

iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -o client -j SNAT --to-source 10.10.10.2

If I then try to reach, for example,

telnet -4 gmail-smtp-in.l.google.com 25
Trying 108.177.119.26...
telnet: Unable to connect to remote host: No route to host

Any other traffic (anything not tagged with my mark "2") is routed correctly via eth0 (not "client") and works fine (e.g. ping 1.1.1.1, curl ifconfig.me).


This is what routing and iptables look like before and after running the snippet above.

Before:

# ip route show table all
default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.196 metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.196
10.0.0.1 dev eth0 proto dhcp scope link src 10.0.0.196 metric 100
broadcast 10.0.0.0 dev eth0 table local proto kernel scope link src 10.0.0.196
local 10.0.0.196 dev eth0 table local proto kernel scope host src 10.0.0.196
broadcast 10.0.0.255 dev eth0 table local proto kernel scope link src 10.0.0.196
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
# iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

After:

# ip route show table all
default via 10.10.10.1 dev client table 3
default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.196 metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.196
10.0.0.1 dev eth0 proto dhcp scope link src 10.0.0.196 metric 100
10.10.10.0/24 dev client proto kernel scope link src 10.10.10.2
broadcast 10.0.0.0 dev eth0 table local proto kernel scope link src 10.0.0.196
local 10.0.0.196 dev eth0 table local proto kernel scope host src 10.0.0.196
broadcast 10.0.0.255 dev eth0 table local proto kernel scope link src 10.0.0.196
broadcast 10.10.10.0 dev client table local proto kernel scope link src 10.10.10.2
local 10.10.10.2 dev client table local proto kernel scope host src 10.10.10.2
broadcast 10.10.10.255 dev client table local proto kernel scope link src 10.10.10.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x2 lookup 3
32766:  from all lookup main
32767:  from all lookup default
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -o client -j SNAT --to-source 10.10.10.2
# iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x2/0xffffffff

Answer 1

Here is a diagram of how network packets flow through the netfilter tables. It looks to me like it doesn't work because the routing decision has already been made by the time the packet passes your fwmark rule, and you can't make it leave through another interface.

You can use policy-based routing directly, without fwmark. If I read your example correctly, this should redirect all outgoing SMTP traffic through WireGuard:

iptables -t nat -A POSTROUTING -o client -j SNAT --to-source 10.10.10.2
ip rule add priority 1000 dport 25 table 3
ip route add default via 10.10.10.1 table 3

See man ip-rule for details.
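The script below is an added example and not code from the answer or the question. It wraps the three commands above in an idempotent bring-up, a check and a teardown. It takes the interface, addresses, table and priority from the question and answer (client, 10.10.10.2, 10.10.10.1, table 3, priority 1000); the extra ports and the variable overrides are my additions. Two points the answer does not spell out: the route in table 3 carries a src hint so that unbound sockets get the tunnel address (the SNAT rule is then only needed for traffic forwarded from other hosts), and the tunnel interface is switched to loose reverse-path filtering, because the reverse-path lookup for incoming replies does not match the dport selector, resolves via eth0, and would be rejected in strict mode. The ipproto/dport selectors for ip rule and ip route get need kernel and iproute2 4.17 or newer.

```shell
#!/bin/sh
# Added example (not the answer's own code): idempotent bring-up, check and
# teardown of the dport-based policy routing from Answer 1.
# Assumed from the question/answer: tunnel interface "client", local tunnel
# address 10.10.10.2, tunnel gateway 10.10.10.1, table 3, rule priority 1000.
# The port list and the variable overrides are additions. DRY_RUN=1 prints the
# commands instead of running them. ipproto/dport selectors need kernel and
# iproute2 4.17 or newer.
set -eu

WG_IF=${WG_IF:-client}
WG_SRC=${WG_SRC:-10.10.10.2}
WG_GW=${WG_GW:-10.10.10.1}
TABLE=${TABLE:-3}
PRIO=${PRIO:-1000}
PORTS=${PORTS:-"25 465 587"}     # SMTP, SMTPS, submission

run() {                          # run a command, or print it under DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

rule_exists() {                  # true when the rule for TCP port $1 is present
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    ip -4 rule show | grep -q "ipproto tcp dport $1 lookup $TABLE\$"
}

pbr_up() {
    # Table 3 holds one default route through the tunnel. The 'src' hint makes
    # the kernel source unbound sockets from the tunnel address, so locally
    # generated traffic needs no SNAT (SNAT matters only for forwarded traffic).
    run ip -4 route replace default via "$WG_GW" dev "$WG_IF" src "$WG_SRC" table "$TABLE"
    # Replies come back on the tunnel, but the reverse-path lookup for them does
    # not match the dport selector and resolves via eth0; strict rp_filter would
    # drop them. Loose mode on the tunnel is enough, but the effective setting
    # is max(all, interface), so 'all' must not stay at 1.
    run sysctl -w "net.ipv4.conf.all.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$WG_IF.rp_filter=2"
    for p in $PORTS; do
        rule_exists "$p" || run ip -4 rule add priority "$PRIO" ipproto tcp dport "$p" table "$TABLE"
    done
}

pbr_check() {                    # show the route chosen for $1, TCP port ${2:-25}
    run ip -4 route get "$1" ipproto tcp dport "${2:-25}"
}

pbr_down() {
    for p in $PORTS; do
        run ip -4 rule del priority "$PRIO" ipproto tcp dport "$p" table "$TABLE" || true
    done
    run ip -4 route flush table "$TABLE" || true
}

case ${1:-} in
    up)    pbr_up ;;
    down)  pbr_down ;;
    check) pbr_check "${2:?destination address required}" "${3:-25}" ;;
esac
```

Run it as root with `up`; afterwards `check 108.177.119.26` should print a route with dev client and src 10.10.10.2, while `check 1.1.1.1 443` should still show eth0. `DRY_RUN=1 sh pbr-smtp.sh up` prints the commands it would execute without touching the system.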

Answer 2

I understand that what you need is simply to establish a VPN connection and send all external traffic through the VPN. If I got that right, set up your WireGuard as follows:

Server side (/etc/wireguard/wg0.conf)

[Interface]
PrivateKey = <YOUR PRIVATE KEY HERE>
Address = 10.10.10.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = [CLIENT'S PUBLIC KEY]
AllowedIPs = 10.10.10.2/32   # The client's IP address

Client side (/etc/wireguard/wg0.conf)

[Interface]
PrivateKey = <Output of privatekey file that contains your private key>
Address = 10.10.10.2/24
PostUp = ip route add [SERVER_PUBLIC_IP] via [LOCAL_GATEWAY_IP] dev eth0

[Peer]
PublicKey = <Server Public key>
Endpoint = <Server Public IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Note that you need to add a route that sends all traffic destined for your WireGuard server's public IP over Ethernet, otherwise it breaks the client's connection.

The following how-to was very helpful for me: How to set up WireGuard firewall rules in Linux

Note 1: In this case you only need to set up NAT MASQUERADE on the server side.

Note 2: You need to enable IP forwarding on your Linux machine:

# the redirection runs as your own user, so the privileged write has to go through tee
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
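As an added example that is not part of the answer, the helper below checks the cryptokey-routing side of a client config offline. WireGuard only encrypts a packet to a peer whose AllowedIPs cover the destination, choosing the longest matching prefix; a destination that no peer covers is dropped by the interface, and for locally generated IPv4 packets the sending socket sees that as a host-unreachable error. The configs it reads are constructed here (placeholder keys, the documentation address 203.0.113.10 as endpoint, a second peer for one subnet), and it handles IPv4 entries only.

```shell
#!/bin/sh
# Added example, not from the answer: offline WireGuard cryptokey-routing lookup.
# For an IPv4 destination it prints the PublicKey of the [Peer] whose AllowedIPs
# would carry the packet (longest prefix wins), or "none" if no peer covers it.
# Assumptions: wg-quick style config, IPv4 AllowedIPs only (IPv6 entries skipped).
set -eu

ip4_to_int() {                # 10.10.10.2 -> 168430082
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                   # in_cidr ADDR NET[/LEN]; exit 0 when ADDR is inside
    case $2 in */*) _cnet=${2%/*}; _clen=${2#*/} ;; *) _cnet=$2; _clen=32 ;; esac
    _addr=$(ip4_to_int "$1"); _cnet=$(ip4_to_int "$_cnet")
    _mask=$(( (4294967295 << (32 - _clen)) & 4294967295 ))   # 64-bit shell arithmetic
    [ $(( _addr & _mask )) -eq $(( _cnet & _mask )) ]
}

wg_peer_for() {               # wg_peer_for CONF ADDR -> peer PublicKey or "none"
    _dst=$2; _best_len=-1; _best_key=none; _cur_key=none
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                        # drop trailing comments
        case $_line in
            *PublicKey*=*)
                _cur_key=$(printf '%s' "${_line#*=}" | tr -d ' \t') ;;
            *AllowedIPs*=*)
                for _cidr in $(printf '%s' "${_line#*=}" | tr ',' ' '); do
                    case $_cidr in *:*) continue ;; */*) _len=${_cidr#*/} ;; *) _len=32 ;; esac
                    if in_cidr "$_dst" "$_cidr" && [ "$_len" -gt "$_best_len" ]; then
                        _best_len=$_len; _best_key=$_cur_key
                    fi
                done ;;
        esac
    done < "$1"
    echo "$_best_key"
}

# Constructed client config (not the OP's) written to file $1, with the server
# peer's AllowedIPs taken from $2 so both variants can be compared.
make_demo_conf() {
    cat > "$1" <<EOF
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.10.10.2/24

[Peer]
PublicKey = SERVER_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = $2
PersistentKeepalive = 25

[Peer]
PublicKey = SITE_KEY_PLACEHOLDER        # a second peer reachable for one subnet only
AllowedIPs = 192.0.2.0/24
EOF
}

if [ $# -eq 2 ]; then wg_peer_for "$1" "$2"; fi
```

`sh wg-peer-for.sh /etc/wireguard/wg0.conf 108.177.119.26` prints the public key of the peer that would carry the packet, or none. With only the tunnel subnet (AllowedIPs = 10.10.10.0/24) on the server peer, an Internet destination has no peer; with 0.0.0.0/0 as in the answer's client config every destination does, and the more specific 192.0.2.0/24 peer still wins for its own subnet.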
