我正在 VyOS 路由器上設定 TPROXY,將某些流量轉送到本地透明代理。它運行得很好,直到我發現我的所有 DNAT 連接埠轉送規則都不再起作用(從外部網路連接時連接逾時)。
環境
- 路由器:(
10.0.0.1/24代理正在1234連接埠上運行並新增 SO_MARK0xff) - 內部主機:(
10.0.0.2/24連接埠80應公開)
TPROXY規則
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
nft add table myproxy
nft add chain myproxy prerouting { type filter hook prerouting priority 0 \; }
nft add rule myproxy prerouting ip daddr { 127.0.0.1/32, 224.0.0.0/4, 255.255.255.255/32 } return
nft add rule myproxy prerouting meta l4proto tcp ip daddr 10.0.0.0/24 return
nft add rule myproxy prerouting mark 0xff return
nft add rule myproxy prerouting meta l4proto { tcp, udp } mark set 1 tproxy to 127.0.0.1:1234 accept
nft add chain myproxy output { type route hook output priority 0 \; }
nft add rule myproxy output ip daddr { 127.0.0.1/32, 224.0.0.0/4, 255.255.255.255/32 } return
nft add rule myproxy output meta l4proto tcp ip daddr 10.0.0.0/24 return
nft add rule myproxy output mark 0xff return
nft add rule myproxy output meta l4proto { tcp, udp } mark set 1 accept
nft add table filter
nft add chain filter divert { type filter hook prerouting priority -150 \; }
nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
DNAT規則
$ nft 清單表 nat
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
iifname "pppoe0" tcp dport { 8080 } counter packets 7 bytes 400 dnat to 10.0.0.2:80
}
}
症狀
連接RouterPublicIP:8080逾時。理想情況下,它應該將流量轉送到10.0.0.2:80.
我猜入站 DNAT 流量被錯誤地轉發到代理(而不是實際主機10.0.0.2),但是我無法找出正確的 nft 規則。
先致謝!