水平不够,折腾了一天的 iptables 规则还是没获得自己想要的效果。 把自己目前的状况写下来希望有大佬能指点一二……
见图。
目标就是国内外分流 CN 客户端 A 连上 VPN 之后,国内 IP 段从 eth0 走,国外 IP 段从 ppp0 走。
如上图全部 VPN 建立连接后。
192.168.125.1 [US 服务器 VPN 服务端网关] 成功访问 RouterOS 的管理页面
172.20.168.44 [US 服务器 eth0 IP] 成功访问 RouterOS 的管理页面
...
正常网站均能打开。
不存在的网站均无法打开。
使用 ip route add
命令添加。
default via 2.2.2.1 dev eth0 onlink ( eth0 默认公网路由)
114.114.114.0/24 via 192.168.125.1 dev ppp0 (临时设置测试连通性)
172.20.168.0/24 via 192.168.125.1 dev ppp0 (临时设置测试连通性,US 内网 IP 段)
172.217.0.0/16 via 192.168.125.1 dev ppp0 (临时设置测试连通性,Google)
192.168.42.10 dev ppp1 proto kernel scope link src 192.168.42.1 ( ppp1 默认路由)
192.168.125.1 dev ppp0 proto kernel scope link src 192.168.125.200 (ppp0 默认路由)
2.2.2.0/24 dev eth0 proto kernel scope link src 2.2.2.2 ( eth0 默认公网路由)
Chain INPUT (policy DROP 74 packets, 5196 bytes)
pkts bytes target prot opt in out source destination
36215 2419K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol none
11619 569K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
271K 38M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
18 7456 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
8 776 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 policy match dir in pol ipsec
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
18873 1404K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
18873 1404K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
13384 1079K ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
2445 163K ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2445 163K ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
2445 163K ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
362 16596 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- ppp+ ppp+ 0.0.0.0/24 192.168.42.0/24
0 0 ACCEPT all -- ppp+ ppp+ 192.168.42.0/24 0.0.0.0/24
344 29047 ACCEPT all -- ppp+ ppp+ 192.168.42.0/24 172.20.168.0/24
476 74499 ACCEPT all -- ppp+ ppp+ 192.168.125.0/24 192.168.42.0/24
641 39905 ACCEPT all -- ppp+ ppp+ 192.168.42.0/24 192.168.125.0/24
63115 114M ACCEPT all -- eth0 ppp+ 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
96728 8340K ACCEPT all -- ppp+ eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- ppp+ ppp+ 192.168.42.0/24 192.168.42.0/24
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.43.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * eth0 192.168.43.0/24 0.0.0.0/0
2215 293K ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
2215 293K ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1613 96831 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1613 96831 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1613 96831 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1613 96831 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
1613 96831 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 116 bytes)
pkts bytes target prot opt in out source destination
283K 262M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
283K 262M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
770 59547 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
770 59547 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
770 59547 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
770 59547 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
20 1156 REJECT all -- * * 119.90.39.158 0.0.0.0/0 reject-with icmp-port-unreachable
35772 2390K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
9577 747K ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
74 16946 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
11 548 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
21 1028 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
14 4632 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
1242 146K ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
422 25371 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
2411 161K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
602 196K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
1613 96831 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
54 3324 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
530 27946 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
18289 1373K ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
18289 1373K ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
349 36371 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
282K 262M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
770 59547 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
7382 458K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
10907 915K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
10939 916K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
7 524 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
706 53027 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
4871 291K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22
4 192 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
30 1930 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 40331 packets, 2639K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 5456 packets, 328K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 775 packets, 60021 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1141 packets, 81902 bytes)
pkts bytes target prot opt in out source destination
12853 767K MASQUERADE all -- * eth0 192.168.42.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 192.168.43.0/24 0.0.0.0/0 policy match dir out pol none
1 56 MASQUERADE all -- * eth0 192.168.125.0/24 0.0.0.0/0
控制台安全组已放行全部端口。Mangle 无规则。
CN 和 US 之间互联本来想用 Gre over IPsec 的,但是 Gre 怎么也起不来,遂放弃,选用 L2TP 互联。
不知道有没有更好的互联方法,可以回复告诉我。
排版和写内容花了一个小时……
这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.