国内外分流 iptables 规则求指点

2018-07-30 12:47:47 +08:00
 Laynooor

起因


水平不够,折腾了一天的 iptables 规则还是没获得自己想要的效果。 把自己目前的状况写下来希望有大佬能指点一二……

详情


见图

目标就是国内外分流 CN 客户端 A 连上 VPN 之后,国内 IP 段从 eth0 走,国外 IP 段从 ppp0 走。

有用的信息和遇到的问题

如上图全部 VPN 建立连接后

192.168.125.1 [US 服务器 VPN 服务端网关] 成功访问 RouterOS 的管理页面
172.20.168.44 [US 服务器 eth0 IP] 成功访问 RouterOS 的管理页面
...
正常网站均能打开。
不存在的网站均无法打开。

使用 ip route add 命令添加。

default via 2.2.2.1 dev eth0 onlink ( eth0 默认公网路由)
114.114.114.0/24 via 192.168.125.1 dev ppp0 (临时设置测试连通性)
172.20.168.0/24 via 192.168.125.1 dev ppp0 (临时设置测试连通性,US 内网 IP 段)
172.217.0.0/16 via 192.168.125.1 dev ppp0 (临时设置测试连通性,Google)
192.168.42.10 dev ppp1 proto kernel scope link src 192.168.42.1 ( ppp1 默认路由)
192.168.125.1 dev ppp0 proto kernel scope link src 192.168.125.200 (ppp0 默认路由)
2.2.2.0/24 dev eth0 proto kernel scope link src 2.2.2.2 ( eth0 默认公网路由)

Chain INPUT (policy DROP 74 packets, 5196 bytes)
 pkts bytes target     prot opt in     out     source               destination         
36215 2419K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
11619  569K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 271K   38M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   18  7456 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    8   776 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
18873 1404K ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
18873 1404K ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
13384 1079K ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2445  163K ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2445  163K ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2445  163K ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  362 16596 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ppp+   ppp+    0.0.0.0/24           192.168.42.0/24     
    0     0 ACCEPT     all  --  ppp+   ppp+    192.168.42.0/24      0.0.0.0/24          
  344 29047 ACCEPT     all  --  ppp+   ppp+    192.168.42.0/24      172.20.168.0/24     
  476 74499 ACCEPT     all  --  ppp+   ppp+    192.168.125.0/24     192.168.42.0/24     
  641 39905 ACCEPT     all  --  ppp+   ppp+    192.168.42.0/24      192.168.125.0/24    
63115  114M ACCEPT     all  --  eth0   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
96728 8340K ACCEPT     all  --  ppp+   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp+   ppp+    192.168.42.0/24      192.168.42.0/24     
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    192.168.43.0/24      0.0.0.0/0           
 2215  293K ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2215  293K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1613 96831 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1613 96831 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1613 96831 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1613 96831 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1613 96831 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1 packets, 116 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 283K  262M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 283K  262M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  770 59547 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  770 59547 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  770 59547 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  770 59547 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   20  1156 REJECT     all  --  *      *       119.90.39.158        0.0.0.0/0            reject-with icmp-port-unreachable
35772 2390K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9577  747K ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
   74 16946 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
   11   548 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
   21  1028 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
   14  4632 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
 1242  146K ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  422 25371 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2411  161K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  602  196K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 1613 96831 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   54  3324 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
  530 27946 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
18289 1373K ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
18289 1373K ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  349 36371 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 282K  262M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  770 59547 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 7382  458K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
10907  915K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
10939  916K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   524 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
  706 53027 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4871  291K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
    4   192 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
   30  1930 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING (policy ACCEPT 40331 packets, 2639K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 5456 packets, 328K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 775 packets, 60021 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1141 packets, 81902 bytes)
 pkts bytes target     prot opt in     out     source               destination         
12853  767K MASQUERADE  all  --  *      eth0    192.168.42.0/24      0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      eth0    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
    1    56 MASQUERADE  all  --  *      eth0    192.168.125.0/24     0.0.0.0/0           

控制台安全组已放行全部端口。Mangle 无规则。


其他

CN 和 US 之间互联本来想用 Gre over IPsec 的,但是 Gre 怎么也起不来,遂放弃,选用 L2TP 互联。

不知道有没有更好的互联方法,可以回复告诉我。

排版和写内容花了一个小时……

1891 次点击
所在节点    问与答
2 条回复
Laynooor
2018-07-30 13:02:14 +08:00
更正:

从 CN 客户端 A 进行 ping 测试:114.114.114.114

路由为: 192.168.42.1 -> 空路由
Laynooor
2018-07-30 13:08:14 +08:00
tail -f /var/log/syslog 看到这个:

Jul 30 13:03:58 vm719214 kernel: [78472.868822] [UFW BLOCK] IN=ppp1 OUT=ppp0 MAC= SRC=192.168.42.10 DST=114.114.114.114 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59046 DF PROTO=TCP SPT=38030 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

但不知道是哪条规则引起的。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/475306

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX