请教 iptables 防火墙及路由配置的打通两地局域网的问题

各位，基于 tinc 已经可以把各个节点都连接起来了，但是问题是每个要访问的节点上都需要安装 tinc，比较麻烦。

因此想通过配置路由的方式打通两地的局域网，这样只需要在路由器或 Linux 节点上配置一次 tinc 客户端即可，以下是网络拓扑：

+--------------------+       +       +--------------------+
|                    |       |       |                    |
|192.168.1.1/24 - LAN|       +<------+10.200.30.1/24 - LAN|
|172.16.14.1/24 - VPN+------>+       |172.16.14.2/24 - VPN|
|                    |       |       |                    |
+--------------------+       +       +--------------------+
          A                                     B

A、B 分别作为网关(路由器)。现在是想通过在 A、B 两个节点上配置路由和 iptables 规则，以达到 A 节点网络内主机可以访问 B 节点局域网其他主机的内容。

在 A 节点上配置路由：

ip route add 10.200.30.0/24 via 172.16.14.2

在 B 节点上配置路由和 iptables 规则:

iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br-lan -j MASQUERADE

由于 B 节点不需要访问 A 节点内资源，因此没有在 B 上配置到 A 的路由。

但目前现在好像 A 节点和 A 节点局域网内的其他主机依然 ping 不通 B 节点网络内的主机。不知道是哪里出了问题。。。

jasonyang9

2020-02-11 14:39:14 +08:00

听上去是因为没有从 B 到 A 的路由导致 ping 的 echo-reply 数据包无法回到 A 网络

lilogo

2020-02-11 15:18:51 +08:00

@jasonyang9 应该不是这个原因，理论上 B 收到的包应该是来自 172.16.14.1 的，而不是 192.168.1.1 的，而 172 网段的是 VPN 网段，本身即可正常通信。

lilogo

2020-02-11 15:34:57 +08:00

在 A 节点机器 ping B 节点时，在 A 节点上使用 `tcpdump tun0` 抓包如下：

```
15:28:25.364435 IP 172.16.14.1 > 10.200.30.55: ICMP echo request, id 63083, seq 19, length 64
15:28:25.364779 IP 10.200.30.55 > 172.16.14.1: ICMP net 10.200.30.55 unreachable - unknown, length 92
15:28:26.364657 IP 172.16.14.1 > 10.200.30.55: ICMP echo request, id 63083, seq 20, length 64
15:28:26.365404 IP 10.200.30.55 > 172.16.14.1: ICMP net 10.200.30.55 unreachable - unknown, length 92
15:28:27.364882 IP 172.16.14.1 > 10.200.30.55: ICMP echo request, id 63083, seq 21, length 64
15:28:27.365638 IP 10.200.30.55 > 172.16.14.1: ICMP net 10.200.30.55 unreachable - unknown, length 92
15:28:28.365165 IP 172.16.14.1 > 10.200.30.55: ICMP echo request, id 63083, seq 22, length 64
15:28:28.365573 IP 10.200.30.55 > 172.16.14.1: ICMP net 10.200.30.55 unreachable - unknown, length 92
```

izoabr

2020-02-11 15:42:46 +08:00

你去 B 上加上那条路由试试不就知道了。
还有要把包转发打开哦。

lilogo

2020-02-11 15:42:59 +08:00

补充下所有主机都是可 ping 的，而且直接在 A、B 节点上 ping 172.16.14.0/24 网段内机器都是可以 ping 通的。
另外 tcpdump 抓虚拟网卡的命令是 tcpdump -i tun0

lilogo

2020-02-11 15:50:30 +08:00

@izoabr
@jasonyang9 在 B 上加上了到 A 的路由依然不行:

```
ip route add 192.168.1.0/24 via 172.16.14.1
```

izoabr

2020-02-11 15:53:13 +08:00

A 和 B 的路由表和策略表放出来看看

ip ro sh
ip ru sh

lilogo

2020-02-11 16:05:05 +08:00

A 节点的：
```
root@OpenWrt:~# ip route show
default via 53.3.94.1 dev pppoe-wan proto static
10.200.30.0/24 via 172.16.14.122 dev tun0
53.3.94.1 dev pppoe-wan proto kernel scope link src 53.3.94.180
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
172.16.14.0/24 dev ztmjffzrix proto kernel scope link src 172.16.14.1
172.16.14.0/24 dev tun0 proto kernel scope link src 172.16.14.1
192.168.133.0/24 dev tun1 proto kernel scope link src 192.168.133.1
root@OpenWrt:~# ip ru sh
0: from all lookup local
1001: from all iif pppoe-wan lookup main
2001: from all fwmark 0x100/0x3f00 lookup 1
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
```

B 节点的：
```
root@OpenWrt:~# ip route show
default via 10.200.30.250 dev br-lan src 10.200.30.1
10.200.30.0/24 dev br-lan scope link src 10.200.30.1
192.168.1.0/24 via 172.16.14.1 dev tun0
172.16.14.0/24 dev tun0 scope link src 172.16.14.2
root@OpenWrt:~# ip ru sh
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
```
@izoabr

lilogo

2020-02-11 16:10:17 +08:00

抱歉上一条有一行错了，参考这个：
A 节点的：
```
root@OpenWrt:~# ip route show
default via 53.3.94.1 dev pppoe-wan proto static
10.200.30.0/24 via 172.16.14.2 dev tun0
53.3.94.1 dev pppoe-wan proto kernel scope link src 53.3.94.180
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
172.16.14.0/24 dev ztmjffzrix proto kernel scope link src 172.16.14.1
172.16.14.0/24 dev tun0 proto kernel scope link src 172.16.14.1
192.168.133.0/24 dev tun1 proto kernel scope link src 192.168.133.1
root@OpenWrt:~# ip ru sh
0: from all lookup local
1001: from all iif pppoe-wan lookup main
2001: from all fwmark 0x100/0x3f00 lookup 1
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
```

B 节点的：
```
root@OpenWrt:~# ip route show
default via 10.200.30.250 dev br-lan src 10.200.30.1
10.200.30.0/24 dev br-lan scope link src 10.200.30.1
192.168.1.0/24 via 172.16.14.1 dev tun0
172.16.14.0/24 dev tun0 scope link src 172.16.14.2
root@OpenWrt:~# ip ru sh
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
```

@izoabr

izoabr

2020-02-11 16:47:10 +08:00

你用 traceroute 探一遍路看看。
1、从 10.200.30.55 ping 172.16.14.1
2、然后反过来，从 172.16.14.1 ping 10.200.30.55
3、看一下上面两个的 traceroute 的结果

lilogo

2020-02-11 17:30:12 +08:00

@izoabr
从 B 上 traceroute A 的情况:
```
root@OpenWrt:~# traceroute 172.16.14.1
traceroute to 172.16.14.1 (172.16.14.1), 30 hops max, 46 byte packets
1 172.16.14.1 (172.16.14.1) 5.077 ms 5.189 ms 4.681 ms
root@OpenWrt:~# traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 46 byte packets
1 192.168.1.1 (192.168.1.1) 0.003 ms !U 0.002 ms !U 0.002 ms !U
root@OpenWrt:~#
```

从 A 上 traceroute B 的情况：
```
root@OpenWrt:~# traceroute 172.16.14.2
traceroute to 172.16.14.2 (172.16.14.2), 30 hops max, 38 byte packets
1 172.16.14.2 (172.16.14.2) 6.088 ms 4.304 ms 4.858 ms
root@OpenWrt:~# traceroute 10.200.30.55
traceroute to 10.200.30.55 (10.200.30.55), 30 hops max, 38 byte packets
1 10.200.30.55 (10.200.30.55) 1.315 ms !U 0.031 ms !U 0.030 ms !U
root@OpenWrt:~#
```

sujin190

2020-02-11 17:55:03 +08:00

sysctl 的 ip_forward 打开了没啊？

hawhaw

2020-02-11 18:05:27 +08:00

1，A 和 B 打开 ip 转发；
2，A 及 A 后端的网络里都要将 B 后端的网络的网段路由指向 A ；
3，B 及 B 后端的网络里要将 A 所在网段地址的路由指向我 B ；
4，关闭 A 和 B 上的防火墙；
此时我，双向就应该已经通了。
5，再打开 B 上防火墙，封掉从 B 网段到 A 网段数据包的转发

lilogo

2020-02-11 19:07:23 +08:00

@sujin190 打开转发是第一步，肯定开了

izoabr

2020-02-11 19:45:22 +08:00

@lilogo #11 从 10.200.30.55 ping 和 trace 172.16.14.1

lilogo

2020-02-11 19:48:34 +08:00

@hawhaw 按照你的步骤 1-4，在执行完第 4 步时依然 ping 不通，步骤如下：

A 节点:
```
root@OpenWrt:~# ip route show
default via 53.3.94.1 dev pppoe-wan proto static
53.3.94.1 dev pppoe-wan proto kernel scope link src 53.3.94.180
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
172.16.14.0/24 dev tun0 proto kernel scope link src 172.16.14.1
root@OpenWrt:~# ip route add 10.200.30.0/24 via 172.16.14.1
root@OpenWrt:~# cat /proc/sys/net/ipv4/ip_forward
1
root@OpenWrt:~# /etc/init.d/firewall stop
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 nat table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
root@OpenWrt:~#
```

B 节点：
```
root@OpenWrt:~# ip route add 192.168.1.0/24 via 172.16.14.2
root@OpenWrt:~# /etc/init.d/firewall stop
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) has no device, network, subnet or extra options
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
root@OpenWrt:~# cat /proc/sys/net/ipv4/ip_forward
1
root@OpenWrt:~#
root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
^C
--- 192.168.1.1 ping statistics ---
15 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~#
```

B 节点 ping A 节点抓包:
```
root@OpenWrt:~# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
11:35:14.283993 IP6 fe80::31ad:504:165b:1666.63363 > ff02::c.1900: UDP, length 146
11:35:16.238521 IP 172.16.14.2 > 192.168.1.1: ICMP echo request, id 26670, seq 0, length 64
11:35:16.238591 IP 192.168.1.1 > 172.16.14.2: ICMP net 192.168.1.1 unreachable - unknown, length 92
11:35:17.238794 IP 172.16.14.2 > 192.168.1.1: ICMP echo request, id 26670, seq 1, length 64
11:35:17.238847 IP 192.168.1.1 > 172.16.14.2: ICMP net 192.168.1.1 unreachable - unknown, length 92
11:35:17.285547 IP6 fe80::31ad:504:165b:1666.63363 > ff02::c.1900: UDP, length 146
11:35:18.238836 IP 172.16.14.2 > 192.168.1.1: ICMP echo request, id 26670, seq 2, length 64
11:35:18.238885 IP 192.168.1.1 > 172.16.14.2: ICMP net 192.168.1.1 unreachable - unknown, length 92
11:35:19.238940 IP 172.16.14.2 > 192.168.1.1: ICMP echo request, id 26670, seq 3, length 64
11:35:19.238995 IP 192.168.1.1 > 172.16.14.2: ICMP net 192.168.1.1 unreachable - unknown, length 92
11:35:20.238975 IP 172.16.14.2 > 192.168.1.1: ICMP echo request, id 26670, seq 4, length 64
```

lilogo

2020-02-11 19:51:53 +08:00

@izoabr 从 10.200.30.55 上面 ping 和 traceroute 如下：
```
root@OpenWrt:~# traceroute 172.16.14.1
traceroute to 172.16.14.1 (172.16.14.1), 30 hops max, 46 byte packets
1 172.16.14.1 (172.16.14.1) 5.377 ms 5.160 ms 4.769 ms
root@OpenWrt:~#
root@OpenWrt:~# ping 172.16.14.1
PING 172.16.14.1 (172.16.14.1): 56 data bytes
64 bytes from 172.16.14.1: seq=0 ttl=64 time=5.329 ms
64 bytes from 172.16.14.1: seq=1 ttl=64 time=5.603 ms
^C
--- 172.16.14.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 5.329/5.466/5.603 ms
root@OpenWrt:~#
```
另外，是否和 17216.14.0/24 这个是 VPN 网段即 tun 设备有关系？