iptables port forwarding and forcing a port onto an interface

DD-WRT is running a VPN client daemon (interface tun1) through which all traffic (with a few exceptions) is routed.

The first exception is that traffic on port 12600 must be routed through vlan2, the regular internet connection, rather than through the VPN. This lets me SSH into the router while I am away.

# Create table 202 via the Gateway Ip on the Interface VLAN2
ip route add default via $(nvram get wan_gateway) dev vlan2 table 202
# Apply the rule on table 202 to packages marked with 22
ip rule add fwmark 22 table 202
# Tag with 22 every output package on port 12600 not coming from any machine in the local network
iptables -t mangle -I OUTPUT -p tcp --sport 12600 -d ! 192.168.1.0/24 -j MARK --set-mark 22

This works like a charm :-)

Now the second problem is forwarding port 16001 to my Raspberry PI (local IP 192.168.1.132) and sending that traffic through vlan2 instead of tun1.

The forwarding part is working:

iptables -t nat -I PREROUTING -p tcp --dport 12601 -j DNAT --to 192.168.1.132:12601
iptables -I FORWARD -i vlan2 -d 192.168.1.132 -p tcp --dport 12601 -j ACCEPT

At this point, if I disable the OpenVPN daemon on the router, the SSH connection to the RPI works fine. The problem is that when the daemon is enabled, the packets reach the RPI through the vlan2 interface as expected, the RPI sends its replies back, and those are routed through tun1, so SSH is impossible.

I tried adding the rule:

iptables -t mangle -I OUTPUT -p tcp -s 192.168.1.132 -j MARK --set-mark 22

But that did not work. No packets are marked by this rule.

Some people mention rp_filter, but all of my filters are set to 0 (I have not modified them, so this must be the DD-WRT default):

root@DD-WRT:~# sysctl -a | grep \\.rp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.imq0.rp_filter = 0
net.ipv4.conf.imq1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.teql0.rp_filter = 0
net.ipv4.conf.tun1.rp_filter = 0
net.ipv4.conf.vlan1.rp_filter = 0
net.ipv4.conf.vlan2.rp_filter = 0

My iptables look like this:

root@DD-WRT:~# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 183 packets, 30508 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   256 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12601 to:192.168.1.132:12601
   53  3644 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:192.168.1.1
    0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 to:192.168.1.1
    0     0 DROP       tcp  --  *      *       192.168.1.1          192.168.1.1         tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:443
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0           !73.93.100.100       tcp dpt:80 to:192.168.1.1:8118
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            73.93.100.100       tcp dpt:8080 to:192.168.1.1:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            73.93.100.100       tcp dpt:12600 to:192.168.1.1:12600
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            73.93.100.100       to:192.168.1.1
  126 21928 TRIGGER    0    --  *      *       0.0.0.0/0            73.93.100.100       TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 11131 packets, 732K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 60 packets, 6022 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 23 packets, 4522 bytes)
 pkts bytes target     prot opt in     out     source               destination
   92  9920 MASQUERADE  0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
    2   120 SNAT       0    --  *      vlan2   192.168.1.0/24       0.0.0.0/0           to:73.93.100.100



root@DD-WRT:~# iptables -vnL -t mangle
Chain PREROUTING (policy ACCEPT 1787 packets, 398K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1787  398K FILTER_IN  0    --  *      *       0.0.0.0/0            0.0.0.0/0
  385  101K VPN_IN     0    --  tun+   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 529K packets, 462M bytes)
 pkts bytes target     prot opt in     out     source               destination
   53  7298 IMQ        0    --  tun+   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
  559  161K IMQ        0    --  vlan2  *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
  293 35826 IMQ        0    --  !vlan2 *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 1

Chain FORWARD (policy ACCEPT 487K packets, 318M bytes)
 pkts bytes target     prot opt in     out     source               destination
  332 94003 IMQ        0    --  tun+   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
   98  5984 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
   39  6701 IMQ        0    --  vlan2  *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
  918  204K IMQ        0    --  !vlan2 !vlan2  0.0.0.0/0            0.0.0.0/0           IMQ: todev 1

Chain OUTPUT (policy ACCEPT 823 packets, 196K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0           !192.168.1.0/24      tcp spt:12600  MARK set 0x16
   21 16378 IMQ        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:8118 IMQ: todev 0
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12601  MARK set 0x16

Chain POSTROUTING (policy ACCEPT 928K packets, 531M bytes)
 pkts bytes target     prot opt in     out     source               destination
  525 89419 VPN_OUT    0    --  *      tun+    0.0.0.0/0            0.0.0.0/0
 1827  412K FILTER_OUT  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DSCP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           DSCP match !0x00 DSCP set 0x00

Chain FILTER_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1787  398K CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
 1413  324K SVQOS_SVCS  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0x7ffc00
 1787  398K CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save
 1787  398K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FILTER_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1827  412K CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
 1488  328K SVQOS_SVCS  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0x7ffc00
 1827  412K VPN_DSCP   0    --  *      *       0.0.0.0/0            0.0.0.0/0
 1827  412K CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save
 1827  412K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SVQOS_SVCS (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2901  653K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VPN_DSCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0           DSCP match 0x0a  MARK xset 0x19000/0x7ffc00
    0     0 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0           DSCP match 0x01  MARK xset 0x2800/0x7ffc00
  126 32463 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0           DSCP match 0x02  MARK xset 0x5000/0x7ffc00
    0     0 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0           DSCP match 0x03  MARK xset 0x7800/0x7ffc00
   77 20422 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0           DSCP match 0x04  MARK xset 0xa000/0x7ffc00
  313 73735 DSCP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           DSCP match !0x00 DSCP set 0x00
 1827  412K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VPN_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
  385  101K CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Chain VPN_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination




root@DD-WRT:~# iptables -vnL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   95 20753 ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0
  864  291K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
  146 12000 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:443
    0     0 logbrute   tcp  --  vlan2  *       0.0.0.0/0            192.168.1.1         tcp dpt:12600
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            192.168.1.1         tcp dpt:12600
    0     0 DROP       icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
    4   293 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  162 27477 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  731  143K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
  544  189K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0
   11   688 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            192.168.1.132       tcp dpt:12601
   86 12596 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  158 37906 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
  156 37786 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     0    --  br0    vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 DROP       udp  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           udp dpt:1701
    0     0 DROP       udp  --  *      vlan2   0.0.0.0/0            0.0.0.0/0           udp dpt:500
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

With tcpdump I can see the inbound traffic to the RPI on port 12601 going through vlan2, but the outbound traffic is routed to tun1:

root@DD-WRT:~# tcpdump -n -i vlan2 port 12601
listening on vlan2, link-type EN10MB (Ethernet), capture size 65535 bytes
20:49:19.983896 IP 208.54.5.222.47184 > 73.93.100.100.12601: Flags [S], seq 1024682508, win 65535, options [mss 1380,nop,wscale 5,nop,nop,TS val 336905559 ecr 0,sackOK,eol], length 0
20:49:21.055561 IP 208.54.5.222.47184 > 73.93.100.100.12601: Flags [S], seq 1024682508, win 65535, options [mss 1380,nop,wscale 5,nop,nop,TS val 336906559 ecr 0,sackOK,eol], length 0
20:49:22.092159 IP 208.54.5.222.47184 > 73.93.100.100.12601: Flags [S], seq 1024682508, win 65535, options [mss 1380,nop,wscale 5,nop,nop,TS val 336907559 ecr 0,sackOK,eol], length 0
20:49:23.055189 IP 208.54.5.222.47184 > 73.93.100.100.12601: Flags [S], seq 1024682508, win 65535, options [mss 1380,nop,wscale 5,nop,nop,TS val 336908559 ecr 0,sackOK,eol], length 0

root@DD-WRT:~# tcpdump -n -i tun1 port 12601
listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
20:49:37.052293 IP 73.93.100.100.12601 > 208.54.5.222.47184: Flags [S.], seq 3536123446, ack 1024682509, win 28960, options [mss 1460,sackOK,TS val 2958399 ecr 336905559,nop,wscale 7], length 0
20:49:38.062308 IP 73.93.100.100.12601 > 208.54.5.222.59028: Flags [S.], seq 2196420762, ack 1024682509, win 28960, options [mss 1460,sackOK,TS val 2958500 ecr 336916559,nop,wscale 7], length 0
20:49:38.995709 IP 73.93.100.100.12601 > 208.54.5.222.41591: Flags [S.], seq 4130650631, ack 1024682509, win 28960, options [mss 1460,sackOK,TS val 2958593 ecr 336924559,nop,wscale 7], length 0

3 packets captured
3 packets received by filter
0 packets dropped by kernel

Answer 1

Got it working. It looks as though iptables changes do not take effect until ip route flush cache, even if that only happens when DD-WRT refreshes. By refresh I mean it restarts all major services after changing some settings and pressing Apply Changes.

For the record: I want to SSH into the Raspberry Pi from an external network. The RPI connects to a DD-WRT router that runs OpenVPN as a client. DD-WRT must forward port 12601 (SSH) to the RPI and prevent the reply packets from being sent through the VPN interface tun1 (the default), since they came in through the internet gateway vlan2.

Here is my firewall script:

# Create a rule to skip the VPN
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache

## SSH to RPI (port 12601)
# First the port forwarding part
iptables -t nat -I PREROUTING -p tcp --dport 12601 -j DNAT --to 192.168.1.132:12601
iptables -I FORWARD -i vlan2 -d 192.168.1.132 -p tcp --dport 12601 -j ACCEPT
# Now mark packages from RPI and source port 12601 with tag 1. The rule above will direct packages marked with 1 through the wan gateway
iptables -t mangle -I PREROUTING -i br0 -p tcp -s 192.168.1.132 --sport 12601 -j MARK --set-mark 1
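As an added example (not the poster's script and not DD-WRT's own code), the mark-and-route setup from the question and the working script from the answer combined into one idempotent shell script. The variable names, the DRY_RUN/APPLY switches and the use of iptables -C (needs iptables 1.4.11 or later) are assumptions; the addresses, ports, table and mark values are the ones used in this thread.

```shell
#!/bin/sh
# Added example: route the replies of a forwarded port via the WAN gateway
# instead of the VPN. DRY_RUN=1 prints the commands for review off the router;
# APPLY=1 (as root on DD-WRT) installs them. Both switches are assumptions.
set -eu

WAN_IF=${WAN_IF:-vlan2}        # plain internet link
LAN_IF=${LAN_IF:-br0}          # LAN bridge the RPI sits on
RPI_IP=${RPI_IP:-192.168.1.132}
SSH_PORT=${SSH_PORT:-12601}
MARK=${MARK:-1}                # fwmark that selects the bypass table
RT_TABLE=${RT_TABLE:-200}      # policy-routing table with the WAN default route
WAN_GW=${WAN_GW:-$(nvram get wan_gateway 2>/dev/null || echo 0.0.0.0)}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Insert an iptables rule only if an identical one is not already present, so
# re-running the script after "Apply Changes" does not stack duplicate rules.
ipt_add() {
  table=$1; shift
  if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
    run iptables -t "$table" -I "$@"
  fi
}

vpn_bypass_rules() {
  # Anything carrying the mark is routed via the WAN gateway, not tun1.
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$RT_TABLE"
  run ip rule del fwmark "$MARK" table "$RT_TABLE" 2>/dev/null || true
  run ip rule add fwmark "$MARK" table "$RT_TABLE"
  # DNAT the inbound SSH connection to the RPI and let it through FORWARD.
  ipt_add nat PREROUTING -i "$WAN_IF" -p tcp --dport "$SSH_PORT" \
    -j DNAT --to-destination "$RPI_IP:$SSH_PORT"
  ipt_add filter FORWARD -i "$WAN_IF" -d "$RPI_IP" -p tcp --dport "$SSH_PORT" -j ACCEPT
  # The RPI's replies are forwarded, not generated by the router, so they never
  # traverse mangle OUTPUT; mark them in PREROUTING as they arrive from the LAN.
  ipt_add mangle PREROUTING -i "$LAN_IF" -p tcp -s "$RPI_IP" --sport "$SSH_PORT" \
    -j MARK --set-mark "$MARK"
  # Policy-routing changes are not honoured until the route cache is flushed.
  run ip route flush cache
}

if [ "${DRY_RUN:-0}" = 1 ] || [ "${APPLY:-0}" = 1 ]; then vpn_bypass_rules; fi
```

Unlike the answer's script this does not flush mangle PREROUTING, which would also remove the FILTER_IN and VPN_IN jumps that DD-WRT installs there (visible in the question's mangle listing), and it inserts its own rules with -I so they are evaluated first.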
