Network namespace broken after openvpn exits

I did this:

ip netns add vpn
ip netns exec vpn ip addr add 127.0.0.1/8 dev lo     
ip netns exec vpn ip link set lo up
ip link add vpn0 type veth peer name vpn1
ip link set vpn0 up
ip link set vpn1 netns vpn up     
ip addr add 10.200.200.1/24 dev vpn0
ip netns exec vpn ip addr add 10.200.200.2/24 dev vpn1
ip netns exec vpn ip route add default via 10.200.200.1 dev vpn1
iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
sysctl -q net.ipv4.ip_forward=1
ip netns exec vpn ping www.google.com 

It worked. Then I ran ip netns exec vpn sudo openvpn, and after it exited I could not get it working again. Ping no longer works, and neither does pinging an IP address. Running ip netns delete vpn and redoing the commands does not help.

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 22:cc:d1:f6:35:2b brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether f0:de:f1:f7:2c:4a brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.29/24 brd 192.168.0.255 scope global dynamic eth0
       valid_lft 73102sec preferred_lft 73102sec
8: vpn0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1e:5e:d3:e5:db:22 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.200.200.1/24 scope global vpn0
       valid_lft forever preferred_lft forever    

# ip route show
default via 192.168.0.1 dev eth0 proto static metric 100 
10.200.200.0/24 dev vpn0 proto kernel scope link src 10.200.200.1 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.29 metric 100 

# iptables-save 
# Generated by iptables-save v1.6.1 on Tue Dec 19 12:49:08 2017
*nat
:PREROUTING ACCEPT [117:18442]
:INPUT ACCEPT [83:15245]
:OUTPUT ACCEPT [6361:448220]
:POSTROUTING ACCEPT [6369:448969]
-A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
COMMIT
# Completed on Tue Dec 19 12:49:08 2017
# Generated by iptables-save v1.6.1 on Tue Dec 19 12:49:08 2017
*filter
:INPUT ACCEPT [417285:494013961]
:FORWARD ACCEPT [100347:95403730]
:OUTPUT ACCEPT [306295:38038441]
-A INPUT -s 10.200.200.0/24 ! -i vpn0 -j DROP
COMMIT
# Completed on Tue Dec 19 12:49:08 2017

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

# ip netns exec vpn ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2030ms

Answer 1

The MASQUERADE rule only applies to outgoing traffic on wlan0, which is not in use. Don't you need to apply a similar rule to eth0?

ip netns delete does not remove the namespace while other references to it remain, so the veth pair persists and some commands fail with errors.
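The mismatch the answer points at (a MASQUERADE rule written for wl+ while the default route runs over eth0) is easy to miss by eye, because the filter rule, forwarding and the veth pair all look fine. The script below is an added example, not code from the question or the answer: it parses `ip route show` and `iptables-save` text, expands the iptables trailing-plus wildcard (a prefix match, so `wl+` covers `wlan0` but not `eth0`), and reports whether any POSTROUTING MASQUERADE rule covers the interface carrying the default route. The sample outputs are constructed to mirror the question; on a live host you would feed it `$(ip route show)` and `$(iptables-save -t nat)` instead.

```bash
#!/bin/sh
# Added example: does a MASQUERADE rule's out-interface pattern cover the
# interface that actually carries the default route? Sample inputs below are
# constructed to mirror the outputs shown in the question.

# Print the device of the default route from `ip route show` text on stdin.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the -o pattern of every POSTROUTING MASQUERADE rule in iptables-save text on stdin.
masquerade_out_patterns() {
    awk '/^-A POSTROUTING/ && /-j MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-o") print $(i+1) }'
}

# Return 0 if an iptables interface pattern matches a device name.
# A trailing "+" in iptables is a prefix wildcard: "wl+" matches wlan0, wlp2s0, ...
iface_matches() {
    im_dev=$1
    im_pat=$2
    case $im_pat in
        *+) im_prefix=${im_pat%+}
            case $im_dev in
                "$im_prefix"*) return 0 ;;
                *)             return 1 ;;
            esac ;;
        *)  [ "$im_dev" = "$im_pat" ] ;;
    esac
}

# Print a verdict; return 0 if some MASQUERADE rule covers the default-route device,
# 1 if none does, 2 if no default route was found.
check_masquerade() {
    route_text=$1
    nat_text=$2
    dev=$(printf '%s\n' "$route_text" | default_route_dev)
    [ -n "$dev" ] || { echo "no default route found"; return 2; }
    for pat in $(printf '%s\n' "$nat_text" | masquerade_out_patterns); do
        if iface_matches "$dev" "$pat"; then
            echo "OK: MASQUERADE -o $pat covers default route via $dev"
            return 0
        fi
    done
    echo "MISMATCH: default route uses $dev but no MASQUERADE rule matches it"
    return 1
}

# Constructed sample: route table and nat rules as shown in the question.
ROUTE_SAMPLE='default via 192.168.0.1 dev eth0 proto static metric 100
10.200.200.0/24 dev vpn0 proto kernel scope link src 10.200.200.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.29 metric 100'

NAT_BROKEN='*nat
-A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
COMMIT'

# Constructed sample: the same ruleset with a rule for eth0 added.
NAT_FIXED='*nat
-A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
-A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE
COMMIT'

check_masquerade "$ROUTE_SAMPLE" "$NAT_BROKEN" || true
check_masquerade "$ROUTE_SAMPLE" "$NAT_FIXED"
```

The first call reports the mismatch from the question; the second passes once an eth0 rule exists. Because the check keys on the default route rather than on a hard-coded interface name, it also catches the opposite drift (rules written for eth0 after the host moves to Wi-Fi).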
