tcpdump에 따르면 VPN 클라이언트의 초기 패킷은 소스 주소가 변환되어 대상으로 전송되고 응답 패킷이 도착하지만 해당 응답 패킷은 손실됩니다. 이렇게까지 했는데 firewall-cmd --set-log-denied=all로그 메시지도 없이 패킷이 손실되었습니다.
이전에는 방화벽 없이 CentOS7에 OpenVPN 서버가 있었고 다음과 같이 클라이언트에 대한 인터넷 액세스를 활성화했습니다.
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# localhost:~ # iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 10 packets, 751 bytes)
pkts bytes target prot opt in out source destination
3 180 MASQUERADE all -- * eth0 10.8.1.0/24 0.0.0.0/0
OpenSUSE Tumbleweed로 마이그레이션한 후 Firewalld를 사용하여 동일한 구성을 시도하는 데 4시간이 걸렸지만 포기하고 Firewalld를 중지하고 동일한 iptables 명령을 시도했지만 여전히 작동하지 않았습니다. 응답 패킷이 자동으로 삭제되었습니다.
10.8.1.1 tun0 # VPN server
172.31.1.100 eth0 # WAN
_
localhost:~ # systemctl stop firewalld
localhost:~ # nft list ruleset
localhost:~ # iptables -t nat -I POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
localhost:~ # nft list ruleset
localhost:~ # iptables-save
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*mangle
:PREROUTING ACCEPT [8078:12476730]
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
:POSTROUTING ACCEPT [7553:1620216]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*raw
:PREROUTING ACCEPT [8078:12476730]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*security
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*filter
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
클라이언트가 SMTP에 연결을 시도합니다.
localhost:~ # tcpdump -nn -i any "port 465 or icmp"
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
02:41:25.326501 tun0 In IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758001736 ecr 0,nop,wscale 7], length 0
02:41:25.326590 eth0 Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758001736 ecr 0,nop,wscale 7], length 0
02:41:25.363047 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105615202 ecr 1758001736,nop,wscale 8], length 0
02:41:26.280346 tun0 In IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758002755 ecr 0,nop,wscale 7], length 0
02:41:26.280400 eth0 Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758002755 ecr 0,nop,wscale 7], length 0
02:41:26.316940 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105616156 ecr 1758001736,nop,wscale 8], length 0
02:41:27.331029 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105617170 ecr 1758001736,nop,wscale 8], length 0
02:41:28.306349 tun0 In IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758004782 ecr 0,nop,wscale 7], length 0
02:41:28.306380 eth0 Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758004782 ecr 0,nop,wscale 7], length 0
02:41:28.342862 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105618182 ecr 1758001736,nop,wscale 8], length 0
02:41:30.403068 eth0 In IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105620242 ecr 1758001736,nop,wscale 8], length 0
^C
11 packets captured
13 packets received by filter
0 packets dropped by kernel
답변1
그래서 재부팅하기로 결정했지만 재부팅하기 전에 런타임 커널 매개변수를 파일에 덤프하고 설정을 반복했는데 iptables/sysctl이번에는 제대로 작동했습니다!
sysctl 출력을 비교해보니 1임에도 net.ipv4.conf.eth0.forwarding불구하고 0이라는 것을 발견했습니다. net.ipv4.ip_forward개별 네트워크 카드에 대해 전달을 활성화하거나 비활성화할 수 있다는 것을 몰랐습니다. firewall-cmd런타임 커널 매개변수에 잘못된 값이 설정된 것 같 으며 firewall-cmd어떤 이유로 복원할 수 없습니다.