Using a VPN client as a VPN gateway

I want host 1 to use host 2 as its gateway to the remote host 3. I found a solution online, but it does not seem to work for me. The VPN client software is ike (ShrewSoft VPN), which is the most important part.

------ local network -------
host 1 - eth0 - 192.168.0.20 (hostname: fred)
host 2 - eth0 - 192.168.0.95 (hostname: toronto)
         tap0 - 172.16.1.20  (VPN tunnel)

----- remote network -------
host 3 - eth0 - 10.1.28.200


[root(tip)@fred ~]# ip route; echo; ip addr;
10.1.28.200 via 192.168.0.95 dev eth0
172.16.0.0/24 via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.20
169.254.0.0/16 dev eth0  scope link
default via 192.168.0.254 dev eth0

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether e0:69:95:c3:32:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::e269:95ff:fec3:325b/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0


[root(prod1)@toronto ~]# ip route
149.135.71.84 via 192.168.0.254 dev eth0  proto static
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.95
169.254.0.0/16 dev eth0  scope link  metric 1002
default via 172.16.1.5 dev tap0  proto static
default via 192.168.0.254 dev eth0


[root(prod1)@toronto ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b7:c5:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.95/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::20c:29ff:feb7:c5ce/64 scope link
       valid_lft forever preferred_lft forever
8: tap0: <BROADCAST,UP,LOWER_UP> mtu 1380 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 62:6b:37:53:c2:fb brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.5/32 brd 172.16.1.5 scope global tap0
    inet6 fe80::606b:37ff:fe53:c2fb/64 scope link
       valid_lft forever preferred_lft forever


[root(prod1)@toronto ~]# iptables -vnL
Chain INPUT (policy ACCEPT 67983 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2032 packets, 90240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tap0   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   tap0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 52284 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination


[root(prod1)@toronto ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1099 packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 511 packets, 30765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tap0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 510 packets, 30705 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root(prod1)@toronto ~]#

Edit: I also want to mention that I have enabled packet forwarding in Linux.

echo 1 > /proc/sys/net/ipv4/ip_forward

Update 2: I realised I was typing tap0 when it was tap0. I changed it as shown above. Now I can see in `iptables -t nat -vnL` that packets are passing through, and `tcpdump` shows all the packets, but `tcpdump` does not show the packets coming back. I thought MASQUERADE did SNAT/DNAT automatically?
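The question boils down to four things that have to line up on a Linux host acting as a forwarding gateway: the LAN host must route the remote address at the gateway, `ip_forward` must be on, the FORWARD chain must accept LAN-to-tunnel traffic and the RELATED/ESTABLISHED replies, and POSTROUTING must MASQUERADE out the tunnel interface. The script below is an added example, not part of the question or of the ShrewSoft client; it parses captured `ip route` and `iptables -vnL` text offline and reports which of those pieces are present, and also whether each rule's packet counter is still zero (a rule that looks right but has never matched is the first thing to look at). The sample captures are transcribed from the outputs in the question; the interface names (`eth0`, `tap0`), the remote address and the gateway IP are passed in as parameters and are assumptions taken from the question.

```python
import re

# Sample captures, constructed from the question's output for this example.
HOST1_ROUTES = """\
10.1.28.200 via 192.168.0.95 dev eth0
172.16.0.0/24 via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.20
default via 192.168.0.254 dev eth0
"""

GATEWAY_FILTER = """\
Chain INPUT (policy ACCEPT 67983 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2032 packets, 90240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tap0   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   tap0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 52284 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

GATEWAY_NAT = """\
Chain PREROUTING (policy ACCEPT 1099 packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 511 packets, 30765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tap0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 510 packets, 30705 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")
# Columns of `iptables -vnL`: pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def parse_iptables(text):
    """Parse `iptables -vnL` output into {chain: {"policy", "policy_pkts", "rules": [dict]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "policy_pkts": int(m.group(3)), "rules": []}
            continue
        m = RULE_RE.match(line)
        if current and m:  # the " pkts bytes ..." header does not start with a digit, so it is skipped
            rule = m.groupdict()
            rule["pkts"] = int(rule["pkts"])
            rule["extra"] = rule["extra"].strip()
            chains[current]["rules"].append(rule)
    return chains


def find_rule(chain, target, in_if, out_if):
    """First rule in a parsed chain with the given target and in/out interfaces, else None."""
    for r in chain["rules"]:
        if r["target"] == target and r["in"] == in_if and r["out"] == out_if:
            return r
    return None


def next_hop(routes_text, destination):
    """Gateway address of the `ip route` entry whose destination matches exactly, else None."""
    for line in routes_text.splitlines():
        parts = line.split()
        if parts and parts[0] == destination and "via" in parts:
            return parts[parts.index("via") + 1]
    return None


def check_gateway(host1_routes, filter_text, nat_text, *, lan_if, vpn_if, remote, gw_ip, ip_forward):
    """Return {check_name: passed}. The *_hit checks use the packet counters: a rule with
    0 packets exists but has never matched anything."""
    filt, nat = parse_iptables(filter_text), parse_iptables(nat_text)
    fwd = filt.get("FORWARD", {"rules": []})
    post = nat.get("POSTROUTING", {"rules": []})
    outbound = find_rule(fwd, "ACCEPT", lan_if, vpn_if)
    inbound = find_rule(fwd, "ACCEPT", vpn_if, lan_if)
    masq = find_rule(post, "MASQUERADE", "*", vpn_if)
    return {
        "ip_forward_enabled": ip_forward.strip() == "1",
        "host1_routes_remote_via_gateway": next_hop(host1_routes, remote) == gw_ip,
        "forward_lan_to_vpn": outbound is not None,
        "forward_vpn_to_lan_established": inbound is not None and "RELATED,ESTABLISHED" in inbound["extra"],
        "masquerade_out_vpn": masq is not None,
        "forward_rules_hit": outbound is not None and inbound is not None
                             and outbound["pkts"] > 0 and inbound["pkts"] > 0,
        "masquerade_hit": masq is not None and masq["pkts"] > 0,
    }


if __name__ == "__main__":
    result = check_gateway(HOST1_ROUTES, GATEWAY_FILTER, GATEWAY_NAT, lan_if="eth0", vpn_if="tap0",
                           remote="10.1.28.200", gw_ip="192.168.0.95",
                           ip_forward="1")  # value of /proc/sys/net/ipv4/ip_forward
    for name, ok in result.items():
        print(("OK " if ok else "NO ") + name)
```

Run against the captures from the question, every structural check passes while both `*_hit` checks fail, because all three rules still show 0 packets even though the FORWARD policy counter has seen 2032 packets. To use it on a live box, replace the three sample strings with the output of `ip route` on host 1 and of `iptables -vnL` / `iptables -t nat -vnL` on the gateway, and pass `ip_forward=open("/proc/sys/net/ipv4/ip_forward").read()`. One design note: the checker only looks for the rules the question uses; with a FORWARD policy of ACCEPT those rules restrict nothing, so a production gateway would normally set the policy to DROP and limit the LAN-to-tunnel rule to the LAN subnet as its source.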
