문제가 발생했고 가능하다면 도움을 받고 싶습니다. :-) 제 목표는 VM을 VPN을 통해 연결하고 호스트를 표준 게이트웨이를 통해 연결하는 것입니다.
구성: VM(192.168.100.1) => HOST-TAP0(192.168.100.254) => VPN-TUN0(10.8.0.62) => VPN-TUNX(10.8.0.61)
이것은 내 iptables 구성입니다.
# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
3 297 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
5 1491 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 144 DROP all -- * * 0.0.0.0/0 192.168.19.255
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.1
1 32 DROP all -- * * 0.0.0.0/0 224.0.0.251
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:138 dpt:138
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "INPUT-DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tap0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tap0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FORWARD-DROP "
Chain OUTPUT (policy ACCEPT 5 packets, 277 bytes)
pkts bytes target prot opt in out source destination
# iptables -L -n -v -tnat
Chain PREROUTING (policy ACCEPT 66 packets, 9746 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 330 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 5 packets, 330 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.100.1 0.0.0.0/0
# iptables -L -n -v -tmangle
Chain PREROUTING (policy ACCEPT 305 packets, 48293 bytes)
pkts bytes target prot opt in out source destination
3 183 MARK all -- * * 192.168.100.1 !192.168.0.0/16 MARK set 0x33
Chain INPUT (policy ACCEPT 297 packets, 47445 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 3 packets, 183 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 235 packets, 24805 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 238 packets, 24988 bytes)
pkts bytes target prot opt in out source destination
내 IP 규칙은 다음과 같습니다.
# ip rule
0: from all lookup local
32764: from all fwmark 0x33 lookup ks
32766: from all lookup main
32767: from all lookup default
내 IP 라우팅은 다음과 같습니다.
# ip route
default via 192.168.19.254 dev eno1 metric 202
10.8.0.0/16 dev tun0 scope link
10.8.0.61 dev tun0 proto kernel scope link src 10.8.0.62
127.0.0.0/8 dev lo scope host
127.0.0.0/8 via 127.0.0.1 dev lo
169.254.0.0/16 dev tap0 proto kernel scope link src 169.254.55.59 metric 204
192.168.19.0/24 dev eno1 proto kernel scope link src 192.168.19.126 metric 202
192.168.100.0/24 dev tap0 proto kernel scope link src 192.168.100.254
# ip route show table ks
default via 10.8.0.61 dev tun0
10.8.0.0/16 dev tun0 scope link
192.168.100.0/24 dev tap0 scope link
ip_forward가 활성화되었습니다:
# cat /proc/sys/net/ipv4/ip_forward
1
conntrack은 커널로 컴파일됩니다.
# grep -i conntrack .config
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
tap0의 tcpdump(가상 머신에 연결됨):
# tcpdump -n -i tap0 host 216.58.208.206
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:23:13.295621 IP 192.168.100.1.1165 > 216.58.208.206.80: Flags [S], seq 1720703916, win 16384, options [mss 1460,nop,nop,sackOK], length 0
18:23:16.188006 IP 192.168.100.1.1165 > 216.58.208.206.80: Flags [S], seq 1720703916, win 16384, options [mss 1460,nop,nop,sackOK], length 0
및 tun0의 tcpdump(VPN 인터페이스):
# tcpdump -n -i tun0 host 216.58.208.206
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
18:24:02.943753 IP 10.8.0.62.1166 > 216.58.208.206.80: Flags [S], seq 2743155711, win 16384, options [mss 1460,nop,nop,sackOK], length 0
18:24:02.957965 IP 216.58.208.206.80 > 10.8.0.62.1166: Flags [S.], seq 1382398319, ack 2743155712, win 42900, options [mss 1368,nop,nop,sackOK], length 0
18:24:03.433187 IP 216.58.208.206.80 > 10.8.0.62.1166: Flags [S.], seq 1382398319, ack 2743155712, win 42900, options [mss 1368,nop,nop,sackOK], length 0
18:24:05.438445 IP 216.58.208.206.80 > 10.8.0.62.1166: Flags [S.], seq 1382398319, ack 2743155712, win 42900, options [mss 1368,nop,nop,sackOK], length 0
트래픽이 VPN을 통해 다시 돌아오는 것 같지만 VM의 tap0으로 전달되지 않는 것 같아서 뭔가 빠진 것 같습니다.
도움이 필요하세요? 매우 감사합니다! 넬슨