Routing virtual machine traffic only through the VPN

I've run into a problem and would like some help if possible. :-) My goal is for the VM to connect through the VPN while the host connects through the standard gateway.

Setup: VM(192.168.100.1) => HOST-TAP0(192.168.100.254) => VPN-TUN0(10.8.0.62) => VPN-TUNX(10.8.0.61)

Here is my iptables configuration:

# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    3   297 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    5  1491 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2   144 DROP       all  --  *      *       0.0.0.0/0            192.168.19.255      
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255     
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.1           
    1    32 DROP       all  --  *      *       0.0.0.0/0            224.0.0.251         
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:138 dpt:138
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT-DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FORWARD-DROP "

Chain OUTPUT (policy ACCEPT 5 packets, 277 bytes)
 pkts bytes target     prot opt in     out     source               destination         


# iptables -L -n -v -tnat
Chain PREROUTING (policy ACCEPT 66 packets, 9746 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 330 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 5 packets, 330 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       192.168.100.1        0.0.0.0/0           


# iptables -L -n -v -tmangle
Chain PREROUTING (policy ACCEPT 305 packets, 48293 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   183 MARK       all  --  *      *       192.168.100.1       !192.168.0.0/16       MARK set 0x33

Chain INPUT (policy ACCEPT 297 packets, 47445 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 3 packets, 183 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 235 packets, 24805 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 238 packets, 24988 bytes)
 pkts bytes target     prot opt in     out     source               destination    

Here are my IP rules:

# ip rule
0:      from all lookup local 
32764:  from all fwmark 0x33 lookup ks 
32766:  from all lookup main 
32767:  from all lookup default 

Here is my IP routing:

# ip route 
default via 192.168.19.254 dev eno1  metric 202 
10.8.0.0/16 dev tun0  scope link 
10.8.0.61 dev tun0  proto kernel  scope link  src 10.8.0.62 
127.0.0.0/8 dev lo  scope host 
127.0.0.0/8 via 127.0.0.1 dev lo 
169.254.0.0/16 dev tap0  proto kernel  scope link  src 169.254.55.59  metric 204 
192.168.19.0/24 dev eno1  proto kernel  scope link  src 192.168.19.126  metric 202 
192.168.100.0/24 dev tap0  proto kernel  scope link  src 192.168.100.254 


# ip route show table ks
default via 10.8.0.61 dev tun0 
10.8.0.0/16 dev tun0  scope link 
192.168.100.0/24 dev tap0  scope link 

ip_forward is enabled:

# cat /proc/sys/net/ipv4/ip_forward
1

conntrack is compiled into the kernel:

# grep -i conntrack .config
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y

tcpdump on tap0 (the interface the virtual machine is attached to):

# tcpdump -n -i tap0 host 216.58.208.206
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes

18:23:13.295621 IP 192.168.100.1.1165 > 216.58.208.206.80: Flags [S], seq 1720703916, win 16384, options [mss 1460,nop,nop,sackOK], length 0
18:23:16.188006 IP 192.168.100.1.1165 > 216.58.208.206.80: Flags [S], seq 1720703916, win 16384, options [mss 1460,nop,nop,sackOK], length 0

and tcpdump on tun0 (the VPN interface):

# tcpdump -n -i tun0 host 216.58.208.206
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
18:24:02.943753 IP 10.8.0.62.1166 > 216.58.208.206.80: Flags [S], seq 2743155711, win 16384, options [mss 1460,nop,nop,sackOK], length 0
18:24:02.957965 IP 216.58.208.206.80 > 10.8.0.62.1166: Flags [S.], seq 1382398319, ack 2743155712, win 42900, options [mss 1368,nop,nop,sackOK], length 0
18:24:03.433187 IP 216.58.208.206.80 > 10.8.0.62.1166: Flags [S.], seq 1382398319, ack 2743155712, win 42900, options [mss 1368,nop,nop,sackOK], length 0
18:24:05.438445 IP 216.58.208.206.80 > 10.8.0.62.1166: Flags [S.], seq 1382398319, ack 2743155712, win 42900, options [mss 1368,nop,nop,sackOK], length 0

It looks like the traffic does come back through the VPN but is not forwarded to the VM's tap0, so I must be missing something.

Can anyone help? Many thanks! Nelson
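As an added example (not the poster's script): the same fwmark/table setup reproduced as an idempotent shell script, with two things a practitioner would want on top of it: forwarding restricted to tap0 -> tun0 so the VM cannot fall back to eno1 when the VPN is down, and a check for strict reverse-path filtering, a common reason a reply that is visible on tun0 never reaches tap0. The interface names, table `ks`, mark `0x33`, addresses and the probe host come from the post; the `rpf_*` helpers and the `apply`/`check` subcommands are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the post's policy routing
# (mark 0x33 -> table "ks" -> tun0) idempotently, restricts forwarding to tap0 -> tun0,
# and checks for strict reverse-path filtering: with rp_filter=1 the kernel validates
# a reply entering on tun0 against the main table, where its source is reachable
# via eno1, and drops it before FORWARD ever sees it (matches the post's symptom).
set -eu

VM_IP=192.168.100.1; VM_NET=192.168.100.0/24; VPN_GW=10.8.0.61
TABLE=ks; MARK=0x33; PROBE=216.58.208.206   # PROBE: the web server from the post's tcpdump

# Effective rp_filter mode is the larger of conf/all and conf/<iface> (0 off, 1 strict, 2 loose).
rpf_effective() { if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi; }
# Exit 0 when that effective mode is strict, i.e. asymmetric return traffic gets dropped.
rpf_would_drop() { [ "$(rpf_effective "$1" "$2")" -eq 1 ]; }

apply_policy_routing() {
    grep -q "[[:space:]]$TABLE\$" /etc/iproute2/rt_tables || echo "33 $TABLE" >> /etc/iproute2/rt_tables
    ip rule show | grep -q "fwmark $MARK lookup $TABLE" || ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route replace default via "$VPN_GW" dev tun0 table "$TABLE"
    ip route replace "$VM_NET" dev tap0 table "$TABLE"
    iptables -t mangle -C PREROUTING -s "$VM_IP" ! -d 192.168.0.0/16 -j MARK --set-mark "$MARK" 2>/dev/null ||
        iptables -t mangle -A PREROUTING -s "$VM_IP" ! -d 192.168.0.0/16 -j MARK --set-mark "$MARK"
    # NAT only on tun0 and forward only tap0 -> tun0: if the VPN drops, table "ks" loses its
    # default route and the lookup falls through to main (eno1); these rules stop that leak.
    iptables -t nat -C POSTROUTING -s "$VM_IP" -o tun0 -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$VM_IP" -o tun0 -j MASQUERADE
    iptables -D FORWARD -i tap0 -j ACCEPT 2>/dev/null || true   # the post's blanket accept rule
    iptables -C FORWARD -i tap0 -o tun0 -j ACCEPT 2>/dev/null || iptables -I FORWARD 2 -i tap0 -o tun0 -j ACCEPT
}

check_return_path() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter); tun=$(cat /proc/sys/net/ipv4/conf/tun0/rp_filter)
    echo "forward path of a marked VM packet:"; ip route get "$PROBE" from "$VM_IP" iif tap0 mark "$MARK"
    echo "route used to validate an unmarked reply from $PROBE (strict mode requires dev tun0):"
    ip route get "$PROBE"
    nstat -az TcpExtIPReversePathFilter          # increments for every packet rp_filter drops
    if rpf_would_drop "$all" "$tun"; then
        echo "strict rp_filter on tun0: sysctl -w net.ipv4.conf.tun0.rp_filter=2 (loose)"
    fi
}

case "${1:-}" in apply) apply_policy_routing ;; check) check_return_path ;; esac
```

Run as root with `check` first to see the forward and reverse routes and the rp_filter drop counter, then `apply` to install the routing and firewall rules.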
