Asking the experts about an iptables NAT setup where packets can only go out but not come in

wineway · 2022-01-10 19:01:24 +08:00 · 396 clicks

    I am following this wiki, https://wiki.archlinux.org/title/Internet_sharing_(%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87), to set up internet sharing.

    The PPPoE connection on the wired NIC eno2 is shared through a hotspot on the wireless NIC wlo1 for other devices to use.

    After configuration, iptables looks like this:

    # Generated by iptables-save v1.8.7 on Mon Jan 10 10:52:41 2022
    *mangle
    :PREROUTING ACCEPT [15903:1059519]
    :INPUT ACCEPT [9115:599605]
    :FORWARD ACCEPT [6441:411864]
    :OUTPUT ACCEPT [7046:953276]
    :POSTROUTING ACCEPT [13487:1365140]
    -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    COMMIT
    # Completed on Mon Jan 10 10:52:41 2022
    # Generated by iptables-save v1.8.7 on Mon Jan 10 10:52:41 2022
    *nat
    :PREROUTING ACCEPT [4922:292549]
    :INPUT ACCEPT [3729:190171]
    :OUTPUT ACCEPT [728:55863]
    :POSTROUTING ACCEPT [1574:110191]
    -A POSTROUTING -o eno2 -j MASQUERADE
    COMMIT
    # Completed on Mon Jan 10 10:52:41 2022
    # Generated by iptables-save v1.8.7 on Mon Jan 10 10:52:41 2022
    *filter
    :INPUT ACCEPT [1131:72435]
    :FORWARD ACCEPT [1325:84720]
    :OUTPUT ACCEPT [891:99934]
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eno2 -o wlo1 -j ACCEPT
    COMMIT
    # Completed on Mon Jan 10 10:52:41 2022
    

    Then, after a client connects, I capture packets on the wireless NIC:

    10:26:19.251788 IP localhost.60341 > 17.248.165.45.https: Flags [SEW], seq 3777170305, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2659359174 ecr 0,sackOK,eol], length 0
    10:26:19.483318 IP localhost.60335 > 17.188.182.132.https: Flags [S], seq 2340663921, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1650620106 ecr 0,sackOK,eol], length 0
    10:26:19.501651 IP localhost.60334 > 17.248.165.18.https: Flags [S], seq 3239738140, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 560181688 ecr 0,sackOK,eol], length 0
    10:26:19.503940 IP localhost.60331 > 17.248.165.4.https: Flags [S], seq 808423480, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1329634627 ecr 0,sackOK,eol], length 0
    10:26:19.504796 IP localhost.60342 > 17.188.182.68.https: Flags [SEW], seq 2107145060, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 407501337 ecr 0,sackOK,eol], length 0
    10:26:19.739509 IP localhost.60336 > 17.248.170.138.https: Flags [S], seq 2652166369, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 278083628 ecr 0,sackOK,eol], length 0
    10:26:19.740028 IP localhost.60337 > 17.188.182.4.https: Flags [S], seq 771367321, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1158407063 ecr 0,sackOK,eol], length 0
    10:26:19.937013 IP localhost.60332 > 17.248.165.47.https: Flags [S], seq 974617882, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2953579632 ecr 0,sackOK,eol], length 0
    10:26:19.939985 IP localhost.60332 > 17.248.165.47.https: Flags [S], seq 974617882, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2953579632 ecr 0,sackOK,eol], length 0
    10:26:19.992149 IP localhost.60338 > 17.188.183.4.https: Flags [S], seq 4141085989, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3914467971 ecr 0,sackOK,eol], length 0
    10:26:19.993428 IP localhost.60339 > 17.248.165.10.https: Flags [S], seq 3596363636, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3577910077 ecr 0,sackOK,eol], length 0
    10:26:19.994584 IP localhost.60329 > 17.248.165.14.https: Flags [S], seq 571160726, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3768716701 ecr 0,sackOK,eol], length 0
    10:26:20.244249 IP localhost.60333 > 17.248.165.6.https: Flags [S], seq 1826949672, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1021036598 ecr 0,sackOK,eol], length 0
    10:26:20.250559 IP localhost.60340 > 17.188.182.196.https: Flags [S], seq 322168669, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3253873762 ecr 0,sackOK,eol], length 0
    10:26:20.280508 IP localhost.60341 > 17.248.165.45.https: Flags [S], seq 3777170305, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2659360180 ecr 0,sackOK,eol], length 0
    10:26:20.284157 IP localhost.60330 > 17.248.165.134.https: Flags [S], seq 3507111415, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4276677295 ecr 0,sackOK,eol], length 0
    10:26:20.504139 IP localhost.60335 > 17.188.182.132.https: Flags [S], seq 2340663921, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1650621111 ecr 0,sackOK,eol], length 0
    

    It is all SYN packets with no ACKs; it looks like traffic can only go out but not come back in. Could the experts tell me where my iptables setup went wrong?

    Addendum 1  ·  2022-01-10 19:38:12 +08:00
    Problem solved...
    I picked the wrong NIC: changing internet0 in the connection from eno2 to ppp0 fixed it.
    No replies yet
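As an added example (not from the original post or the Arch wiki), here is a Python check for the misconfiguration the addendum describes: it parses an iptables-save dump together with the default route and flags WAN-role rules (MASQUERADE, TCPMSS) whose -o interface is not the one the default route actually uses. The dump is taken from the post; the `ip route` line is constructed as a PPPoE uplink would show it.

```python
import re

# Constructed sample: the -A lines of the post's iptables-save dump, plus an
# assumed "ip route" default line for a PPPoE uplink (not from the post).
IPTABLES_SAVE = """\
*mangle
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
-A POSTROUTING -o eno2 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eno2 -o wlo1 -j ACCEPT
COMMIT
"""
IP_ROUTE = "default dev ppp0 scope link\n"  # constructed PPPoE default route


def parse_rules(dump):
    """Return (table, rule) pairs for every -A line in an iptables-save dump."""
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, line))
    return rules


def default_iface(route_output):
    """Interface of the default route, i.e. where forwarded packets really leave."""
    m = re.search(r"^default\b.*?\bdev (\S+)", route_output, re.M)
    return m.group(1) if m else None


def check_wan_rules(dump, route_output):
    """Flag MASQUERADE/TCPMSS rules bound to an -o interface other than the
    default-route interface. With PPPoE the uplink is ppp0, not the Ethernet
    port it runs over, so a rule on the port never matches outgoing traffic and
    replies come back addressed to the client's private IP (SYNs, no SYN-ACKs)."""
    wan = default_iface(route_output)
    findings = []
    for table, rule in parse_rules(dump):
        target = re.search(r"-j (\S+)", rule)
        out = re.search(r"-o (\S+)", rule)
        if not (target and out) or target.group(1) not in ("MASQUERADE", "TCPMSS"):
            continue
        if out.group(1) != wan:
            findings.append(f"{table}: {target.group(1)} bound to -o {out.group(1)}, "
                            f"but the default route leaves via {wan}")
    return findings


if __name__ == "__main__":
    for finding in check_wan_rules(IPTABLES_SAVE, IP_ROUTE):
        print(finding)
```

Against the post's dump this reports only the nat MASQUERADE rule; the mangle TCPMSS rule already names ppp0, which is the hint that the two rules disagree about the uplink.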