How do I route server_A's internet traffic through server_B using a GRE tunnel?

soc*_*lly 5 route iptables gre

I have two Linux servers. I want to use a GRE tunnel to route all internet traffic from ClientBox through the tunnel to GatewayBox, so that to the rest of the internet my ClientBox looks like GatewayBox, and I can use GatewayBox's external IP for all of ClientBox's internet use. I already have a GRE tunnel set up between them (a proxy doesn't meet my particular needs).

My GRE tunnel works! I can ping both ends.

Now I need to configure GatewayBox to actually route these incoming connections from ClientBox out to the internet and back to ClientBox. So I ran the following script:

#! /bin/bash

IPTABLES=/sbin/iptables

WANIF='ens3' # servers from this company use ens3 instead of eth0, it seems
LANIF='gre1' # both boxes have the gre tunnel set up as gre1

# enable ip forwarding in the kernel
echo 'Enabling Kernel IP forwarding...'
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
echo 'Flushing rules and deleting existing chains...'
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
echo 'Enabling IP Masquerading and other rules...'
$IPTABLES -t nat -A POSTROUTING -o $LANIF -j MASQUERADE
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -j ACCEPT

echo 'Done.'

Then on ClientBox I ran:

$ curl whatismyip.com --interface gre1 

I can see the FORWARD and POSTROUTING packet counters on GatewayBox increasing. But curl on ClientBox never gets a response and eventually times out.

So either the traffic isn't being routed back between the two boxes successfully, or it never reaches the internet at all. To find out which, I set up a sample test server with a PHP file that writes to a file whenever it gets any hit/traffic. When I try the curl command from ClientBox, it writes nothing. But when I test it from my laptop, it registers the hit.

So the traffic never reaches the internet.

Here is GatewayBox's configuration (scroll down):

# ip address

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 56:00:02:2f:e2:ce brd ff:ff:ff:ff:ff:ff
    inet 95.179.179.240/23 brd 95.179.179.255 scope global dynamic ens3
       valid_lft 79871sec preferred_lft 79871sec
    inet6 fe80::5400:2ff:fe2f:e2ce/64 scope link
       valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 95.179.179.240 peer 155.138.239.111
    inet 10.10.10.2/24 scope global gre1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:5fb3:b3f0/64 scope link
       valid_lft forever preferred_lft forever



# ip route show

default via 95.179.178.1 dev ens3 proto dhcp metric 100
10.10.10.0/24 dev gre1 proto kernel scope link src 10.10.10.2
95.179.178.0/23 dev ens3 proto kernel scope link src 95.179.179.240
155.138.239.111 dev ens3 scope link
169.254.169.254 via 95.179.178.1 dev ens3 proto dhcp metric 100
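The interface a packet leaves on is decided by the routing table, not by the iptables rules: the kernel takes the longest matching prefix and, among equal prefixes, the lowest metric. As an added example (not part of the question), the snippet below reproduces that lookup against the GatewayBox table above, so the same check can be run against ClientBox's `ip route show` output to see which interface a given destination actually uses. It assumes only the main table matters (no `ip rule` policy routing).

```python
import ipaddress
from typing import List, Optional, Tuple

# `ip route show` on GatewayBox, copied from the question above.
GATEWAY_ROUTES = """\
default via 95.179.178.1 dev ens3 proto dhcp metric 100
10.10.10.0/24 dev gre1 proto kernel scope link src 10.10.10.2
95.179.178.0/23 dev ens3 proto kernel scope link src 95.179.179.240
155.138.239.111 dev ens3 scope link
169.254.169.254 via 95.179.178.1 dev ens3 proto dhcp metric 100
"""

# (prefix, next-hop gateway or None when on-link, device, metric)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str, int]


def parse_routes(text: str) -> List[Route]:
    """Parse the fields of `ip route show` that matter for egress selection."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((prefix, gateway, dev, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def egress(routes: List[Route], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (device, next hop) for dst; next hop is None when dst is on-link."""
    r = lookup(routes, dst)
    return None if r is None else (r[2], r[1])


if __name__ == "__main__":
    table = parse_routes(GATEWAY_ROUTES)
    # The /32 host route for the GRE peer keeps the tunnel's outer packets on
    # ens3 even if a default route via gre1 were added later.
    for dst in ("1.1.1.1", "10.10.10.1", "155.138.239.111"):
        print(dst, "->", egress(table, dst))
```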



# curl ipinfo.io --interface ens3

{
  "ip": "95.179.179.240",
  "hostname": "95.179.179.240.vultr.com",
  "city": "Haarlem",
  "region": "North Holland",
  "country": "NL",
  "loc": "52.3902,4.6568",
  "org": "AS20473 Choopa, LLC",
  "postal": "2031",
  "timezone": "Europe/Amsterdam",
  "readme": "https://ipinfo.io/missingauth"
}



# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



# iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Any idea how I can get this working?