hwdsl2 / docker-ipsec-vpn-server

Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
https://hub.docker.com/r/hwdsl2/ipsec-vpn-server

The L2TP service starts, but the client can't connect; could someone point me in the right direction? #274

Closed vincent1394 closed 2 years ago

vincent1394 commented 2 years ago

Describe the issue

The client can't connect. On another machine it works, but on this machine it can't connect no matter what, and I haven't been able to find the problem. Could an expert help me figure it out?

1. The network the server is on has UDP and TCP 500, 4500 and 1701 open.
2. I checked carefully; the ports are all listening:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:1701            0.0.0.0:*
udp        0      0 0.0.0.0:8443            0.0.0.0:*
udp        0      0 0.0.0.0:4500            0.0.0.0:*
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp6       0      0 :::1701                 :::*
udp6       0      0 :::8443                 :::*
udp6       0      0 :::4500                 :::*
udp6       0      0 :::500                  :::*

3. The firewall has the ports open too:

[root@bio-scripts ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1701
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.218.0/24     0.0.0.0/0
ACCEPT     all  --  192.168.42.0/24      0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Log: docker exec -it ipsec-vpn-server tail -f /var/log/auth.log

2022-01-17T09:30:17.318533+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: responding to Main Mode from unknown peer 172.17.0.1:36740
2022-01-17T09:30:17.319282+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: sent Main Mode R1
2022-01-17T09:30:17.526572+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: sent Main Mode R2
2022-01-17T09:30:18.027878+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
2022-01-17T09:30:18.528735+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
2022-01-17T09:30:19.530087+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
2022-01-17T09:30:21.532429+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
2022-01-17T09:30:25.536773+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 8 seconds for response
2022-01-17T09:30:33.541546+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 16 seconds for response
2022-01-17T09:30:49.542168+00:00 2179ddfcb68b pluto[1951]: "l2tp-psk"[5] 172.17.0.1 #8: STATE_MAIN_R2: retransmission; will wait 32 seconds for response

Client (please complete the following information)

hwdsl2 commented 2 years ago

@vincent1394 Hello! Your issue is about the Docker image, so I moved it to #274. First, the IPTables on your Docker host does not need to open ports 1701, 500 and 4500. When the Docker container starts, Docker automatically adds the corresponding IPTables forwarding rules to open the ports. Only UDP ports 500 and 4500 are required for the VPN to work.

On this Docker host, the output of your iptables -L -n command does not show any Docker-related rules. To fix this, you may need to back up and then reinstall Docker on the host.

Your log shows retransmission, which may mean there is a network problem between the VPN server and the client, not necessarily that the ports are not open. Also, this Docker image does not support L2TP mode without IPsec encryption, because in that mode the data is not encrypted at all. Many routers only support that mode, so it is normal that those routers cannot connect.

If you have more information, you can continue to reply here.
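The retransmission pattern above (server sends Main Mode R1 and R2, then re-sends R2 until it times out while the peer re-sends its first packet) is what the maintainer reads as a path problem rather than a closed port. As an added example, not code from this thread or from the hwdsl2 project, the following Python groups pluto lines of that shape per IKE SA and reports how far Main Mode got; the sample log, host name, documentation address 203.0.113.7 and SA numbers are constructed.

```python
import re
from collections import defaultdict

# Line shape of the Libreswan pluto messages quoted in this thread.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)

# Constructed sample (made-up host, SA numbers and peer address), shaped like
# the server-side log in the thread; it is not a real capture.
SAMPLE_LOG = """\
Jan 18 14:10:29 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #131: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Jan 18 14:10:29 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #131: sent Main Mode R1
Jan 18 14:10:29 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #131: sent Main Mode R2
Jan 18 14:10:29 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #131: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
Jan 18 14:10:30 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #131: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
Jan 18 14:10:31 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #131: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
Jan 18 14:10:47 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #131: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:32 vpn pluto[1]: "l2tp-psk"[2] 203.0.113.7 #130: STATE_MAIN_R2: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
"""

def triage_ikev1(log_text):
    """Group pluto messages per IKE SA number and judge how far Main Mode got."""
    sas = defaultdict(lambda: {"peer": None, "sent": [], "retransmits": 0,
                               "refused": 0, "restarts": 0, "timed_out": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa, msg = sas[int(m["sa"])], m["msg"]
        sa["peer"] = m["peer"]
        if msg.startswith("sent Main Mode R"):
            sa["sent"].append(msg[-2:])        # R1, R2 or R3
        elif "retransmission" in msg:
            sa["retransmits"] += 1             # we re-sent; nothing came back
        elif msg.startswith("Oakley Transform") and msg.endswith("refused"):
            sa["refused"] += 1                 # harmless when "sent Main Mode R1" follows
        elif msg.startswith("discarding initial packet"):
            sa["restarts"] += 1                # peer re-sent its first message
        elif "timeout exceeded" in msg:
            sa["timed_out"] = True
    for sa in sas.values():
        sa["verdict"] = _verdict(sa)
    return dict(sas)

def _verdict(sa):
    last = sa["sent"][-1] if sa["sent"] else None
    if sa["timed_out"] or (sa["retransmits"] >= 3 and last in ("R1", "R2")):
        return ("peer never answered our %s: the server's UDP 500/4500 replies are not "
                "reaching the client; check the path (NAT/port mapping, host firewall, "
                "upstream filtering) rather than the listening ports" % (last or "reply"))
    if last == "R3":
        return "Main Mode completed; look at Quick Mode and xl2tpd next"
    if last is None and sa["refused"]:
        return "no Main Mode reply sent: no IKE proposal was accepted"
    return "in progress"
```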

vincent1394 commented 2 years ago

Hello. I didn't expose Docker directly; the VPS host's ports are mapped to the Docker container. On other machines, I can connect as soon as I start Docker. I also tried installing directly on the VPS host with the script and got the same error, and then switched to Docker. The error is exactly the same. Which log do you need? I'll start it up again on the host and post the log. Routers that support encryption can connect.

vincent1394 commented 2 years ago

This is the log from installing on the host, and it's the same. Below are some log lines I found; could someone take a look and see if there's any lead?

Jan 18 14:10:05 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:09 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:13 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:18 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX:500
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP1024] refused
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: sent Main Mode R1
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: sent Main Mode R2
Jan 18 14:10:29 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
Jan 18 14:10:30 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
Jan 18 14:10:31 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
Jan 18 14:10:32 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: STATE_MAIN_R2: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
Jan 18 14:10:32 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #130: deleting state (STATE_MAIN_R2) aged 64.082034s and NOT sending notification
Jan 18 14:10:33 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
Jan 18 14:10:37 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 8 seconds for response
Jan 18 14:10:45 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: STATE_MAIN_R2: retransmission; will wait 16 seconds for response
Jan 18 14:10:47 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: discarding initial packet; already STATE_MAIN_R2
Jan 18 14:10:51 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #131: discarding initial packet; already STATE_MAIN_R2

Anyway, it just can't connect either way.

[root@bio-scripts log]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 4.6 (XFRM) on 4.18.0-348.7.1.el8_5.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

[root@bio-scripts log]# ps aux | grep l2tp
root     33458  0.0  0.0  15876  1824 ?        Ss   10:29   0:00 /usr/sbin/xl2tpd -D
root     34215  0.0  0.0 221928  1156 pts/1    R+   14:18   0:00 grep --color=auto l2tp

[root@bio-scripts log]# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1701
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0

# Warning: iptables-legacy tables present, use iptables-legacy to see them

[root@bio-scripts log]# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-01-18 11:59:28 HKT; 2h 19min ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 34052 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 34049 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 33813 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 33811 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 34063 (pluto)
   Status: "Startup completed."
    Tasks: 4 (limit: 23719)
   Memory: 3.3M
   CGroup: /system.slice/ipsec.service
           └─34063 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

1月 18 14:18:40 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
1月 18 14:18:44 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 8 seconds for response
1月 18 14:18:52 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 16 seconds for response
1月 18 14:18:54 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:18:58 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:03 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:08 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:08 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: STATE_MAIN_R2: retransmission; will wait 32 seconds for response
1月 18 14:19:13 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2
1月 18 14:19:17 bio-scripts pluto[34063]: "l2tp-psk"[2] XXX.XXX.XXX.XXX #139: discarding initial packet; already STATE_MAIN_R2

hwdsl2 commented 2 years ago

@vincent1394 Your Docker host system is CentOS 8, right? From the information you provided, it may be an IPTables rule problem. Or the connection may be being interfered with by the GFW.

Please run the following three commands and look at the output:

iptables -nvL; iptables -nvL -t nat
iptables-legacy -nvL; iptables-legacy -nvL -t nat
nft list ruleset

hwdsl2 commented 2 years ago

@vincent1394 Also, if, as you say, installing with the script directly on the VPS host gives the same error, it is more likely that the VPN connection is being interfered with or blocked by the GFW.

vincent1394 commented 2 years ago

未找到匹配的参数: iptables-legacy

This machine doesn't have iptables-legacy, and yum doesn't have it either; if needed I can look for an RPM package. Please take another look; if it really can't be fixed I'll just have to give up on this machine.

[root@bio-scripts log]# iptables -nvL;
Chain INPUT (policy ACCEPT 3028 packets, 528K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 140K   68M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4  1734 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
    5   559 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8443
  165  8492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    5  2834 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  ens17  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  101 10580 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ens17  ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ens17   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   ppp+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens17  *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      ens17   192.168.43.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      ppp+    192.168.43.0/24      0.0.0.0/0
 252K  190M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4138  334K ACCEPT     all  --  *      *       192.168.218.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.42.0/24      0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 151K packets, 154M bytes)
 pkts bytes target     prot opt in     out     source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them

[root@bio-scripts log]# nft list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority mangle; policy accept;
    }

    chain INPUT {
        type filter hook input priority mangle; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
    }

    chain OUTPUT {
        type route hook output priority mangle; policy accept;
    }

    chain POSTROUTING {
        type filter hook postrouting priority mangle; policy accept;
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain INPUT {
        type nat hook input priority 100; policy accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ens17" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
        oifname "ens17" ip saddr 192.168.43.0/24  counter packets 0 bytes 0 masquerade
        oifname "ens17" ip saddr 192.168.218.0/24 counter packets 3829 bytes 309709 masquerade
        oifname "ens17" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
        oifname "ens17" ip saddr 192.168.11.0/24 counter packets 0 bytes 0 masquerade
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        meta l4proto udp udp dport 1701 meta secpath missing counter packets 0 bytes 0 drop
        ct state invalid counter packets 1 bytes 40 drop
        ct state related,established counter packets 140866 bytes 67958852 accept
        meta l4proto udp udp dport { 500,4500} counter packets 4 bytes 1734 accept
        meta l4proto udp udp dport 1701 meta secpath exists counter packets 0 bytes 0 accept
        meta l4proto udp udp dport 1701 counter packets 0 bytes 0 drop
        meta l4proto udp udp dport 1701 counter packets 0 bytes 0 accept
        meta l4proto tcp tcp dport 1701 counter packets 1 bytes 44 accept
        meta l4proto udp udp dport 4500 counter packets 0 bytes 0 accept
        meta l4proto tcp tcp dport 4500 counter packets 1 bytes 44 accept
        meta l4proto udp udp dport 500 counter packets 0 bytes 0 accept
        meta l4proto tcp tcp dport 500 counter packets 1 bytes 44 accept
        meta l4proto udp udp dport 8443 counter packets 5 bytes 559 accept
        meta l4proto tcp tcp dport 8443 counter packets 165 bytes 8492 accept
        meta l4proto tcp tcp dport 1723 counter packets 0 bytes 0 accept
        meta l4proto gre counter packets 5 bytes 2834 accept
        iifname "ens17" meta l4proto gre counter packets 0 bytes 0 accept
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        ct state invalid counter packets 101 bytes 10580 drop
        iifname "ens17" oifname "ppp*" ct state related,established counter packets 0 bytes 0 accept
        iifname "ppp*" oifname "ens17" counter packets 0 bytes 0 accept
        iifname "ppp*" oifname "ppp*" counter packets 0 bytes 0 accept
        iifname "ens17" ip daddr 192.168.43.0/24 ct state related,established counter packets 0 bytes 0 accept
        oifname "ens17" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
        oifname "ppp*" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
        ct state related,established counter packets 252323 bytes 190491551 accept
        ip saddr 192.168.218.0/24 counter packets 4144 bytes 334389 accept
        ip saddr 192.168.42.0/24 counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 reject
        counter packets 0 bytes 0 drop
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}

hwdsl2 commented 2 years ago

@vincent1394 Your IPTables rules and nft rules both look normal, so I'm not sure what the problem is. I suggest you try a different machine?