lanthora / candy

A reliable, low-latency, and anti-censorship virtual private network
https://docs.canets.org
MIT License
461 stars, 56 forks

Select the traffic egress by device and destination address #416

Closed whoisgit closed 4 months ago

whoisgit commented 4 months ago

Environment:

A: 10.0.0.1 (candy-test) B: 10.0.0.2

Requirement:

When B accesses 8.8.8.8, the traffic should be forwarded through A.

Server configuration:

sdwan = "10.0.0.2/32,8.8.8.8/32,10.0.0.1"

IPv4 forwarding is enabled on device A (net.ipv4.ip_forward = 1),

and the following commands were run:

iptables -t nat -A POSTROUTING -o candy-test -j MASQUERADE
iptables -A FORWARD -i eth0 -o candy-test -j ACCEPT
iptables -A FORWARD -i candy-test -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Pinging 8.8.8.8 from B fails. A can see the requests, but there is no response, and iptables shows dropped packets.

lanthora commented 4 months ago

This is an iptables rule configuration problem: packets sent from candy-test to eth0 need to be accepted. The corresponding iptables rules should be changed to:

iptables -A FORWARD -i candy-test -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o candy-test -m state --state RELATED,ESTABLISHED -j ACCEPT
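The relay-side setup discussed in this thread, as an added example that is not part of the candy project or of either participant's post. It generates the rule set for the relay node (A in the issue) from the tunnel and uplink interface names, and checks an `iptables -S FORWARD` dump for the tunnel-to-uplink accept rule whose absence caused the drops above. Two things in it go beyond the thread and are design choices of this example: MASQUERADE is applied on the uplink interface, so that replies from 8.8.8.8 come back to A's uplink address rather than to 10.0.0.2 (which A's upstream would have to know how to route back), and unsolicited traffic from the uplink into the tunnel is explicitly dropped. The interface names and the two rule dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the candy project. Interface names are assumptions.

# Print the rules for a relay node: packets arriving on the tunnel may open new
# connections toward the uplink, the uplink may only send replies back into the
# tunnel, and forwarded packets leaving the uplink are source-NATed to the relay's
# own uplink address so the replies return to the relay.
relay_rules() {
    tun_if=$1   # candy TUN interface, e.g. candy-test
    wan_if=$2   # uplink interface, e.g. eth0
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE" \
        "iptables -A FORWARD -i $tun_if -o $wan_if -j ACCEPT" \
        "iptables -A FORWARD -i $wan_if -o $tun_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -A FORWARD -i $wan_if -o $tun_if -j DROP"
}

# Read an `iptables -S FORWARD` dump on stdin and report whether new connections
# from in_if to out_if are accepted: a rule matching both interfaces, with no
# state/conntrack restriction, whose target is ACCEPT. Exit status 0 = yes, 1 = no.
forward_accepts_new() {
    in_if=$1
    out_if=$2
    grep -- "-A FORWARD -i $in_if -o $out_if " |
        grep -v -e '--state' -e '--ctstate' |
        grep -q -- '-j ACCEPT$'
}

# Constructed dump (not a real capture) of the FORWARD chain as the reporter
# configured it: only the reverse direction is open, so B's pings are dropped.
BROKEN_FORWARD='-P FORWARD DROP
-A FORWARD -i eth0 -o candy-test -j ACCEPT
-A FORWARD -i candy-test -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed dump of the FORWARD chain after the fix from the reply above.
FIXED_FORWARD='-P FORWARD DROP
-A FORWARD -i candy-test -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o candy-test -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Stand-alone run: print the generated rule set for the issue's interfaces and
# confirm that it contains the tunnel -> uplink accept rule.
relay_rules candy-test eth0
relay_rules candy-test eth0 | sed -n 's/^iptables //p' |
    forward_accepts_new candy-test eth0 && echo "tunnel -> uplink accept present"
```

To audit a live node instead of the constructed dumps, feed the real chain to the check: `iptables -S FORWARD | forward_accepts_new candy-test eth0`. The generated rules are printed rather than executed so they can be reviewed first; run them with `relay_rules candy-test eth0 | sh` as root once the interface names are right.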