Iptables

MASQUERADE does not work - response packets are lost

  • October 15, 2021

According to tcpdump, the initial packet from the VPN client has its source address translated and is sent to the destination, then the response packet arrives, but this response packet is simply lost. I even did firewall-cmd --set-log-denied=all, but the packet is lost without any log message.

Previously I had my OpenVPN server installed on CentOS 7 without a firewall, and enabled Internet access for clients like this:

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# localhost:~ # iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 10 packets, 751 bytes)
pkts bytes target     prot opt in     out     source               destination
   3   180 MASQUERADE  all  --  *      eth0    10.8.1.0/24          0.0.0.0/0

After migrating to openSUSE Tumbleweed, I spent 4 hours trying to configure this with firewalld, but gave up, stopped firewalld and tried the same iptables commands, but it still does not work - the response packets are silently dropped.

10.8.1.1 tun0 # VPN server
172.31.1.100 eth0 # WAN


localhost:~ # systemctl stop firewalld
localhost:~ # nft list ruleset
localhost:~ # iptables -t nat -I POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
localhost:~ # nft list ruleset
localhost:~ # iptables-save
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*mangle
:PREROUTING ACCEPT [8078:12476730]
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
:POSTROUTING ACCEPT [7553:1620216]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*raw
:PREROUTING ACCEPT [8078:12476730]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*security
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021
# Generated by iptables-save v1.8.7 on Fri Oct 15 02:39:41 2021
*filter
:INPUT ACCEPT [7999:12471990]
:FORWARD ACCEPT [29:1740]
:OUTPUT ACCEPT [7524:1618476]
COMMIT
# Completed on Fri Oct 15 02:39:41 2021

The client tries to connect to SMTP:

localhost:~ # tcpdump -nn -i any "port 465 or icmp"
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
02:41:25.326501 tun0  In  IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758001736 ecr 0,nop,wscale 7], length 0
02:41:25.326590 eth0  Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758001736 ecr 0,nop,wscale 7], length 0
02:41:25.363047 eth0  In  IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105615202 ecr 1758001736,nop,wscale 8], length 0
02:41:26.280346 tun0  In  IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758002755 ecr 0,nop,wscale 7], length 0
02:41:26.280400 eth0  Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758002755 ecr 0,nop,wscale 7], length 0
02:41:26.316940 eth0  In  IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105616156 ecr 1758001736,nop,wscale 8], length 0
02:41:27.331029 eth0  In  IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105617170 ecr 1758001736,nop,wscale 8], length 0
02:41:28.306349 tun0  In  IP 10.8.1.32.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758004782 ecr 0,nop,wscale 7], length 0
02:41:28.306380 eth0  Out IP 172.31.1.100.37346 > 173.194.222.16.465: Flags [S], seq 3151810436, win 64240, options [mss 1286,sackOK,TS val 1758004782 ecr 0,nop,wscale 7], length 0
02:41:28.342862 eth0  In  IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105618182 ecr 1758001736,nop,wscale 8], length 0
02:41:30.403068 eth0  In  IP 173.194.222.16.465 > 172.31.1.100.37346: Flags [S.], seq 1158840380, ack 3151810437, win 65535, options [mss 1430,sackOK,TS val 4105620242 ecr 1758001736,nop,wscale 8], length 0
^C
11 packets captured
13 packets received by filter
0 packets dropped by kernel

So I decided to reboot, but before rebooting I dumped the runtime kernel parameters to a file, then repeated the iptables/sysctl setup, and this time it worked!

After comparing the sysctl output I saw that net.ipv4.conf.eth0.forwarding was 0, even though net.ipv4.ip_forward was 1. I did not know that forwarding can be enabled or disabled for an individual NIC. It looks like firewall-cmd set the wrong value for the runtime kernel parameter, and firewall-cmd for some reason could not restore it.
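A diagnostic for the mismatch the post ends on, added here as an example that is not part of the original question: it parses sysctl-style output (a constructed sample modelled on the post is embedded) and reports every interface whose net.ipv4.conf.<if>.forwarding flag disagrees with net.ipv4.ip_forward. The function names, the sample values and the live_forwarding_check helper are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: detect the state described above,
# where net.ipv4.ip_forward is 1 but a per-interface net.ipv4.conf.<if>.forwarding
# flag is 0, so packets forwarded via that interface vanish without any log.

# Constructed sample modelled on the post: global forwarding on, eth0 off.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.tun0.forwarding = 1'

# forwarding_mismatches <sysctl output>
# Prints one line per interface whose forwarding flag differs from ip_forward.
# Exit status 0 when everything agrees, 1 when at least one interface disagrees.
forwarding_mismatches() {
    printf '%s\n' "$1" | awk '
        /^net\.ipv4\.ip_forward = / { global = $3 }
        /^net\.ipv4\.conf\.[^.]+\.forwarding = / {
            split($1, p, ".")        # p[4] is the interface name (or all/default)
            val[p[4]] = $3
        }
        END {
            bad = 0
            for (ifc in val)
                if (val[ifc] != global) {
                    printf "%s: forwarding=%s but ip_forward=%s\n", ifc, val[ifc], global
                    bad = 1
                }
            exit bad
        }'
}

# Same check against the running kernel; needs a real /proc/sys, so it is not
# exercised by the embedded sample.
live_forwarding_check() {
    forwarding_mismatches "$(sysctl -a 2>/dev/null |
        grep -E '^net\.ipv4\.(ip_forward|conf\.[^.]+\.forwarding) ')"
}
```

Run live_forwarding_check on the VPN host before and after firewalld touches the rules; a non-zero exit names the interface that silently drops forwarded traffic.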

Quoted from: https://unix.stackexchange.com/questions/673287