IPTables Cookbook

允许一个网卡路由转发到另外一个网卡#

  • 允许 wlan1 -> wlan0
iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o wlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

NAT with IPSec#

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth1 -j ACCEPT
ip link add ipsec0 type xfrm dev eth0 if_id 42
ip link set ipsec0 up
# 配置基于 xfrm 的 vpn
iptables -A FORWARD -i ipsec0 -j ACCEPT
# 查看当前地址
ip xfrm policy
# 如果是使用的 swanctl
VIP=$(swanctl -l -i vpn -P | grep local-vips -A1 | tail -1 | tr -d ' ')
# 添加地址 - xfrm 不需要地址也能工作,但 MASQUERADE 需要转换出正确的地址需要
ip addr add $VIP/32 dev ipsec0
# 测试
ip ro add 8.8.8.8 dev ipsec0 src $VIP
# NAT
iptables -t nat -A POSTROUTING -o ipsec0 -j MASQUERADE
RIP=$(swanctl -l -i vpn -P | grep remote-host | egrep -o '[0-9.]+')
# 远程 IP 走默认
ip ro add $RIP dev eth0 src 192.168.1.2 via 192.168.1.1
# 本地默认路由
ip ro add default dev ipsec0 src $VIP

stun/turn#