Enable IP forwarding
- Create /etc/sysctl.d/10-net.conf with the following content; settings in this file are applied at boot:
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
- To apply them immediately without rebooting:
    sudo sysctl -p /etc/sysctl.d/10-net.conf
nftables
Install nftables
- Debian installs it by default; if it is missing, install it with:
    sudo apt install -y nftables
NAT
- Edit /etc/nftables.conf. The `masquerade` statements in the `ip_masquerade` chain take an optional flag: fully-random, random or persistent. This enables NAT for traffic that arrives from br-lan and is routed out through eth0 or ppp*:
    flush ruleset

    table ip nat {
        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            iifname "br-lan" jump ip_masquerade
        }

        chain ip_masquerade {
            oifname "eth0" masquerade fully-random
            oifname "ppp*" masquerade fully-random
        }
    }
Firewall
- Append the following to /etc/nftables.conf. It drops all packets arriving on eth0 and ppp* that attempt to open a new connection from the outside; packets belonging to already established connections are still accepted, otherwise normal internet access would break:
    table inet filter {
        chain input {
            type filter hook input priority filter; policy accept;
            iifname "eth0" jump firewall
            iifname "ppp*" jump firewall
        }

        chain firewall {
            ct state established,related accept
            ct state invalid drop
            ct state new drop
        }
    }
Enable
- Start at boot:
    sudo systemctl enable --now nftables
- Apply the changes (either command):
    sudo systemctl restart nftables
    sudo nft -f /etc/nftables.conf
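As an added example that is not part of the original page: a POSIX shell script that renders the NAT and firewall rules from the two sections above for one LAN bridge and any number of WAN interfaces, then syntax-checks the result with `nft -c -f` before `nft -f` replaces the live ruleset (a bad file would otherwise fail to load after `flush ruleset` has been parsed, and a typo in the filter chain could lock you out). The interface names br-lan, eth0 and ppp* come from the page; the temporary file and the install path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: render the NAT + stateful filter
# ruleset for one LAN bridge and any number of WAN interfaces, then dry-run it
# with `nft -c -f` before `nft -f` atomically replaces the live ruleset.
set -eu

# render_ruleset LAN WAN...   (WAN names may be wildcards such as ppp*)
render_ruleset() {
    lan="$1"; shift
    printf 'flush ruleset\n\n'
    printf 'table ip nat {\n    chain postrouting {\n'
    printf '        type nat hook postrouting priority srcnat; policy accept;\n'
    printf '        iifname "%s" jump ip_masquerade\n    }\n\n' "$lan"
    printf '    chain ip_masquerade {\n'
    for wan in "$@"; do
        printf '        oifname "%s" masquerade fully-random\n' "$wan"
    done
    printf '    }\n}\n\n'
    printf 'table inet filter {\n    chain input {\n'
    printf '        type filter hook input priority filter; policy accept;\n'
    for wan in "$@"; do
        printf '        iifname "%s" jump firewall\n' "$wan"
    done
    printf '    }\n\n    chain firewall {\n'
    # Rule order matters: replies to our own connections are accepted first,
    # then invalid packets and unsolicited new connections from the WAN side
    # are dropped. Traffic on other interfaces is untouched (policy accept).
    printf '        ct state established,related accept\n'
    printf '        ct state invalid drop\n'
    printf '        ct state new drop\n    }\n}\n'
}

# check_ruleset FILE: parse-only check; returns nft's status, or 2 if nft is absent.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$1"
}

# install_ruleset: write, check, and only then load (paths are assumptions).
install_ruleset() {
    tmp=$(mktemp)
    render_ruleset br-lan eth0 'ppp*' > "$tmp"
    if check_ruleset "$tmp"; then
        sudo install -m 0644 "$tmp" /etc/nftables.conf
        sudo nft -f /etc/nftables.conf
    fi
    rm -f "$tmp"
}
```

Run `install_ruleset` as a user with sudo rights; nothing is loaded unless the parse check passes.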