Network configuration
iptables configuration
Enable forwarding
To enable IP routing/forwarding, edit the file /etc/sysctl.conf and remove the leading "#" to uncomment the line

```text
#net.ipv4.ip_forward=1
```

Then make the change take effect:

```bash
sudo sysctl -p
```
Configure forwarding rules
Configure NAT rules

```bash
sudo iptables -A FORWARD -o eth0 -i eth1 -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

The first rule allows forwarding of the initial packets of a new connection (from the 10.0.0.0/24 subnet on eth1 out through eth0 only), the second allows forwarding of packets belonging to connections that are already established, and the third sets up NAT (masquerading) on eth0.
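The following script is an added example, not part of the original notes: it installs the same three rules (the forwarding rules here and the interface-specific variants further down) idempotently. It checks with `iptables -C` before appending, so re-running it never duplicates rules and it never has to flush the POSTROUTING chain, which would also remove the rules Docker adds there. The interface names `WAN_IF`/`LAN_IF`, the subnet `LAN_NET`, the `DRY_RUN` switch and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the forwarding and NAT rules
# idempotently. WAN_IF, LAN_IF, LAN_NET and DRY_RUN are illustrative defaults that
# can be overridden from the environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"           # upstream (NAT) interface, assumed
LAN_IF="${LAN_IF:-eth1}"           # downstream interface, assumed
LAN_NET="${LAN_NET:-10.0.0.0/24}"  # subnet allowed to be forwarded, assumed
DRY_RUN="${DRY_RUN:-0}"            # DRY_RUN=1 prints the commands instead of running them

# run_ipt: run iptables with the given arguments, or print the command in dry-run mode.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# ensure_rule TABLE CHAIN RULE...: append the rule only when an identical one is not
# already present (iptables -C exits 0 if it exists). Re-running the script therefore
# never duplicates rules and never needs a chain flush (-F), which would also remove
# rules that other software such as Docker has added to the same chain.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run_ipt -t "$table" -A "$chain" "$@"
    fi
}

# apply_nat_rules: the three rules from the notes above, parameterised by interface.
apply_nat_rules() {
    # 1. new connections from the LAN subnet may leave through the WAN interface only
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 2. replies and related traffic of established connections are allowed back
    ensure_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. source NAT for everything leaving through the WAN interface
    ensure_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# forwarding_enabled: exit 0 if the kernel currently forwards IPv4 packets, 1 otherwise.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Run with the argument "apply" to install the rules (needs root); without it the
# script only defines the functions above.
case "${1:-}" in
    apply)
        forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0, run 'sudo sysctl -p' first" >&2
        apply_nat_rules
        ;;
esac
```

Usage: `DRY_RUN=1 WAN_IF=wlp2s0 LAN_IF=enp1s0 LAN_NET=10.42.0.0/24 sh nat.sh apply` prints the exact commands that would be executed; drop `DRY_RUN=1` and run as root to install them.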
View the rules

```bash
sudo iptables -vnL -t filter
sudo iptables -vnL -t nat
```
Configure the filter table FORWARD chain

```bash
sudo iptables -A FORWARD -o wlp2s0 -i enp1s0 -s 10.42.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

```text
n100:~$ sudo iptables -vnL -t filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1317 241K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
1318 241K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
70 151K ACCEPT all -- * br-f626c33164bc 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-f626c33164bc 0.0.0.0/0 0.0.0.0/0
48 3740 ACCEPT all -- br-f626c33164bc !br-f626c33164bc 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-f626c33164bc br-f626c33164bc 0.0.0.0/0 0.0.0.0/0
180 10800 ACCEPT all -- enp1s0 wlp2s0 10.42.0.0/24 0.0.0.0/0 ctstate NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-f626c33164bc br-f626c33164bc 0.0.0.0/0 172.18.0.2 tcp dpt:8096
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
48 3740 DOCKER-ISOLATION-STAGE-2 all -- br-f626c33164bc !br-f626c33164bc 0.0.0.0/0 0.0.0.0/0
1322 241K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-f626c33164bc 0.0.0.0/0 0.0.0.0/0
48 3740 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
1317 241K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
```
Configure NAT

```bash
sudo iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
```

```text
n100:~$ sudo iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
75 9423 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 348 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 90 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
3 210 MASQUERADE all -- * !br-f626c33164bc 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.18.0.2 172.18.0.2 tcp dpt:8096
5 300 MASQUERADE all -- * wlp2s0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-f626c33164bc * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-f626c33164bc * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8096 to:172.18.0.2:8096
```
Save the rules
Next, save the iptables rules so that the NAT rules are loaded again on every reboot:
2.1 Save the iptables rules

```bash
sudo iptables-save | sudo tee /etc/iptables.sav
```

2.2 Edit the file /etc/rc.local and add the following line before "exit 0":

```bash
iptables-restore < /etc/iptables.sav
```

From then on the NAT-related iptables rules are loaded automatically every time the machine reboots.
Persist the rules permanently:

```bash
sudo apt install iptables-persistent
sudo netfilter-persistent save
```

Delete a rule

```bash
sudo iptables -D POSTROUTING 5 -t nat
```
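Deleting by rule number is fragile on a host where Docker adds and removes its own POSTROUTING rules: the number of the wlp2s0 MASQUERADE rule changes whenever those rules change (in the nat listing shown above it is the fourth rule of the chain). The script below is an added example, not part of the original notes: it parses `iptables -vnL` output and looks up the position of a rule at deletion time. The function names are our own; the embedded listing is the nat table shown earlier on this page, so the example runs without root or a live firewall.

```shell
#!/bin/sh
# Added example, not from the original notes: look up the position of a rule in a
# chain from `iptables -vnL` output instead of hard-coding the number given to
# `iptables -D CHAIN N`. Function names are our own; the sample listing is the
# nat table shown above on this page.

# rule_index CHAIN OUT_IF TARGET: reads an `iptables -vnL` listing on stdin and
# prints the 1-based position within CHAIN of the first rule whose target column
# is TARGET and whose "out" column is OUT_IF. Exit status 1 if nothing matches.
rule_index() {
    awk -v chain="$1" -v outif="$2" -v target="$3" '
        # "Chain NAME (...)" opens a new chain; restart the rule counter
        $1 == "Chain" { inchain = ($2 == chain); n = 0; next }
        # the column header line ("pkts bytes target ...") is not a rule
        $1 == "pkts" { next }
        # rule lines: pkts bytes target prot opt in out source destination [options]
        inchain && NF >= 9 {
            n++
            if ($3 == target && $7 == outif) { print n; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# sample_nat_listing: the `iptables -vnL -t nat` output from the notes above,
# embedded here so the example runs offline.
sample_nat_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
75 9423 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 348 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 90 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
3 210 MASQUERADE all -- * !br-f626c33164bc 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.18.0.2 172.18.0.2 tcp dpt:8096
5 300 MASQUERADE all -- * wlp2s0 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-f626c33164bc * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !br-f626c33164bc * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8096 to:172.18.0.2:8096
EOF
}

# delete_command OUT_IF: prints the iptables -D command for the MASQUERADE rule on
# OUT_IF in the POSTROUTING chain, with the number computed from the listing on stdin.
delete_command() {
    n="$(rule_index POSTROUTING "$1" MASQUERADE)" || return 1
    printf 'sudo iptables -t nat -D POSTROUTING %s\n' "$n"
}

# On a live system feed the real listing instead: sudo iptables -vnL -t nat | delete_command wlp2s0
sample_nat_listing | delete_command wlp2s0
```

Two simpler alternatives for a live system: `sudo iptables -vnL -t nat --line-numbers` prints the rule numbers directly, and `sudo iptables -t nat -D POSTROUTING -o wlp2s0 -j MASQUERADE` deletes the rule by its specification without any number at all.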