Using the ip forward setup from the documentation, but the host cannot ping the target network #335

Open
AkashiSensei opened this issue Mar 10, 2024 · 1 comment


@AkashiSensei

I ran into some problems when using the ip forward setup from usage.md. The system is Ubuntu Server 23.10, Docker version 24.0.5, build ced0996, using the cli variant of the image. The relevant parts of the script used to start the container and add the transparent proxy are as follows:

sudo docker run --rm --name ${NAME} -d --device /dev/net/tun --cap-add NET_ADMIN -ti -p 127.0.0.1:1080:1080 -p 127.0.0.1:8888:8888 -e EC_VER=7.6.3 -e CLI_OPTS="-d ******** -u ******** -p ********" hagb/docker-easyconnect:cli

# NETWORK is the target network to be proxied.
# CONTAINER_IP is the container address that was obtained.
# MTU is the mtu that was obtained.
# TABLE is set to 3.
sudo ip route add $NETWORK via $CONTAINER_IP mtu $MTU table $TABLE
sudo ip rule add iif lo table $TABLE

After the container starts successfully, the target network can be pinged from inside the container, but the host cannot reach the target network normally. Some other host applications can reach it through the proxy; for example, I configured ssh with the proxy ProxyCommand nc -X 5 -x 127.0.0.1:1080 %h %p and it connects to the target network through the proxy successfully. I don't quite understand what is misconfigured so that the host cannot ping the target network, e.g. whether snat or similar also needs to be configured, or whether my understanding of the transparent proxy approach is wrong.

The log at startup is as follows:

Error: ipv4: FIB table does not exist.
Flush terminated
Error: Missing goto target for action goto.
/usr/local/bin/start.sh: line 186: ulimit: open files: cannot modify limit: Operation not permitted
/usr/local/bin/start.sh: line 146: tigervncpasswd: command not found
WARNING: logging deactivated (can't log to stdout when daemonized)
/usr/local/bin/start.sh: line 152: tigervncserver: command not found
/usr/local/bin/start.sh: line 164: xclip: command not found
auto login is disabled
user "********" login successfully!

The result of probing the target network with traceroute is as follows:

traceroute to ******** (********), 30 hops max, 60 byte packets
 1  172.17.0.2 (172.17.0.2)  0.091 ms  0.020 ms  0.016 ms
 2  * * *
 3  * * *
 4  * * *
# remaining hops omitted

The output of iptables -L on the host is as follows:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  bogon/16             anywhere             /* generated for MicroK8s pods */
ACCEPT     all  --  anywhere             bogon/16             /* generated for MicroK8s pods */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8888
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:socks

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

The output of the command sudo iptables -t nat -L -n --line-numbers is as follows:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DOCKER     0    --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DOCKER     0    --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  0    --  172.17.0.0/16        0.0.0.0/0           
2    MASQUERADE  0    --  172.18.0.0/16        0.0.0.0/0           
3    MASQUERADE  6    --  172.17.0.2           172.17.0.2           tcp dpt:8888
4    MASQUERADE  6    --  172.17.0.2           172.17.0.2           tcp dpt:1080

Chain DOCKER (2 references)
num  target     prot opt source               destination         
1    RETURN     0    --  0.0.0.0/0            0.0.0.0/0           
2    RETURN     0    --  0.0.0.0/0            0.0.0.0/0           
3    DNAT       6    --  0.0.0.0/0            127.0.0.1            tcp dpt:8888 to:172.17.0.2:8888
4    DNAT       6    --  0.0.0.0/0            127.0.0.1            tcp dpt:1080 to:172.17.0.2:1080

The record of the failed ping command is as follows:

From 172.17.0.2: icmp_seq=2 Redirect Host(New nexthop: 172.17.0.1)

For a single ping ******** -c 1, capturing on the host with tcpdump -i any icmp gives:

10:50:12.250461 docker0 Out IP localhost > 目标网络中的目标主机: ICMP echo request, id 38423, seq 1, length 64
10:50:12.250473 veth4a7f751 Out IP localhost > 目标网络中的目标主机: ICMP echo request, id 38423, seq 1, length 64
10:50:12.250524 veth4a7f751 P   IP localhost > 目标网络中的目标主机: ICMP echo request, id 38423, seq 1, length 64
10:50:12.250524 docker0 In  IP localhost > 目标网络中的目标主机: ICMP echo request, id 38423, seq 1, length 64

Likewise for a single ping ******** -c 1, capturing inside the container with tcpdump -i any icmp gives:

02:50:12.250475 eth0  In  IP 172.17.0.1 > 目标网络中的目标主机: ICMP echo request, id 38423, seq 1, length 64
02:50:12.250523 eth0  Out IP 172.17.0.1 > 目标网络中的目标主机: ICMP echo request, id 38423, seq 1, length 64
02:50:34.002802 tun0  In  IP 10.254.72.1 > 10.3.0.85: ICMP echo reply, id 21845, seq 17459, length 56

The network address translation is layered one level inside another and I've gotten a bit lost; I haven't quite worked out where the problem lies.
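Both captures in the issue show the same hairpin: the echo request goes Out on docker0 (eth0 inside the container) and comes straight back In on that same interface, with no reply, while ping reports an ICMP Redirect from the container pointing back at the host's bridge address. The script below is an added diagnostic, not code from the issue or from docker-easyconnect: it parses tcpdump -i any ICMP lines in the format shown above and flags that pattern. The embedded capture is constructed from the host-side one in the issue, with the placeholder address 10.0.0.10 standing in for the redacted target host.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the host-side capture in the issue; the
# redacted target host is replaced with the placeholder address 10.0.0.10.
HOST_CAPTURE = """\
10:50:12.250461 docker0 Out IP localhost > 10.0.0.10: ICMP echo request, id 38423, seq 1, length 64
10:50:12.250473 veth4a7f751 Out IP localhost > 10.0.0.10: ICMP echo request, id 38423, seq 1, length 64
10:50:12.250524 veth4a7f751 P   IP localhost > 10.0.0.10: ICMP echo request, id 38423, seq 1, length 64
10:50:12.250524 docker0 In  IP localhost > 10.0.0.10: ICMP echo request, id 38423, seq 1, length 64
"""
# One `tcpdump -i any` line: timestamp, interface, direction (In/Out/P), ICMP echo fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out|P)\s+IP\s+(?P<src>\S+) > (?P<dst>[^:]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)
# The ping output line in the issue: the next hop answers with an ICMP Redirect.
REDIRECT_RE = re.compile(r"From (?P<from>\S+): icmp_seq=\d+ Redirect Host\(New nexthop: (?P<nh>\S+)\)")


def parse_capture(capture):
    """Group echo packets by (id, seq) into an ordered list of (iface, direction, kind)."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(int(m["id"]), int(m["seq"]))].append((m["iface"], m["dir"], m["kind"]))
    return flows


def diagnose(capture):
    """One (id, seq, verdict, ifaces) per echo; 'bounced' = Out and back In on the same iface, no reply."""
    findings = []
    for (icmp_id, seq), events in sorted(parse_capture(capture).items()):
        out_ifaces = {i for i, d, k in events if d == "Out" and k == "request"}
        in_ifaces = {i for i, d, k in events if d == "In" and k == "request"}
        replied = any(k == "reply" for _, _, k in events)
        bounced = sorted(out_ifaces & in_ifaces)
        if replied:
            findings.append((icmp_id, seq, "replied", []))
        elif bounced:
            findings.append((icmp_id, seq, "bounced", bounced))
        else:
            findings.append((icmp_id, seq, "no-reply", []))
    return findings


def redirect_points_back(ping_line, bridge_ip):
    """True when the Redirect's new next hop is the host's own bridge address (the sender routes it back)."""
    m = REDIRECT_RE.search(ping_line)
    return bool(m) and m["nh"] == bridge_ip
```

Run diagnose() over the container-side capture as well: a request that is In and then Out on eth0 with the only reply arriving on tun0 for a different id/seq shows that the forwarded packet never took the tunnel path the container's own ping uses.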

@ljj038

ljj038 commented May 15, 2024

Same question here. After setting up the ip route, the network cannot be accessed.
The socks proxy works fine.
