更新 tailscale/tailscale-install.md

2025-12-13 23:30:50 +08:00
parent df82e403fa
commit 874deda91c
1 changed files with 67 additions and 1 deletions
--- a/tailscale/tailscale-install.md
+++ b/tailscale/tailscale-install.md
@@ -51,7 +51,26 @@ RuntimeDirectory=headscale
 WantedBy=multi-user.target

 ```
-### 启动
+#### 需要# 启用IP转发
+```
+echo 'net.ipv4.ip_forward=1' |  tee -a /etc/sysctl.conf
+ sysctl -p
+```
+##### 配置NAT规则（以eth0为外网接口）
+```
+apt install iptables-persistent
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+iptables -t filter -A FORWARD -i tailscale0 -o eth0 -j ACCEPT
+iptables -t filter -A FORWARD -i eth0 -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+netfilter-persistent save
+```
+#### 启用出口节点模式
+```
+tailscale up --advertise-exit-node
+```
+
+
+#### 启动
 ```
 systemctl daemon-reload
 systemctl enable --now headscale
@@ -188,4 +207,51 @@ ID | Hostname  | Name      | MachineKey | NodeKey | User | IP addresses
 1  | localhost | localhost | [ZqdSj]    | [qxtoU] | cba  | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2025-12-13 15:03:06 | 0001-01-01 00:00:00 | offline   | no     
 2  | smb-kk    | smb-kk    | [6+OpS]    | [ZOUQN] | abc  | 100.64.0.2, fd7a:115c:a1e0::2 | false     | 2025-12-13 14:42:15 | 0001-01-01 00:00:00 | online    | no     

+```
+#### 回到 Tailscale 客户端所在的 Linux 主机，可以看到 Tailscale 会自动创建相关的路由表和 iptables 规则。路由表可通过以下命令查看
+```
+# ip route show table 52
+
+100.64.0.1 dev tailscale0 
+100.100.100.100 dev tailscale0 
+```
+#### 查看 iptables 规则：
+
+```
+#  iptables -S
+-P INPUT ACCEPT
+-P FORWARD DROP
+-P OUTPUT ACCEPT
+-N DOCKER
+-N DOCKER-BRIDGE
+-N DOCKER-CT
+-N DOCKER-FORWARD
+-N DOCKER-ISOLATION-STAGE-1
+-N DOCKER-ISOLATION-STAGE-2
+-N DOCKER-USER
+-N ts-forward
+-N ts-input
+-A INPUT -j ts-input
+-A FORWARD -j ts-forward
+-A FORWARD -j DOCKER-USER
+-A FORWARD -j DOCKER-FORWARD
+-A DOCKER ! -i docker0 -o docker0 -j DROP
+-A DOCKER-BRIDGE -o docker0 -j DOCKER
+-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-FORWARD -j DOCKER-CT
+-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-BRIDGE
+-A DOCKER-FORWARD -i docker0 -j ACCEPT
+-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
+-A DOCKER-USER -j RETURN
+-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
+-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
+-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
+-A ts-forward -o tailscale0 -j ACCEPT
+-A ts-input -s 100.64.0.2/32 -i lo -j ACCEPT
+-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
+-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
+-A ts-input -i tailscale0 -j ACCEPT
+-A ts-input -p udp -m udp --dport 41641 -j ACCEPT
 ```