Iptables
我的 iptable 規則不允許 VPN 連接
我已經在我的 Archlinux 伺服器上安裝了 OpenVPN 並修改了我的 iptable 規則以允許埠上的傳入流量
1194
並將其轉發到tun0
介面。當我禁用/停止 iptables 時,OpenVPN 客戶端連接到伺服器。但是,啟用 iptables 後,客戶端無法連接到伺服器。客戶端讀取:“等待伺服器響應”。我的
iptable rules
:#!/bin/bash ## Flush all current rules from iptables iptables -F iptables -t nat -F ## Set default policies for INPUT, FORWARD and OUTPUT chains iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P INPUT ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -P POSTROUTING ACCEPT ## Create two user-defined chains that we will use to open up ports in the firewall iptables -N TCP iptables -N UDP ## Allow local traffic iptables -A INPUT -i lo -j ACCEPT ## Accept packets belonging to established and related connections iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -m conntrack --ctstate INVALID -j DROP ## Accept all new incoming ICMP echo requests, also known as pings iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT ## Attach the TCP and UDP chains to the INPUT chain to handle all new incoming connections iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP ## Reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst ## For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable #### BEGIN - Tricking port scanners #### ## SYN scans iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst ## UDP scans iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable ## Restore the Final Rule iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable #### END - Tricking port scanners #### ## Allow SSH connections on tcp port 22 iptables -A TCP -p tcp --dport 22 -j ACCEPT ## To accept incoming TCP connections on port 80 for a web server iptables -A TCP -p tcp --dport 80 -j ACCEPT ## To accept incoming TCP connections on port 443 for a web server (HTTPS) iptables -A TCP -p tcp --dport 443 -j ACCEPT ## Allow VPN iptables -A TCP -p tcp --dport 1194 -j ACCEPT iptables -A TCP -p udp --dport 1194 -j ACCEPT ### Setting up a NAT gateway ## Use another chain in the filter table iptables -N fw-interfaces ## Set up a rule with the conntrack match, identical to the one in the INPUT chain iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ## To enable forwarding for trusted interfaces iptables -A FORWARD -j fw-interfaces ## The remaining packets are denied with an ICMP message iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach iptables -P FORWARD DROP ### Setting up the nat table ## Setting up the POSTROUTING chain iptables -A fw-interfaces -i tun0 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE ## Save settings #/sbin/service iptables save iptables-save -c > /etc/iptables/iptables.rules ## If you edit the configuration file manually, you have to reload it systemctl reload iptables ## List rules iptables -L -n -v
我的
ifconfig
:eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.0.105 netmask 255.255.255.0 broadcast 192.168.0.255 ether b8:27:eb:a3:be:07 txqueuelen 1000 (Ethernet) RX packets 3396 bytes 288974 (282.2 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 2229 bytes 440341 (430.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 loop txqueuelen 0 (Local Loopback) RX packets 4 bytes 304 (304.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 4 bytes 304 (304.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
啟用 IP 轉發:
> sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1
如果您需要有關我的伺服器/OpenVPN 配置的更多資訊,請告訴我我的 iptable 規則有什麼問題。我試過這個和這個,但沒有運氣。
感謝 Xavier Lucas 的評論,這是我解決問題的方法。我更改了以下行
iptables
:## Allow VPN iptables -A UDP -p udp --dport 1194 -j ACCEPT