Ubuntu
PPTP VPN iptables 防火牆問題 csf
我在使用 iptables 和 PPTP VPN 時遇到了問題,我已經閱讀了有關聽力和線上的相關主題,但仍然無法正常工作!我正在嘗試在我們本地網路上的 ubuntu 伺服器上設置 PPTP,以強制客戶端必須通過 VPN 登錄才能訪問網際網路。ubuntu 伺服器直接連接到網際網路。
在我的 rc.local 中,我有以下內容要轉發並接受 gre
# PPTP IP forwarding sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A INPUT -p gre -j ACCEPT sudo iptables -A OUTPUT -p gre -j ACCEPT這顯示在我的 iptables 列表中,所以我知道它在那裡。
我在伺服器上使用 CSF 作為我的防火牆,如果禁用,我可以連接到 VPN 並通過它瀏覽網際網路,如果啟用 CSF,我要麼“被通信設備斷開連接”,要麼可以連接但無法訪問網際網路通過VPN。
這也有一個奇怪的問題,它似乎時不時地通過防火牆工作!
我打開了以下埠:
TCP_IN = ...47,53,80,92,110,143,443,465,587,993,995,1723,7777.. TCP_OUT = ...47,53,80,92,110,113,443,1723,25565,7777... UDP_IN = 20,21,47,53,1723,27015,27025 UDP_OUT = 20,21,47,53,113,123,1723,27015, 27025您對如何解決此問題有任何建議嗎?您需要任何進一步的資訊嗎?
非常感謝您的時間,
按要求提供的額外資訊:
iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 7377 749K LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0 5631 786K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- !lo * 130.88.13.7 0.0.0.0/0 udp spts:1024:65535 dpt:53 0 0 ACCEPT tcp -- !lo * 130.88.13.7 0.0.0.0/0 tcp spts:1024:65535 dpt:53 3 626 ACCEPT udp -- !lo * 130.88.13.7 0.0.0.0/0 udp spt:53 dpts:1024:65535 0 0 ACCEPT tcp -- !lo * 130.88.13.7 0.0.0.0/0 tcp spt:53 dpts:1024:65535 0 0 ACCEPT udp -- !lo * 130.88.13.7 0.0.0.0/0 udp spt:53 dpt:53 0 0 ACCEPT udp -- !lo * 130.88.149.93 0.0.0.0/0 udp spts:1024:65535 dpt:53 0 0 ACCEPT tcp -- !lo * 130.88.149.93 0.0.0.0/0 tcp spts:1024:65535 dpt:53 431 71632 ACCEPT udp -- !lo * 130.88.149.93 0.0.0.0/0 udp spt:53 dpts:1024:65535 0 0 ACCEPT tcp -- !lo * 130.88.149.93 0.0.0.0/0 tcp spt:53 dpts:1024:65535 0 0 ACCEPT udp -- !lo * 130.88.149.93 0.0.0.0/0 udp spt:53 dpt:53 5021 561K INVALID tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 4255 519K ACCEPT all -- !lo * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 1 64 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:47 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 61 3648 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 1 64 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:92 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:389 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995 3 192 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1723 2 128 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7777 89 5340 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25565 84 5040 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:27015 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21433 103 6180 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25566 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:23456 0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6667 0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20 0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21 0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:47 0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1723 435 19275 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:27015 389 16837 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:27025 0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:6667 2 122 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 11 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 3 1127 73207 LOGDROPIN all -- !lo * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 8150 710K LOCALOUTPUT all -- * !lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * lo 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner GID match 8 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 owner UID match 0 123 7380 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 5631 786K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 436 32454 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp spt:53 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp spt:53 6572 649K INVALID tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 6852 636K ACCEPT all -- * !lo 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:47 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 148 8880 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:92 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113 2 120 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:389 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1723 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25565 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7777 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:27015 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21433 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:23456 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306 30 1800 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2082 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:92 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25555 0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6667 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:47 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:113 52 3952 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1723 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:27015 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:27025 0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:6667 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 0 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 11 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 3 3 183 LOGDROPOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0 Chain INVALID (2 references) pkts bytes target prot opt in out source destination 19 844 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08 0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20 9 360 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW Chain INVDROP (10 references) pkts bytes target prot opt in out source destination 28 1204 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain LOCALINPUT (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- !lo * 10.1.2.0/24 0.0.0.0/0 461 31652 ACCEPT all -- !lo * 78.129.132.155 0.0.0.0/0 6901 714K DSHIELD all -- !lo * 0.0.0.0/0 0.0.0.0/0 6831 695K SPAMHAUS all -- !lo * 0.0.0.0/0 0.0.0.0/0 Chain LOCALOUTPUT (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * !lo 0.0.0.0/0 10.1.2.0/24 600 32952 ACCEPT all -- * !lo 0.0.0.0/0 78.129.132.155 Chain LOGDROPIN (1 references) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:68 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:113 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139 76 18810 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520 979 50908 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520 26 1056 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 41 2173 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* ' 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* ' 72 3489 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain LOGDROPOUT (1 references) pkts bytes target prot opt in out source destination 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* ' 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* ' 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* ' 3 183 DROP all -- * * 0.0.0.0/0 0.0.0.0/0iptables -nvL -t nat
pez@brave:~$ sudo iptables -nvL -t nat Chain PREROUTING (policy ACCEPT 42112 packets, 3106K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 716 packets, 43090 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 0 0 MASQUERADE all -- * venet0 10.10.0.0/24 0.0.0.0/0 31176 2345K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0解決方案總結,在 /etc/csf/ 中創建新文件 csfpre 添加以下內容:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A INPUT -p gre -j ACCEPT iptables -A OUTPUT -p gre -j ACCEPT iptables -A FORWARD -i ppp+ -o eth0 -p ALL -j ACCEPT iptables -A FORWARD -i eth0 -o ppp+ -p ALL -j ACCEPT
從我所見,您似乎並沒有真正啟用 GRE 協議。您允許 TCP 埠 47,但這不一樣。您
rc.local關於 GRE 的規則看起來不錯,但可能已被覆蓋,因此請在您的防火牆系統中適當添加這些規則。您還有一個用於轉發數據包的 DROP 策略 - 將此規則添加為最小值:
iptables -A FORWARD -i ppp+ -j ACCEPT這為所有以 開頭的介面啟用轉發
ppp,這對於基於 PPTP 的 VPN 來說應該足夠了。此外,您可能已經這樣做了,但請檢查您是否啟用了數據包轉發
sysctl net.ipv4.ip_forward- 它應該是 1。請注意 TCP 1723 的數據包計數(第一列)為 0。嘗試連接並檢查它是否上升。但是首先啟用GRE,否則它當然不起作用。