Ubuntu

PPTP VPN iptables firewall problem with csf

  • June 4, 2011

I am running into problems using iptables and PPTP VPN. I have read the related topics on here and online, but still can't get it working! I am trying to set up PPTP on an Ubuntu server on our local network, to force clients to log in through the VPN before they can access the internet. The Ubuntu server is connected directly to the internet.

In my rc.local I have the following to forward and accept GRE:

# PPTP IP forwarding
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A INPUT -p gre -j ACCEPT
sudo iptables -A OUTPUT -p gre -j ACCEPT

This shows up in my iptables list, so I know it is there.

I am using CSF as my firewall on the server. If it is disabled I can connect to the VPN and browse the internet through it; if CSF is enabled I either get "disconnected by the communicating device" or I can connect but cannot access the internet through the VPN.

There is also a strange issue where it seems to work through the firewall every now and then!

I have the following ports open:

TCP_IN = ...47,53,80,92,110,143,443,465,587,993,995,1723,7777..
TCP_OUT = ...47,53,80,92,110,113,443,1723,25565,7777...
UDP_IN = 20,21,47,53,1723,27015,27025
UDP_OUT = 20,21,47,53,113,123,1723,27015, 27025

Do you have any suggestions on how to resolve this? Do you need any further information?

Many thanks for your time,


Additional information as requested:

iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
7377  749K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
5631  786K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spts:1024:65535 dpt:53 
   0     0 ACCEPT     tcp  --  !lo    *       130.88.13.7          0.0.0.0/0           tcp spts:1024:65535 dpt:53 
   3   626 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spt:53 dpts:1024:65535 
   0     0 ACCEPT     tcp  --  !lo    *       130.88.13.7          0.0.0.0/0           tcp spt:53 dpts:1024:65535 
   0     0 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spt:53 dpt:53 
   0     0 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spts:1024:65535 dpt:53 
   0     0 ACCEPT     tcp  --  !lo    *       130.88.149.93        0.0.0.0/0           tcp spts:1024:65535 dpt:53 
 431 71632 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spt:53 dpts:1024:65535 
   0     0 ACCEPT     tcp  --  !lo    *       130.88.149.93        0.0.0.0/0           tcp spt:53 dpts:1024:65535 
   0     0 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spt:53 dpt:53 
5021  561K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
4255  519K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
   1    64 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:47 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
  61  3648 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
   1    64 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995 
   3   192 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1723 
   2   128 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7777 
  89  5340 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 
  84  5040 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27015 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21433 
 103  6180 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25566 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23456 
   0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6667 
   0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
   0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
   0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:47 
   0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
   0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1723 
 435 19275 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27015 
 389 16837 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27025 
   0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:6667 
   2   122 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 
   0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 0 limit: avg 1/sec burst 5 
   0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
   0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 3 
1127 73207 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
8150  710K LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner GID match 8 
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 0 
 123  7380 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
5631  786K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
 436 32454 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp dpt:53 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp spt:53 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp spt:53 
6572  649K INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
6852  636K ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:47 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
 148  8880 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:113 
   2   120 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1723 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7777 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27015 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21433 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23456 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
  30  1800 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25555 
   0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6667 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:47 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:113 
  52  3952 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1723 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27015 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27025 
   0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:6667 
   0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 0 
   0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 8 
   0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 11 
   0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 3 
   3   183 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0                    

Chain INVALID (2 references)
pkts bytes target     prot opt in     out     source               destination         
  19   844 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08 
   0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20 
   9   360 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 

Chain INVDROP (10 references)
pkts bytes target     prot opt in     out     source               destination         
  28  1204 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALINPUT (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  !lo    *       10.1.2.0/24          0.0.0.0/0           
 461 31652 ACCEPT     all  --  !lo    *       78.129.132.155       0.0.0.0/0           
6901  714K DSHIELD    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
6831  695K SPAMHAUS   all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALOUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            10.1.2.0/24         
 600 32952 ACCEPT     all  --  *      !lo     0.0.0.0/0            78.129.132.155      

Chain LOGDROPIN (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:68 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:113 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139 
  76 18810 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:135:139 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:500 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:513 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:513 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520 
 979 50908 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
  26  1056 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 
  41  2173 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* ' 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* ' 
  72  3489 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPOUT (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* ' 
   0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* ' 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* ' 
   3   183 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

iptables -nvL -t nat

pez@brave:~$ sudo iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 42112 packets, 3106K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 716 packets, 43090 bytes)
pkts bytes target     prot opt in     out     source               destination          
   0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
   0     0 MASQUERADE  all  --  *      venet0  10.10.0.0/24         0.0.0.0/0           
31176 2345K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Solution summary: create a new file csfpre in /etc/csf/ and add the following:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -p ALL -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -p ALL -j ACCEPT

From what I can see, you don't appear to have actually enabled the GRE protocol. You allow TCP port 47, but that is not the same thing. Your rc.local rules for GRE look fine, but they may have been overridden, so add those rules in the appropriate place in your firewall system.

You also have a DROP policy for forwarded packets; add this rule as a minimum:

iptables -A FORWARD -i ppp+ -j ACCEPT

This enables forwarding for all interfaces whose names start with ppp, which should be sufficient for a PPTP-based VPN.

Also, you may already have done this, but check that packet forwarding is enabled: sysctl net.ipv4.ip_forward should be 1.

Note that the packet count (first column) for TCP 1723 is 0. Try connecting and check whether it goes up. But enable GRE first, otherwise it naturally won't work.
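The thread's fix and the answer above come down to three things: GRE is IP protocol 47 (not TCP/UDP port 47), CSF rebuilds the ruleset on restart so rules from rc.local disappear, and FORWARD has a DROP policy. The script below is an added example, not code from the thread or from CSF: it checks an `iptables-save` dump for exactly those conditions, so the same checks run offline against constructed sample rulesets and, with `--live`, against the running kernel. It also prints the rule set to keep in the CSF pre-load hook. Assumptions: the WAN interface is eth0 and PPTP clients land on ppp+ interfaces, both taken from the thread; /etc/csf/csfpre.sh is CSF's documented pre-load hook (the thread names the file "csfpre"). The FORWARD pair is narrowed to the ppp<->eth0 direction with a stateful rule on the return path, instead of the bare `-i ppp+ -j ACCEPT`, so VPN clients cannot be forwarded onto other interfaces. Note that this only fixes the firewall plumbing; PPTP's own authentication (MS-CHAPv2) is known to be weak, which is a separate decision from the rules below.

```shell
#!/usr/bin/env bash
# Added example (not from the ServerFault thread or from CSF): sanity checks
# for a PPTP server whose firewall is managed by CSF. All checks take
# iptables-save text as arguments so they can run offline; check_live() feeds
# them the running ruleset. eth0 / ppp+ / csfpre.sh are assumptions (see above).

# 0 if chain $2 of filter ruleset $1 ACCEPTs GRE. GRE is IP protocol 47, so a
# match needs "-p gre" (or "-p 47"); a TCP/UDP rule on *port* 47 is unrelated.
gre_accepted_in() {
  printf '%s\n' "$1" | grep -Eq "^-A $2( .*)? -p (gre|47)( .*)? -j ACCEPT"
}

# 0 if the ruleset opens TCP or UDP port 47: the classic GRE mix-up.
port47_mistake() {
  printf '%s\n' "$1" | grep -Eq -- "-p (tcp|udp)( .*)? --dport 47( |$)"
}

# 0 if FORWARD accepts packets entering on a ppp interface.
forward_accepts_ppp() {
  printf '%s\n' "$1" | grep -Eq "^-A FORWARD( .*)? -i ppp\+( .*)? -j ACCEPT"
}

# 0 if the nat table masquerades traffic leaving via interface $2.
masq_on() {
  printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING( .*)? -o $2( .*)? -j MASQUERADE"
}

# Rules to put in /etc/csf/csfpre.sh so CSF re-creates them on every restart.
# Forwarding is limited to ppp<->$wan; the return direction is stateful.
pptp_rules() {
  local wan=${1:-eth0}
  cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run every check. $1 filter rules, $2 nat rules, $3 net.ipv4.ip_forward value,
# $4 WAN interface. Prints one line per finding; returns the number of findings.
diagnose() {
  local filter=$1 nat=$2 ip_forward=$3 wan=${4:-eth0} n=0 chain
  [ "$ip_forward" = 1 ] || { echo "net.ipv4.ip_forward=$ip_forward (need 1)"; n=$((n+1)); }
  for chain in INPUT OUTPUT; do
    gre_accepted_in "$filter" "$chain" || { echo "no GRE ACCEPT in $chain"; n=$((n+1)); }
  done
  ! port47_mistake "$filter" || { echo "TCP/UDP port 47 is open: that is not GRE"; n=$((n+1)); }
  forward_accepts_ppp "$filter" || { echo "FORWARD does not accept ppp+ traffic"; n=$((n+1)); }
  masq_on "$nat" "$wan" || { echo "no MASQUERADE on $wan in nat/POSTROUTING"; n=$((n+1)); }
  return "$n"
}

# Live run (needs root): capture the kernel's view and diagnose it.
check_live() {
  diagnose "$(iptables-save -t filter)" "$(iptables-save -t nat)" \
           "$(sysctl -n net.ipv4.ip_forward)" "${1:-eth0}"
}

# Constructed sample mirroring the thread's broken state: CSF opened TCP port
# 47, FORWARD is policy DROP with no rules, the rc.local GRE rules are gone.
BROKEN_FILTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 47 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
COMMIT'
BROKEN_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample of the same host after pptp_rules were loaded via csfpre.sh
# and the misleading port-47 rule was removed.
FIXED_FILTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
COMMIT'

if [ "${1:-}" = --live ]; then
  check_live "${2:-eth0}"
else
  echo "== constructed broken ruleset"; diagnose "$BROKEN_FILTER" "$BROKEN_NAT" 0 eth0 || true
  echo "== constructed fixed ruleset";  diagnose "$FIXED_FILTER" "$BROKEN_NAT" 1 eth0 && echo OK
fi
```

Run it with no arguments to see the five findings the broken sample produces and a clean pass for the fixed one; run `sudo ./pptp-check.sh --live eth0` on the server to check the real ruleset, and `pptp_rules eth0 > /etc/csf/csfpre.sh` (then `csf -r`) to install the rules where CSF will reload them.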

Source: https://serverfault.com/questions/276518