The client has a problem connecting to the Internet. It can reach the internal network, but not the Internet. Does anyone know what is wrong? Here is the iptables for the OpenVPN server:
$ sudo iptables -L -v --line-number
Chain INPUT (policy ACCEPT 53189 packets, 70M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
2 137 16324 ACCEPT all -- tun0 any anywhere anywhere
3 4841 586K ACCEPT udp -- wlan0 any anywhere anywhere udp dpt:443
Chain FORWARD (policy ACCEPT 4 packets, 256 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 4274 270K ACCEPT all -- any any 10.8.0.0/24 anywhere
3 0 0 ACCEPT all -- wlan0 tun0 anywhere anywhere
4 0 0 ACCEPT all -- tun0 wlan0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 13229 packets, 1247K bytes)
num pkts bytes target prot opt in out source destination
$ sudo iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 122 packets, 19337 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 3 packets, 583 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 22 packets, 1386 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 22 packets, 1386 bytes)
pkts bytes target prot opt in out source destination
2621 166K SNAT all -- * * 10.8.0.0/24 !10.8.0.0/24 to:120.xx.xx.xx
0 0 MASQUERADE all -- * wlan0 10.8.0.0/24 0.0.0.0/0
22 1386 all -- * * 0.0.0.0/0 0.0.0.0/0
$ ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::6f08:6434:23ed:1239 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 1173 bytes 75296 (75.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 432 (432.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.188 netmask 255.255.255.0 broadcast 192.168.100.255
ether 02:81:05:ba:1b:d4 txqueuelen 1000 (Ethernet)
RX packets 62966 bytes 75908690 (75.9 MB)
RX errors 0 dropped 1012 overruns 0 frame 0
TX packets 18570 bytes 2387345 (2.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Also, sysctl -a shows net.ipv4.ip_forward = 1.
Update: more output
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
Here is the ovpn:
client
proto udp
remote 120.xx.xx.xx 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_EjfYsD2SU86zv2oB name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
...
Update 2: After adding some rules to iptables, the client still cannot access the Internet.
$ sudo iptables -L -v --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
2 0 0 ACCEPT all -- tun0 any anywhere anywhere
3 1094 134K ACCEPT udp -- wlan0 any anywhere anywhere udp dpt:443
4 721 721K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
5 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:443
6 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
7 0 0 ACCEPT icmp -- any any anywhere anywhere
8 1 201 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 417 26066 ACCEPT all -- any any 10.8.0.0/24 anywhere
3 0 0 ACCEPT all -- wlan0 tun0 anywhere anywhere
4 0 0 ACCEPT all -- tun0 wlan0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
num pkts bytes target prot opt in out source destination
Since your iptables default policy is ACCEPT, almost none of the rules have any effect other than counting packets. The exception is the POSTROUTING table, which mangles the packets irrecoverably.
You need to define the services you want to expose to the Internet (assuming 120.xxx can reach the Internet) and block everything else. This example allows udp/443, tcp/22 and icmp:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Existing connections
iptables -A INPUT -p udp --dport 443 -j ACCEPT # OpenVPN
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
iptables -A INPUT -p icmp -j ACCEPT # Ping and other ICMP
iptables -A INPUT -j REJECT # Discard everything else
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE # Hide behind me
More elaborate examples are available (just search for something like "openvpn iptables masquerade"), but this should be the minimum needed to get it running.
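The answer above points at the POSTROUTING chain as the part that breaks the traffic. A quick way to confirm that on a gateway is to compare the SNAT --to-source address against the addresses actually assigned to the host: an SNAT to an address the host does not own means replies go to that address, not to this box, unless the upstream router forwards them back. The following is an added diagnostic, not code from the original question or answer. It parses the text of iptables -t nat -nvL POSTROUTING and ip -4 -o addr, both fed in here as constructed strings modelled on the page's output (the page's redacted 120.xx.xx.xx is replaced by the documentation address 192.0.2.10, which is likewise not on any interface). The column parsing assumes the iptables-legacy layout shown on the page.

```python
"""Check an OpenVPN gateway's POSTROUTING NAT rules against its local addresses.

Added diagnostic example (not from the original post). Both inputs are
constructed strings so the check runs offline; on a real host you would
feed it the output of `iptables -t nat -nvL POSTROUTING` and `ip -4 -o addr`.
"""
import re

# Constructed sample modelled on the page's nat table; 192.0.2.10 stands in
# for the page's redacted 120.xx.xx.xx and is NOT assigned to any interface.
NAT_OUTPUT = """\
Chain POSTROUTING (policy ACCEPT 22 packets, 1386 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2621  166K SNAT       all  --  *      *       10.8.0.0/24         !10.8.0.0/24          to:192.0.2.10
    0     0 MASQUERADE  all  --  *      wlan0   10.8.0.0/24          0.0.0.0/0
"""

# Constructed `ip -4 -o addr` output for the same host (trailing lft fields trimmed).
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: wlan0    inet 192.168.100.188/24 brd 192.168.100.255 scope global wlan0
3: tun0    inet 10.8.0.1/24 scope global tun0
"""

LOCAL_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3})/\d+")
TO_ADDR_RE = re.compile(r"to:(\d+(?:\.\d+){3})")
# Protocol names that can appear in the column where a target would be when a
# rule has no target at all (a counter-only rule, like the page's last line).
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "sctp"}
COLS = ["pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst"]


def local_addresses(ip_addr_text):
    """Map every IPv4 address in `ip -4 -o addr` output to its interface name."""
    addrs = {}
    for line in ip_addr_text.splitlines():
        m = LOCAL_ADDR_RE.match(line)
        if m:
            addrs[m.group(2)] = m.group(1)
    return addrs


def parse_postrouting(nat_text):
    """Parse `iptables -t nat -nvL` rule lines into dicts keyed by column name."""
    rules, in_rules = [], False
    for line in nat_text.splitlines():
        cols = line.split()
        if cols[:2] == ["pkts", "bytes"]:  # the column header precedes the rules
            in_rules = True
            continue
        if not in_rules or len(cols) < 8:
            continue
        if cols[2] in PROTOS:  # heuristic: target column is empty, shift it in
            cols.insert(2, "")
        if len(cols) < 9:
            continue
        rule = dict(zip(COLS, cols[:9]))
        rule["extra"] = " ".join(cols[9:])  # e.g. "to:192.0.2.10"
        rules.append(rule)
    return rules


def check_nat(nat_text, ip_addr_text):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    addrs = local_addresses(ip_addr_text)
    findings = []
    for r in parse_postrouting(nat_text):
        if r["target"] == "SNAT":
            m = TO_ADDR_RE.search(r["extra"])
            if m is None:
                findings.append(("warn", "SNAT rule without a parsable to: address"))
            elif m.group(1) not in addrs:
                findings.append(("error",
                    f"SNAT rewrites {r['src']} to {m.group(1)}, which is not assigned to "
                    f"any local interface ({', '.join(sorted(addrs))}); replies to that "
                    "address never reach this host unless the upstream router forwards them"))
        elif r["target"] == "MASQUERADE" and r["pkts"] == "0" and r["out"] != "*":
            findings.append(("info",
                f"MASQUERADE via {r['out']} has matched no packets; an earlier rule "
                "is consuming the traffic first"))
    return findings


if __name__ == "__main__":
    for severity, message in check_nat(NAT_OUTPUT, IP_ADDR_OUTPUT):
        print(f"[{severity}] {message}")
```

Running it on the constructed sample reports the SNAT as an error and notes that the MASQUERADE rule behind it never matches because the SNAT rule consumes every packet first; replacing the SNAT target with the wlan0 address, or dropping the SNAT rule and keeping only MASQUERADE as in the answer above, clears the error.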