我有两台运行 18.04.6 桌面版的服务器。我无法从另一个子网(经由 IPsec 站点到站点 VPN)访问它们。在我看来,内置防火墙不允许来自其自身子网范围之外的地址的连接。我可以访问 Windows PC 和 QNAP NAS,所以我认为 Ubuntu 服务器中的默认防火墙设置是问题所在。注意:两台服务器都有多个 VLAN 接口,我尝试访问的子网是其中一个 VLAN。
Ufw 规则
root@ns04:~# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere ALLOW IN 192.168.3.0/24
[ 2] Anywhere ALLOW IN 192.168.1.0/24
[ 3] Anywhere ALLOW IN 172.30.13.0/24
[ 4] Samba ALLOW IN Anywhere
[ 5] Bind9 ALLOW IN Anywhere
[ 6] 22/tcp ALLOW IN Anywhere
[ 7] 67 ALLOW IN Anywhere
[ 8] 68 ALLOW IN Anywhere
[ 9] Anywhere ALLOW OUT Anywhere (out)
[10] Samba (v6) ALLOW IN Anywhere (v6)
[11] Bind9 (v6) ALLOW IN Anywhere (v6)
[12] 22/tcp (v6) ALLOW IN Anywhere (v6)
[13] 67 (v6) ALLOW IN Anywhere (v6)
[14] 68 (v6) ALLOW IN Anywhere (v6)
[15] Anywhere (v6) ALLOW OUT Anywhere (v6) (out)
root@ns04:~#
IP 地址(ip addr)
ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.3.254/24 brd 172.30.3.255 scope global dynamic enp2s0
valid_lft 137844sec preferred_lft 137844sec
inet6 wwww:xxxx:yyyy:zzzz:403a:fcea:711c:8530/64 scope global temporary dynamic
valid_lft 86231sec preferred_lft 14231sec
inet6 wwww:xxxx:yyyy:zzzz:e135:7f9c:b29f:5abf/64 scope global temporary deprecated dynamic
valid_lft 86231sec preferred_lft 0sec
inet6 wwww:xxxx:yyyy:zzzz:9c9d:ad17:ea63:bfdb/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86231sec preferred_lft 14231sec
inet6 fe80::4504:f36d:fb1b:907a/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: enp2s0.4@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.4.254/24 brd 172.30.4.255 scope global enp2s0.4
valid_lft forever preferred_lft forever
inet6 wwww:xxxx:yyyy:zzz4:7584:e7fc:17b4:ea5e/64 scope global temporary dynamic
valid_lft 86339sec preferred_lft 14339sec
inet6 wwww:xxxx:yyyy:zzz4:c0f0:42d3:9869:5852/64 scope global temporary deprecated dynamic
valid_lft 86339sec preferred_lft 0sec
inet6 wwww:xxxx:yyyy:zzz4:201:2eff:fe6b:2fe7/64 scope global dynamic mngtmpaddr
valid_lft 86339sec preferred_lft 14339sec
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
4: enp2s0.5@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.5.254/24 brd 172.30.5.255 scope global enp2s0.5
valid_lft forever preferred_lft forever
inet6 wwww:xxxx:yyyy:zzz5:b89d:2a36:bdd4:65ff/64 scope global temporary dynamic
valid_lft 86080sec preferred_lft 14080sec
inet6 wwww:xxxx:yyyy:zzz5:1991:2647:2778:79b/64 scope global temporary deprecated dynamic
valid_lft 86080sec preferred_lft 0sec
inet6 wwww:xxxx:yyyy:zzz5:201:2eff:fe6b:2fe7/64 scope global dynamic mngtmpaddr
valid_lft 86080sec preferred_lft 14080sec
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
5: enp2s0.7@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.7.254/24 brd 172.30.7.255 scope global enp2s0.7
valid_lft forever preferred_lft forever
inet6 wwww:xxxx:yyyy:zzz7:502:cf3d:1526:2907/64 scope global temporary dynamic
valid_lft 86111sec preferred_lft 14111sec
inet6 wwww:xxxx:yyyy:zzz7:2475:a5f6:3698:3f44/64 scope global temporary deprecated dynamic
valid_lft 86111sec preferred_lft 0sec
inet6 wwww:xxxx:yyyy:zzz7:201:2eff:fe6b:2fe7/64 scope global dynamic mngtmpaddr
valid_lft 86111sec preferred_lft 14111sec
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
6: enp2s0.8@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.8.254/24 brd 172.30.8.255 scope global enp2s0.8
valid_lft forever preferred_lft forever
inet6 fdea:0:0:8::254/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
7: enp2s0.9@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.9.254/24 brd 172.30.9.255 scope global enp2s0.9
valid_lft forever preferred_lft forever
inet6 wwww:xxxx:yyyy:zzz9:896e:cbd5:e835:a490/64 scope global temporary dynamic
valid_lft 86099sec preferred_lft 14099sec
inet6 wwww:xxxx:yyyy:zzz9:edae:d6e7:6503:e08a/64 scope global temporary deprecated dynamic
valid_lft 86099sec preferred_lft 0sec
inet6 wwww:xxxx:yyyy:zzz9:201:2eff:fe6b:2fe7/64 scope global dynamic mngtmpaddr
valid_lft 86099sec preferred_lft 14099sec
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
8: enp2s0.10@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.10.254/24 brd 172.30.10.255 scope global enp2s0.10
valid_lft forever preferred_lft forever
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
9: enp2s0.11@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.11.254/24 brd 172.30.11.255 scope global enp2s0.11
valid_lft forever preferred_lft forever
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
10: enp2s0.12@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:01:2e:6b:2f:e7 brd ff:ff:ff:ff:ff:ff
inet 172.30.12.254/24 brd 172.30.12.255 scope global enp2s0.12
valid_lft forever preferred_lft forever
inet6 fe80::201:2eff:fe6b:2fe7/64 scope link
valid_lft forever preferred_lft forever
root@ns04:/etc/ufw#
IP 路由
root@ns04:/etc/ufw#
root@ns04:/etc/ufw# ip route
default via 172.30.3.1 dev enp2s0
default via 172.30.3.1 dev enp2s0 proto dhcp metric 20100
169.254.0.0/16 dev enp2s0.4 scope link metric 1000
172.30.3.0/24 dev enp2s0 proto kernel scope link src 172.30.3.254
172.30.3.0/24 dev enp2s0 proto kernel scope link src 172.30.3.254 metric 100
172.30.4.0/24 dev enp2s0.4 proto kernel scope link src 172.30.4.254
172.30.5.0/24 dev enp2s0.5 proto kernel scope link src 172.30.5.254
172.30.7.0/24 dev enp2s0.7 proto kernel scope link src 172.30.7.254
172.30.8.0/24 dev enp2s0.8 proto kernel scope link src 172.30.8.254
172.30.9.0/24 dev enp2s0.9 proto kernel scope link src 172.30.9.254
172.30.10.0/24 dev enp2s0.10 proto kernel scope link src 172.30.10.254
172.30.11.0/24 dev enp2s0.11 proto kernel scope link src 172.30.11.254
172.30.12.0/24 dev enp2s0.12 proto kernel scope link src 172.30.12.254
root@ns04:/etc/ufw#
注意:192.168.1.0/24 是远程站点
172.30.5.0/24 是远程连接到的本地 vlan 子网。
另外两个 /24 用于本地测试
看来我需要修改 ufw 的 before 规则文件中的 ufw-not-local 和/或 ufw-before-input 链。
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
我需要让 samba 从 192.168.1.0/24 运行。
SSH 和 ping 也会有帮助
子网扫描
Generated by Angry IP Scanner 3.7.6
https://angryip.org
Scanned 172.30.5.0 - 172.30.5.255
Jan 10, 2022 2:39:16 PM
IP Ping Hostname Ports NetBIOS Info MAC Address MAC Vendor
172.30.5.1 4 ms router.home.test 80,443 [n/a] [n/a] [n/a]
172.30.5.8 4 ms 3n008.home.test 80,443,8080 [n/a] [n/a] [n/a]
172.30.5.27 6 ms tp-share 80,443 WORKGROUP\TP-SHARE@TP-SHARE [00-00-00-00-00-00][n/a] [n/a]
172.30.5.28 3 ms 3n028.home.test 80 [n/a] [n/a] [n/a]
172.30.5.128 3 ms 3n128.home.test 80 [n/a] [n/a] [n/a]
172.30.5.135 3 ms 3n135.home.test 80 [n/a] [n/a] [n/a]
172.30.5.139 7 ms 3n139.home.test [n/a] [n/a] [n/a] [n/a]
172.30.5.165 6 ms 3n165.home.test 80,443 [n/a] [n/a] [n/a]
172.30.5.166 4 ms 3n166.home.test 80,443 [n/a] [n/a] [n/a]
172.30.5.170 6 ms 3n170.home.test [n/a] [n/a] [n/a] [n/a]
172.30.5.177 3 ms 3n177.home.test 80 [n/a] [n/a] [n/a]
172.30.5.196 3 ms sq05.home.test 80,443,8080 WORKGROUP\SQ05@SQ05 [00-00-00-00-00-00][n/a] [n/a]
172.30.5.197 3 ms sq04.home.test 80,443,8080 WORKGROUP\SQ04@SQ04 [00-00-00-00-00-00][n/a] [n/a]
172.30.5.202 6 ms pc02.home.test [n/a] [n/a] [n/a] [n/a]
172.30.5.1 是路由器 (edgerouter x)
172.30.5.8 是 HP 打印机
172.30.5.27 是 TP-link 路由器作为接入点
172.30.5.28是openwrt路由器作为接入点
172.30.5.202 是 Windows 8 PC
172.30.5.253 和 .254 是 Ubuntu 服务器(缺失)
ping 无响应
C:\Windows\system32>tracert 172.30.5.254
Tracing route to 2ns4.home.test [172.30.5.254]
over a maximum of 30 hops:
1 4 ms 4 ms 4 ms 172.30.13.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * ^C
C:\Windows\system32>tracert 172.30.5.27
Tracing route to tp-share [172.30.5.27]
over a maximum of 30 hops:
1 4 ms 4 ms 4 ms 172.30.13.1
2 7 ms 7 ms 8 ms tp-share [172.30.5.27]
Trace complete.
C:\Windows\system32>
来自 172.30.13.41 的跟踪
C:\Windows\system32>tracert 172.30.5.254
Tracing route to 2ns4.home.test [172.30.5.254]
over a maximum of 30 hops:
1 3 ms 3 ms 3 ms 172.30.13.1
2 * * * Request timed out.
3 * * * Request timed out.
4 ^C
C:\Windows\system32>tracert 172.30.5.253
Tracing route to 2ns3.home.test [172.30.5.253]
over a maximum of 30 hops:
1 4 ms 4 ms 4 ms 172.30.13.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * ^C
C:\Windows\system32>
C:\Windows\system32>tracert 172.30.5.27
Tracing route to tp-share [172.30.5.27]
over a maximum of 30 hops:
1 4 ms 4 ms 4 ms 172.30.13.1
2 8 ms 7 ms 7 ms tp-share [172.30.5.27]
Trace complete.
C:\Windows\system32>
问题在于客户端与服务器位于不同的子网
同一子网中的客户端
答案1
感谢 Thomas 建议检查路由。我的问题出在 Ubuntu 服务器的路由设置上。当请求来自非本地子网时,回到该子网的路由必须经过请求进入时所用的同一个接口(物理接口或虚拟接口)。就我而言,我将默认路由改为指向 VPN 隧道所用的子网(VLAN5)(两台服务器都改了)。做了此更改后,使用 ufw 的服务器和不使用 ufw 的服务器都可以使用 samba 和 ping。
更改后的默认路由。ip route add default via 172.30.5.1
如果您无法更改默认路由,则静态路由也应该有效。
这是我修改后的设置 VLAN 的脚本。
root@ns04:~# cd /usr/local/bin
root@ns04:/usr/local/bin# cat st-vlans
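#!/bin/sh
# st-vlans: create the 802.1Q VLAN sub-interfaces on the first Ethernet
# device and assign this host's static IPv4 (and one IPv6) addresses.
#
# Usage: st-vlans [LAST_OCTET]
#   LAST_OCTET  host part of every 172.30.N.x/24 address; when omitted it is
#               derived from /etc/hostname (ns01..ns04), see host_octet().
#
# Exit status: 0 on success, 1 if no en*/eth* device exists, 2 if the last
# octet is neither given nor derivable from the hostname.
#
# Deliberately not `set -e`: a failing `ethtool` (NIC without WOL support)
# or an `ip addr add` of an address that already exists must not abort the
# rest of the setup; the script keeps going on such errors, as before.

# Short delay before looking up the NIC (presumably to let udev finish
# naming interfaces at boot — TODO confirm).
sleep 1

dot_ip=$1

# first_eth_dev: print the name of the first (sorted) network device whose
# name starts with "en" (predictable naming) or, failing that, "eth".
# Returns 1 and prints nothing when no such device exists.
first_eth_dev() {
  for _prefix in en eth; do
    for _path in /sys/class/net/"$_prefix"*; do
      # POSIX sh has no nullglob: an unmatched pattern stays literal, so
      # test that the entry really exists.
      if [ -e "$_path" ]; then
        printf '%s\n' "${_path##*/}"
        return 0
      fi
    done
  done
  return 1
}

# host_octet NAME: print the fixed last octet for a known host, nothing
# otherwise. The former catch-all default (250) stays disabled on purpose.
host_octet() {
  case "$1" in
    ns01) printf '%s\n' 251 ;;
    ns02) printf '%s\n' 252 ;;
    ns03) printf '%s\n' 253 ;;
    ns04) printf '%s\n' 254 ;;
    *) ;;
  esac
}

# add_vlan ID: create the 802.1Q sub-interface $dev0_name.ID on $dev0_name.
add_vlan() {
  ip link add link "$dev0_name" name "$dev0_name.$1" type vlan id "$1"
}

# set_vlan_addr ID [IPV6_PREFIX]: assign 172.30.ID.$dot_ip/24 to
# $dev0_name.ID (the VLAN id doubles as the third octet), optionally an
# IPv6 address IPV6_PREFIX$dot_ip/64, then bring the sub-interface up.
set_vlan_addr() {
  ip addr add "172.30.$1.$dot_ip/24" brd "172.30.$1.255" dev "$dev0_name.$1"
  if [ -n "$2" ]; then
    ip addr add "$2$dot_ip/64" dev "$dev0_name.$1"
  fi
  ip link set dev "$dev0_name.$1" up
}

dev0_name=$(first_eth_dev) || exit 1

# Enable Wake-on-LAN (magic packet); requires ethtool to be installed.
ethtool -s "$dev0_name" wol g

read -r host_name < /etc/hostname

# Fall back to the per-host octet when none was given on the command line.
if [ -z "$dot_ip" ]; then
  dot_ip=$(host_octet "$host_name")
fi
if [ -z "$dot_ip" ]; then
  exit 2
fi

# Create the VLAN links. Each one exactly once: the previous version added
# VLAN 4 twice, and the second `ip link add` failed with "File exists".
# VLAN 5 carries the VPN subnet; ns01 reaches it through eth1 instead.
add_vlan 4
if [ "$host_name" != "ns01" ]; then
  add_vlan 5
fi
for vid in 7 8 9 10 11 12; do
  add_vlan "$vid"
done

# Let the new links settle before addressing them.
sleep 5
ip addr add "172.30.3.$dot_ip/24" brd 172.30.3.255 dev "$dev0_name"
set_vlan_addr 4
if [ "$host_name" != "ns01" ]; then
  set_vlan_addr 5
  # Replies to hosts behind the site-to-site tunnel must leave through
  # VLAN 5, the subnet the tunnel terminates on; with the default route
  # on 172.30.3.0/24 they went out the wrong interface and never arrived.
  # NOTE(review): if DHCP on $dev0_name also installs a default route with
  # the same metric this add fails with "File exists" — check `ip route`.
  ip route add default via 172.30.5.1
fi
set_vlan_addr 7
set_vlan_addr 8 fdea:0:0:8::
set_vlan_addr 9
set_vlan_addr 10
set_vlan_addr 11
set_vlan_addr 12

# ns01 has no VLAN 5 sub-interface; its 172.30.5.0/24 address lives on a
# second physical NIC.
if [ "$host_name" = "ns01" ]; then
  ip addr add "172.30.5.$dot_ip/24" brd 172.30.5.255 dev eth1
fi
exit 0
# ip addr add 2001:470:xxxx:1::$dot_ip/64 dev $dev0_name
# ip route add default via 2001:470:bccf:1::1
#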
root@ns04:/usr/local/bin#
Thanks to Thomas for suggesting routing.
My problem was my routing settings in the Ubuntu servers.
When a request comes from a non-local subnet, the route back to that subnet must go out through the same interface (real or virtual) the request arrived on.
In my case I changed the default route to point to the subnet (VLAN5) used by the VPN tunnel(on both servers).
With this change samba and ping work for the server using ufw and the server not using ufw.
The changed default route.
ip route add default via 172.30.5.1
If you can't change the default route a static route should also work.
Here is my corrected script for setting up VLANs.
root@ns04:~# cd /usr/local/bin
root@ns04:/usr/local/bin# cat st-vlans
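#!/bin/sh
# st-vlans: create the 802.1Q VLAN sub-interfaces on the first Ethernet
# device and assign this host's static IPv4 (and one IPv6) addresses.
#
# Usage: st-vlans [LAST_OCTET]
#   LAST_OCTET  host part of every 172.30.N.x/24 address; when omitted it is
#               derived from /etc/hostname (ns01..ns04), see host_octet().
#
# Exit status: 0 on success, 1 if no en*/eth* device exists, 2 if the last
# octet is neither given nor derivable from the hostname.
#
# Deliberately not `set -e`: a failing `ethtool` (NIC without WOL support)
# or an `ip addr add` of an address that already exists must not abort the
# rest of the setup; the script keeps going on such errors, as before.

# Short delay before looking up the NIC (presumably to let udev finish
# naming interfaces at boot — TODO confirm).
sleep 1

dot_ip=$1

# first_eth_dev: print the name of the first (sorted) network device whose
# name starts with "en" (predictable naming) or, failing that, "eth".
# Returns 1 and prints nothing when no such device exists.
first_eth_dev() {
  for _prefix in en eth; do
    for _path in /sys/class/net/"$_prefix"*; do
      # POSIX sh has no nullglob: an unmatched pattern stays literal, so
      # test that the entry really exists.
      if [ -e "$_path" ]; then
        printf '%s\n' "${_path##*/}"
        return 0
      fi
    done
  done
  return 1
}

# host_octet NAME: print the fixed last octet for a known host, nothing
# otherwise. The former catch-all default (250) stays disabled on purpose.
host_octet() {
  case "$1" in
    ns01) printf '%s\n' 251 ;;
    ns02) printf '%s\n' 252 ;;
    ns03) printf '%s\n' 253 ;;
    ns04) printf '%s\n' 254 ;;
    *) ;;
  esac
}

# add_vlan ID: create the 802.1Q sub-interface $dev0_name.ID on $dev0_name.
add_vlan() {
  ip link add link "$dev0_name" name "$dev0_name.$1" type vlan id "$1"
}

# set_vlan_addr ID [IPV6_PREFIX]: assign 172.30.ID.$dot_ip/24 to
# $dev0_name.ID (the VLAN id doubles as the third octet), optionally an
# IPv6 address IPV6_PREFIX$dot_ip/64, then bring the sub-interface up.
set_vlan_addr() {
  ip addr add "172.30.$1.$dot_ip/24" brd "172.30.$1.255" dev "$dev0_name.$1"
  if [ -n "$2" ]; then
    ip addr add "$2$dot_ip/64" dev "$dev0_name.$1"
  fi
  ip link set dev "$dev0_name.$1" up
}

dev0_name=$(first_eth_dev) || exit 1

# Enable Wake-on-LAN (magic packet); requires ethtool to be installed.
ethtool -s "$dev0_name" wol g

read -r host_name < /etc/hostname

# Fall back to the per-host octet when none was given on the command line.
if [ -z "$dot_ip" ]; then
  dot_ip=$(host_octet "$host_name")
fi
if [ -z "$dot_ip" ]; then
  exit 2
fi

# Create the VLAN links. Each one exactly once: the previous version added
# VLAN 4 twice, and the second `ip link add` failed with "File exists".
# VLAN 5 carries the VPN subnet; ns01 reaches it through eth1 instead.
add_vlan 4
if [ "$host_name" != "ns01" ]; then
  add_vlan 5
fi
for vid in 7 8 9 10 11 12; do
  add_vlan "$vid"
done

# Let the new links settle before addressing them.
sleep 5
ip addr add "172.30.3.$dot_ip/24" brd 172.30.3.255 dev "$dev0_name"
set_vlan_addr 4
if [ "$host_name" != "ns01" ]; then
  set_vlan_addr 5
  # Replies to hosts behind the site-to-site tunnel must leave through
  # VLAN 5, the subnet the tunnel terminates on; with the default route
  # on 172.30.3.0/24 they went out the wrong interface and never arrived.
  # NOTE(review): if DHCP on $dev0_name also installs a default route with
  # the same metric this add fails with "File exists" — check `ip route`.
  ip route add default via 172.30.5.1
fi
set_vlan_addr 7
set_vlan_addr 8 fdea:0:0:8::
set_vlan_addr 9
set_vlan_addr 10
set_vlan_addr 11
set_vlan_addr 12

# ns01 has no VLAN 5 sub-interface; its 172.30.5.0/24 address lives on a
# second physical NIC.
if [ "$host_name" = "ns01" ]; then
  ip addr add "172.30.5.$dot_ip/24" brd 172.30.5.255 dev eth1
fi
exit 0
# ip addr add 2001:470:xxxx:1::$dot_ip/64 dev $dev0_name
# ip route add default via 2001:470:bccf:1::1
#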
root@ns04:/usr/local/bin#