wireguard + ufw = unable to restrict access to a specific port

So I am trying to restrict access to port 5432 (postgres) for forwarded traffic using the following, and I am unable to do so. The connection is still allowed.

sudo ufw deny 5432/tcp
sudo ufw route deny in on wg0 from 10.0.10.2
root@vpn-prod:/home/ubuntu# ufw status verbose
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
51820/udp                  ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
51820/udp (v6)             ALLOW IN    Anywhere (v6)             

5432/tcp                   DENY OUT    Anywhere                  
5432/tcp (v6)              DENY OUT    Anywhere (v6)             

Anywhere                   DENY FWD    10.0.10.2 on wg0 

So I connect from the WireGuard client to the server. From there, there is an internal IP 10.120.0.149 running postgres.

Here is a tcpdump on the server:

root@vpn-prod:/var/log# sudo tcpdump -envi wg0: net 10.120.0.0/16
tcpdump: listening on wg0:, link-type RAW (Raw IP), capture size 262144 bytes
21:36:18.948194 ip: (tos 0x0, ttl 64, id 23874, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.10.2.37056 > 10.120.0.149.5432: Flags [S], cksum 0xd974 (correct), seq 3860575203, win 64860, options [mss 1380,sackOK,TS val 2547481248 ecr 0,nop,wscale 7], length 0
21:36:18.948370 ip: (tos 0x0, ttl 254, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.120.0.149.5432 > 10.0.10.2.37056: Flags [S.], cksum 0x7eb2 (correct), seq 888276479, ack 3860575204, win 28960, options [mss 1460,sackOK,TS val 2284266370 ecr 2547481248,nop,wscale 10], length 0
21:36:18.979477 ip: (tos 0x0, ttl 64, id 23875, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.10.2.37056 > 10.120.0.149.5432: Flags [.], cksum 0x1c88 (correct), ack 1, win 507, options [nop,nop,TS val 2547481279 ecr 2284266370], length 0
21:36:18.986946 ip: (tos 0x0, ttl 64, id 23876, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.10.2.37056 > 10.120.0.149.5432: Flags [P.], cksum 0x0167 (correct), seq 1:9, ack 1, win 507, options [nop,nop,TS val 2547481287 ecr 2284266370], length 8
21:36:18.987075 ip: (tos 0x0, ttl 254, id 35821, offset 0, flags [DF], proto TCP (6), length 52)
    10.120.0.149.5432 > 10.0.10.2.37056: Flags [.], cksum 0x1e30 (correct), ack 9, win 29, options [nop,nop,TS val 2284266408 ecr 2547481287], length 0


I don't see anything in ufw.log about the IPs 10.0.10.2 (the WireGuard peer) or 10.120.0.149 (postgres). It looks like ufw does nothing with the traffic on the wg0 interface.

root@vpn-prod:/var/log# ip -brief a s
lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens5             UP             10.120.101.242/22 fe80::30:deff:feb2:dc11/64 
wg0              UNKNOWN        10.0.10.1/32

root@vpn-prod:/var/log# wg show
interface: wg0
  public key: HIDDEN
  private key: (hidden)
  listening port: 51820

peer: HIDDEN....=
  preshared key: (hidden)
  endpoint: 71.200.111.100:51820
  allowed ips: 10.0.10.2/32
  latest handshake: 55 seconds ago
  transfer: 56.29 KiB received, 143.69 KiB sent
  persistent keepalive: every 25 seconds

My iptables:

root@vpn-prod:/var/log# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6139  581K ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 6139  581K ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  373 39936 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0           
  271  125K ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  271  125K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4792  999K ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4792  999K ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  188 13856 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   26  2241 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  271  125K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  262 22619 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 5819  555K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9   252 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    9   252 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
   36  2310 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
   13  1012 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
   13  1012 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   37  2751 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   40  3296 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  262 22619 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 4342  962K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  188 13856 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    56 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "
    2    56 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   13  1012 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  106  6360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   81  7412 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  wg0    *       10.0.10.2            0.0.0.0/0           

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
root@vpn-prod:/var/log#

wg0.conf on the server:

root@vpn-prod:/var/log# cat /etc/wireguard/wg0.conf 
[Interface]
Address = 10.0.10.1/32
PrivateKey = HIDDEN

ListenPort = 51820
PostUp = sysctl -w -q net.ipv4.ip_forward=1
PostUp = sysctl -w -q net.ipv6.conf.all.forwarding=1
PostUp = iptables -P FORWARD DROP
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostUp = ip6tables -P FORWARD DROP
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = sysctl -w -q net.ipv4.ip_forward=0
PostDown = sysctl -w -q net.ipv6.conf.all.forwarding=0
PostDown = iptables -P FORWARD ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
PostDown = ip6tables -P FORWARD ACCEPT
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE

[Peer]
# friendly_name = my-desktop
PublicKey = HIDDEN
PresharedKey = HIDDEN
AllowedIPs = 10.0.10.2/32
PersistentKeepalive = 25

root@vpn-prod:/var/log#

I also tried the following, but it didn't work either:

ufw route deny in on wg0 to 10.120.0.0/16 from any
ufw route deny to 10.120.0.0/16 from any
ufw route deny in on ens5 to 10.120.0.0/16 from any
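The FORWARD listing above shows the raw `ACCEPT all -- wg0 *` rule (from the wg0.conf PostUp line `iptables -A FORWARD -i wg0 -j ACCEPT`) sitting before the jumps into ufw's forward chains, so forwarded wg0 packets are accepted before any `ufw route deny` rule can match them. The script below is an added diagnostic, not code from the post: it reads the output of `iptables -L FORWARD -n -v` and reports whether such a bypass rule precedes ufw's chains. The "fixed" sample is constructed on the assumption that the raw ACCEPT has been removed and the wg0 forwarding decision is left to ufw's route rules.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): given the text of
# `iptables -L FORWARD -n -v`, report whether a terminating ACCEPT rule is
# evaluated before ufw's forward chains. If it is, forwarded packets never
# reach ufw-user-forward, so "ufw route deny ... on wg0" cannot match them.
# Prints "BYPASS in=<iface>" for the first such rule, or "OK".
forward_bypass_check() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^[[:space:]]*pkts[[:space:]]+bytes/ || NF == 0 { next }
        {
            target = $3; iface_in = $6          # columns of iptables -L -n -v
            if (target ~ /^ufw-/) { seen_ufw = 1; next }
            if (!seen_ufw && target == "ACCEPT" && !found) {
                printf "BYPASS in=%s\n", iface_in; found = 1
            }
        }
        END { if (!found) print "OK" }
    '
}

# Constructed sample: the FORWARD chain as shown in the post, where the
# wg-quick PostUp rule "iptables -A FORWARD -i wg0 -j ACCEPT" ended up first.
SAMPLE_BROKEN='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  373 39936 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
  271  125K ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  271  125K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample (assumed fix): the same chain once the raw ACCEPT is gone
# and forwarding on wg0 is decided by ufw route rules inside ufw-user-forward.
SAMPLE_FIXED='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  271  125K ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  271  125K ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

forward_bypass_check "$SAMPLE_BROKEN"   # BYPASS in=wg0
forward_bypass_check "$SAMPLE_FIXED"    # OK
# Live use on the VPN host: forward_bypass_check "$(iptables -L FORWARD -n -v)"
```

Because the bypass rule is also what puts the 373 packets on the ACCEPT counter while ufw-user-forward stays at 0, a BYPASS result explains both the allowed connection and the empty ufw.log.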
