I have configured an IKEv2 road-warrior VPN server on CentOS 8 using the strongSwan package, and it works fine. When clients connect, they browse using the remote site's internet. How can I allow the clients to use their own internet instead? My iptables and firewall rules are below.
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_INP
-N LIBVIRT_OUT
-N LIBVIRT_FWO
-N LIBVIRT_FWI
-N LIBVIRT_FWX
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -j LIBVIRT_INP
iptables -S OUTPUT
-P OUTPUT ACCEPT
-A OUTPUT -j LIBVIRT_OUT
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_INP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_OUT all -- anywhere anywhere
Chain LIBVIRT_INP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:bootpc
Chain LIBVIRT_FWO (1 references)
target prot opt source destination
ACCEPT all -- 192.168.122.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWI (1 references)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1 enp0s20f0u14
sources:
services: cockpit dhcpv6-client http https ipsec openvpn ssh
ports: 500/udp 4500/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule protocol value="esp" accept
rule protocol value="ah" accept
iptables-save
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*nat
:PREROUTING ACCEPT [27115:3345403]
:INPUT ACCEPT [69:9680]
:POSTROUTING ACCEPT [3405:252395]
:OUTPUT ACCEPT [214:16188]
:LIBVIRT_PRT - [0:0]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*filter
:INPUT ACCEPT [65756:14700930]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48913:35869992]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*security
:INPUT ACCEPT [47156:11962633]
:FORWARD ACCEPT [78894:39398425]
:OUTPUT ACCEPT [48920:35871732]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*raw
:PREROUTING ACCEPT [150103:54480128]
:OUTPUT ACCEPT [48922:35872348]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*mangle
:PREROUTING ACCEPT [150103:54480128]
:INPUT ACCEPT [65757:14700982]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48923:35872484]
:POSTROUTING ACCEPT [127964:75288423]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
Answer 1
Use split tunneling: leave the 0.0.0.0 (default) route going through the local network, and set only the route to the office network (10.0.0.0?) to go through the VPN.
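One way to implement the split tunnel described in the answer on the server side, as an added example that is not part of the original question or answer: with strongSwan's swanctl configuration, narrow the traffic selector the server offers (`local_ts`) from 0.0.0.0/0 to the office prefix, so a client that honours narrowing only installs a VPN route for that prefix and keeps its default route via its own internet. The connection name `rw`, the office prefix `10.0.0.0/8` (the answer's guess), the client pool `10.10.10.0/24`, the DNS server, the certificate file name and the server identity are all assumed values, not taken from the page.

```conf
connections {
    rw {
        version = 2
        local_addrs = %any
        pools = rw_pool
        proposals = aes256-sha256-modp2048
        local {
            auth = pubkey
            certs = vpnHostCert.pem     # assumed certificate file name
            id = vpn.example.com        # assumed server identity
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            office {
                # Split tunnel: only the office prefix is offered to the client.
                # With local_ts = 0.0.0.0/0 the client would route all traffic
                # through the VPN, which is the behaviour the question describes.
                local_ts = 10.0.0.0/8
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    rw_pool {
        addrs = 10.10.10.0/24       # assumed client address pool
        dns = 10.0.0.1              # assumed office DNS server
    }
}
```

Reload with `swanctl --load-all` and reconnect a client; `swanctl --list-sas` should then show the child SA with `10.0.0.0/8` as the local traffic selector rather than `0.0.0.0/0`. Two caveats: the built-in Windows IKEv2 client does not honour server-side narrowing, so there the split tunnel has to be configured on the client side (disable "use default gateway on remote network"); and because the server's firewalld zone already has `masquerade: yes`, no further forwarding or NAT rule is needed for office traffic, but it is worth adding a FORWARD rule that restricts the client pool to the office prefix so the VPN cannot be used to reach anything else behind the server.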