How to allow VPN clients to use their local internet for browsing


I have configured an IKEv2 VPN server (road warrior) on CentOS 8 using the strongSwan package, and it works fine. When clients connect, they browse using the remote site's internet. How can I allow clients to use their own internet? My iptables and firewall rules are below.

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_INP
-N LIBVIRT_OUT
-N LIBVIRT_FWO
-N LIBVIRT_FWI
-N LIBVIRT_FWX
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT

iptables -S INPUT

-P INPUT ACCEPT
-A INPUT -j LIBVIRT_INP

iptables -S OUTPUT

-P OUTPUT ACCEPT
-A OUTPUT -j LIBVIRT_OUT

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_INP  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_FWX  all  --  anywhere             anywhere            
LIBVIRT_FWI  all  --  anywhere             anywhere            
LIBVIRT_FWO  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  all  --  anywhere             anywhere            

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootpc

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.122.0/24     anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere  


firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1 enp0s20f0u14
  sources: 
  services: cockpit dhcpv6-client http https ipsec openvpn ssh
  ports: 500/udp 4500/udp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule protocol value="esp" accept
    rule protocol value="ah" accept

iptables-save

# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*nat
:PREROUTING ACCEPT [27115:3345403]
:INPUT ACCEPT [69:9680]
:POSTROUTING ACCEPT [3405:252395]
:OUTPUT ACCEPT [214:16188]
:LIBVIRT_PRT - [0:0]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*filter
:INPUT ACCEPT [65756:14700930]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48913:35869992]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*security
:INPUT ACCEPT [47156:11962633]
:FORWARD ACCEPT [78894:39398425]
:OUTPUT ACCEPT [48920:35871732]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*raw
:PREROUTING ACCEPT [150103:54480128]
:OUTPUT ACCEPT [48922:35872348]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*mangle
:PREROUTING ACCEPT [150103:54480128]
:INPUT ACCEPT [65757:14700982]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48923:35872484]
:POSTROUTING ACCEPT [127964:75288423]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 28 12:39:48 2021

Answer 1

Use split tunneling: set the 0.0.0.0 route to go via the local network, and set the route to the office network (10.0.0.0?) to go via the VPN.
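
To show what the split-tunnel suggestion looks like on a strongSwan server, here is an added swanctl.conf fragment; it is not from the question or the answer, and the office subnet (10.0.0.0/8), client pool (10.10.10.0/24), DNS server, certificate file and identity vpn.example.com are assumed placeholders. On the server, `local_ts` is the traffic selector offered to clients: 0.0.0.0/0 makes every client destination go through the tunnel, while the office subnet alone leaves the clients' own default route in place for internet browsing.

```conf
# Added example: swanctl.conf for a strongSwan IKEv2 road-warrior server.
# Assumptions (placeholders, not from the question): office LAN 10.0.0.0/8,
# client pool 10.10.10.0/24, DNS 10.0.0.53, server identity vpn.example.com.
connections {
    rw {
        version = 2
        proposals = aes256-sha256-modp2048
        pools = rw_pool
        local {
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.com
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            office {
                # Full tunnel (the questioner's current behaviour): every
                # client destination, public internet included, is sent
                # through the VPN and leaves via the server's masqueraded
                # uplink, so clients appear to browse from the remote site.
                #local_ts = 0.0.0.0/0

                # Split tunnel (the answer's suggestion): only the office
                # network is selected, so clients keep their local default
                # route and browse the internet directly.
                # ipsec.conf equivalent: leftsubnet=10.0.0.0/8
                local_ts = 10.0.0.0/8
                esp_proposals = aes256-sha256
            }
        }
    }
}

pools {
    rw_pool {
        addrs = 10.10.10.0/24
        dns = 10.0.0.53
    }
}
```

Reload with `swanctl --load-all`; clients that honor the narrowed traffic selector (iOS, macOS, strongSwan clients) then route only the office subnet through the tunnel, whereas the Windows native client ignores the narrowing and needs the split-tunnel routes configured on the client side. With the split tunnel in place the server's masquerade and FORWARD rules only ever see office-bound traffic, which is also the least-privilege outcome: the VPN server stops acting as an open internet gateway for every connected client.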
