I have a local machine that connects to a VPN for internet access, and it is configured so that it cannot reach the internet at all except through the VPN, although it can reach the local network normally. I want to allow people on the internet to connect to a specific port (80) on my public (non-VPN) IP, while still not allowing any other internet access without the VPN.
$ route -nee
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
0.0.0.0 255.255.255.252 0.0.0.0 UG 0 0 0 tun0 0 0 0
10.8.0.1 255.255.255.252 255.255.255.255 UGH 0 0 0 tun0 0 0 0
10.8.0.4 0.0.0.0 255.255.255.252 U 0 0 0 tun0 0 0 0
VPN_PUBLIC_IP 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0 0 0 0
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0 0 0 0
255.255.255.252 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 0 0 0
(My LAN is 192.168.1., the VPN uses the 10.8.0. subnet, and 10.8.0.1 is the VPN.)
At the moment I haven't configured any rules with iptables.
I have forwarded port 80 on the router to the box, but at the moment requests aren't reaching Apache at all (or at least they don't show up in any logs). However, I can reach Apache correctly from another computer on the LAN, and also if I forward the port from the VPN.
Is there any simple way to do this?
Edit:
tcpdump output on port 80:
# tcpdump -i eth0 dst port 80 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:13:52.052868 IP (tos 0x0, ttl 52, id 47824, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x83dc (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771183 ecr 0,nop,wscale 8], length 0
23:13:53.051954 IP (tos 0x0, ttl 52, id 47825, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x82e2 (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771433 ecr 0,nop,wscale 8], length 0
23:13:55.056213 IP (tos 0x0, ttl 52, id 47826, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x80ed (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771934 ecr 0,nop,wscale 8], length 0
iptables -vnL:
# iptables -vnL
Chain INPUT (policy ACCEPT 16 packets, 1445 bytes)
pkts bytes target prot opt in out source destination
274K 52M LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
271K 52M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
271K 52M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
1779 162K ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
290 16952 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
523 33197 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
523 33197 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
523 33197 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 13 packets, 1372 bytes)
pkts bytes target prot opt in out source destination
260K 643M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
260K 643M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
Answer 1
You need to do source-based (policy) routing (there are many posts about it on SU, for example this one). You may find that the initial packets do reach your web server, but the responses are sent back out over the VPN rather than the WAN interface.
To solve this, you need a second routing table that directs traffic based on the destination address.
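One way to set up the policy routing the answer describes, added here as an example that is not part of the original question or answer: it assumes the box's LAN address is 192.168.1.10 (a placeholder), the router is 192.168.1.1 as in the route table above, and routing table id 100 is unused; with DRY_RUN=1 (the default) it only prints the ip commands, with DRY_RUN=0 it applies them as root.

```shell
#!/bin/sh
# Replies to connections that arrived on eth0's LAN address must leave via
# the router on eth0, not via the VPN default route on tun0. A second routing
# table plus an "ip rule" keyed on the source address achieves that.
LAN_IF="${LAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.1.10}"      # assumed placeholder; use the box's real LAN address
LAN_GW="${LAN_GW:-192.168.1.1}"       # the router, per the route table in the question
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TABLE="${TABLE:-100}"                 # assumed free table id (see /etc/iproute2/rt_tables)
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands only; 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the dedicated table: LAN on-link, default via the router (never the VPN),
# then make every packet sourced from LAN_IP consult it before the main table.
# Caveat: any local process that explicitly binds to LAN_IP will also bypass
# the VPN, so keep services bound to the VPN address or to localhost.
policy_routing_up() {
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    run ip rule add from "$LAN_IP" lookup "$TABLE" priority 1000
    run ip route flush cache
}

# Undo the above (idempotent enough to run after a failed "up").
policy_routing_down() {
    run ip rule del from "$LAN_IP" lookup "$TABLE" priority 1000
    run ip route flush table "$TABLE"
}

# Sanity check once applied: the reply path for a LAN-sourced packet must
# name eth0, e.g.  ip route get 203.0.113.5 from "$LAN_IP"  (documentation
# address used as a placeholder destination).
case "${1:-}" in
    up)   policy_routing_up ;;
    down) policy_routing_down ;;
esac
```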