Oracle Free Tier: WireGuard and iptables


Problem: traffic cannot get from the "client" to the "server" and back.

Configuration:

"Server":

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = [redacted]

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = [redacted]
AllowedIPs = 10.8.0.2/32

"Client":

[Interface]
Address = 10.8.0.2/24
PrivateKey = [redacted]
PostUp = ping -c1 10.8.0.1
DNS = 1.1.1.1

[Peer]
PublicKey = [redacted]
Endpoint = [redacted]:51820
AllowedIPs = 0.0.0.0/0, ::/0

/etc/iptables/rules.v4:

# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure
    
# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rule
    
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013] 
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 64738 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 64738 -j ACCEPT
    
# I added the following rule manually. The preceding 5 rules were either
# added by Oracle (22) or by Docker (the other ports). All else was added by Oracle.
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
#
    
# Commenting out the following two lines makes everything work, but defeats 
# the point of iptables.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
    
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
COMMIT

Comments:

I can establish a WireGuard connection between the two peers and ping, but I cannot get from the "client" peer through the "server" peer to the internet and back.

"Client":

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] ping -c1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=169 ms

--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 168.716/168.716/168.716/0.000 ms

$ curl -4 ifconfig.me
curl: (6) Could not resolve host: ifconfig.me

"Client" /etc/resolv.conf:

# Generated by resolvconf
nameserver 1.1.1.1

"Server" /etc/resolv.conf:

nameserver 127.0.0.53
options edns0 trust-ad
search vcn[redacted].oraclevcn.com

As mentioned in the comment above, commenting out the INPUT REJECT rules in /etc/iptables/rules.v4 fixes the problem, but if I understand correctly this is undesirable from a firewall security standpoint.

If I'm not mistaken, the curl error suggests a DNS problem.

I have the following ingress rules in the Oracle Cloud configuration:

[image: ingress rules]

I have the following egress rules:

[image: egress rules]

I'm new to iptables, networking and system administration, so I've been struggling with this for a while. I haven't found much on the internet that clarifies what exactly I'm missing here, only bits and pieces that got me this far.

I think I've narrowed the problem down to the iptables configuration, but I don't know what to do about it.

Any advice on what the problem actually is and what a good (and secure) solution would be is greatly appreciated!

Thanks!

Answer 1

Insert these two iptables rules before the -A FORWARD -j REJECT rule in the server's /etc/iptables/rules.v4 file:

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

If you run sudo iptables-save, you will see the list of active iptables rules. The iptables rules from the PostUp script in the server's wg config file are appended after the rules set in /etc/iptables/rules.v4. Note that you can change this by using the -I flag instead of the -A flag in the wg PostUp script: the -I flag inserts the rule at the top of the chain (or at the specified index, default 0), whereas the -A flag appends the rule to the bottom of the chain.

Answer 2

Many (most?) guides on configuring WireGuard don't say much about adding firewall rules to the "server" wg0.conf file beyond the PostUp/PostDown NAT rules.

In my case (Oracle Free Tier), I needed one rule in the INPUT chain for the wg port, plus two rules in the FORWARD chain, to allow packets on the wg port to travel through the "server" to their destination on the internet.

These are the rules I added manually to /etc/iptables/rules.v4:

-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

These rules must come before any REJECT rules in the INPUT and FORWARD chains, otherwise they are ignored.

In addition, an ingress rule for the wg port must be set in the Oracle dashboard.

With all of these rules in place, the path for packets through the wg tunnel from the "client" peer to the "server" peer to the internet and back is open.
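Both answers come down to first-match ordering: a rule appended after an unconditional REJECT in the same chain is never evaluated, which is why the PostUp -A rules in the question did nothing while the same rules inserted with -I (answer 1) or written into rules.v4 ahead of the REJECT (answer 2) work. The following is an added example, not code from the question or either answer: a small Python checker that parses an iptables-restore file, replays the filter-table part of a PostUp line with iptables' -A/-I placement semantics, and reports which rules are shadowed and whether the WireGuard path (UDP 51820 into INPUT, FORWARD in from wg0, and a return path via RELATED,ESTABLISHED or -o wg0) is actually reachable. The sample rules file is constructed, modelled on the server's rules.v4 above; the parser is deliberately minimal (filter table only, -A and -I only, a "terminal" rule means -j REJECT or -j DROP with no match options) and is not a full iptables emulator.

```python
import re

# Constructed sample modelled on the server's /etc/iptables/rules.v4 from the
# question, before the FORWARD fix from the answers: the INPUT rule for the
# WireGuard port is present, and an unconditional REJECT closes both chains.
SAMPLE_RULES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Same file with the two FORWARD rules from answer 2 placed before the REJECT.
FIXED_RULES_V4 = SAMPLE_RULES_V4.replace(
    "-A FORWARD -j REJECT",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A FORWARD -i wg0 -j ACCEPT\n"
    "-A FORWARD -j REJECT")

# The server's PostUp line from the question (-A) and answer 1's -I variant.
POSTUP_APPEND = ("iptables -A FORWARD -i wg0 -j ACCEPT; "
                 "iptables -A FORWARD -o wg0 -j ACCEPT; "
                 "iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE")
POSTUP_INSERT = POSTUP_APPEND.replace("iptables -A FORWARD", "iptables -I FORWARD")

# A REJECT/DROP with no match options: every rule after it in the chain is dead.
TERMINAL = re.compile(r"^-A \S+ -j (REJECT|DROP)\b")


def parse_filter_table(text):
    """Return {chain: [rule, ...]} for the *filter table, in file order."""
    chains, in_filter = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif in_filter and line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    return chains


def apply_postup(chains, postup):
    """Replay the filter-table iptables commands of a PostUp line, as wg-quick
    would run them after rules.v4 is loaded: -A appends to the end of the chain,
    -I inserts at a 1-based position (default 1, the top). nat commands are skipped."""
    for cmd in postup.split(";"):
        parts = cmd.split()
        if len(parts) < 3 or parts[0] != "iptables" or "-t" in parts:
            continue
        mode, chain, rest = parts[1], parts[2], parts[3:]
        rules = chains.setdefault(chain, [])
        if mode == "-A":
            rules.append(f"-A {chain} " + " ".join(rest))
        elif mode == "-I":
            pos = 1
            if rest and rest[0].isdigit():
                pos, rest = int(rest[0]), rest[1:]
            rules.insert(pos - 1, f"-A {chain} " + " ".join(rest))
    return chains


def shadowed_rules(chains):
    """(chain, rule) pairs that can never match because a terminal rule precedes them."""
    dead = []
    for chain, rules in chains.items():
        for i, rule in enumerate(rules):
            if TERMINAL.match(rule):
                dead.extend((chain, r) for r in rules[i + 1:])
                break
    return dead


def wireguard_path_open(chains, port=51820, ifname="wg0"):
    """True when the handshake port is reachable and both forwarding directions
    are live; the return direction may come from RELATED,ESTABLISHED or -o wg0."""
    dead = set(shadowed_rules(chains))

    def live(chain, pattern):
        pat = re.compile(pattern)
        return any(pat.search(r) and (chain, r) not in dead
                   for r in chains.get(chain, []))

    inbound = live("INPUT", rf"-p udp .*--dport {port} -j ACCEPT")
    outbound = live("FORWARD", rf"-i {ifname} -j ACCEPT")
    back = (live("FORWARD", r"--state RELATED,ESTABLISHED -j ACCEPT")
            or live("FORWARD", rf"-o {ifname} -j ACCEPT"))
    return inbound and outbound and back
```

To check a real server, read /etc/iptables/rules.v4 into parse_filter_table, optionally replay the PostUp line from wg0.conf with apply_postup, and print shadowed_rules and wireguard_path_open. On the constructed sample the -A PostUp leaves both wg0 rules shadowed behind the FORWARD REJECT, the -I variant places them ahead of it, and the answer 2 file is open without any PostUp filter rules at all.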
