Problem: traffic cannot get from the "client" to the "server" and back.
Configuration:
"Server":
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = [redacted]
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
[Peer]
PublicKey = [redacted]
AllowedIPs = 10.8.0.2/32
"Client":
[Interface]
Address = 10.8.0.2/24
PrivateKey = [redacted]
PostUp = ping -c1 10.8.0.1
DNS = 1.1.1.1
[Peer]
PublicKey = [redacted]
Endpoint = [redacted]:51820
AllowedIPs = 0.0.0.0/0, ::/0
/etc/iptables/rules.v4:
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure
# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rule
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 64738 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 64738 -j ACCEPT
# I added the following rule manually. The preceding 5 rules were either
# added by Oracle (22) or by docker (the other ports). All else is added by Oracle.
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
#
# Commenting out the following two lines makes everything work, but defeats
# the point of iptables.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
COMMIT
Comments:
I can establish a wireguard connection between the two peers and ping, but I can't get from the "client" peer through the "server" peer to the internet and back.
"Client":
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] ping -c1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=169 ms
--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 168.716/168.716/168.716/0.000 ms
$ curl -4 ifconfig.me
curl: (6) Could not resolve host: ifconfig.me
"Client" /etc/resolv.conf:
# Generated by resolvconf
nameserver 1.1.1.1
"Server" /etc/resolv.conf:
nameserver 127.0.0.53
options edns0 trust-ad
search vcn[redacted].oraclevcn.com
As mentioned in the comments above, commenting out the INPUT REJECT rule in /etc/iptables/rules.v4 solves the problem, but if I understand correctly this is undesirable from a firewall security standpoint.
If I'm not mistaken, the curl error indicates a DNS problem.
I have the following ingress rules in the Oracle Cloud configuration:
I have the following egress rules:
I'm new to iptables, networking and system administration, so I've been struggling with this for a while. I haven't found much on the internet that sheds light on what exactly I'm missing here, only bits and pieces that got me this far.
I think I've narrowed the problem down to the iptables configuration, but I don't know what to do about it.
Any advice on what exactly the problem is and what a good (and secure) solution would be is greatly appreciated!
Thanks!
Answer 1
Insert these two iptables rules before the -A FORWARD -j REJECT rule in the server's /etc/iptables/rules.v4 file:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
If you run sudo iptables-save, you will see the list of active iptables rules. The iptables rules from the PostUp script in the server's wg config file are appended after the rules set in /etc/iptables/rules.v4. Note that you can change this by using the iptables -I flag instead of the -A flag in the wg PostUp script: the -I flag inserts the rule at the top of the chain (or at the specified index, default 0), whereas the -A flag appends the rule to the bottom of the chain.
Answer 2
Many (most?) guides for configuring wireguard don't say much about adding firewall rules beyond the PostUp/PostDown NAT rules in the "server" wg0.conf file.
In my case (Oracle free tier), I needed one rule in the INPUT chain for the wg port, and two rules in the FORWARD chain, to allow packets arriving on the wg port to move through the "server" to their destination on the internet.
These are the rules I added manually to /etc/iptables/rules.v4:
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
These rules must come before any REJECT rules in the INPUT and FORWARD chains, otherwise they will be ignored.
In addition, an ingress rule must be set for the wg port in the Oracle dashboard.
With all of these rules in place, the path for packets through the wg tunnel from the "client" peer to the "server" peer to the Internet and back is open.
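A small checker, added here as an example and not part of the question or either answer, that applies the ordering point both answers make: it parses iptables-save style output and reports whether the WireGuard INPUT and FORWARD ACCEPT rules exist and sit ahead of the chain's catch-all REJECT (a rule that is appended after the REJECT, as wg-quick's PostUp with -A does, is never reached). The sample rule set is constructed from the question's rules.v4 and the function names are my own.

```python
# Added check: flag WireGuard ACCEPT rules that are missing or shadowed by a catch-all REJECT.

def parse_chains(rules_text):
    """Return {chain: [rule_body, ...]} in file order from iptables-save style text."""
    chains = {}
    for line in rules_text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) < 3 or parts[0] != "-A":
            continue  # skip comments, *table headers, :CHAIN policies and COMMIT
        chains.setdefault(parts[1], []).append(parts[2])
    return chains

def first_catch_all_reject(rules):
    """Index of the first REJECT/DROP rule that has no match criteria at all, or None."""
    for i, rule in enumerate(rules):
        tokens = rule.split()
        j = tokens.index("-j") + 1 if "-j" in tokens else len(tokens)
        if j < len(tokens) and tokens[j] in ("REJECT", "DROP") and not any(
                t in tokens for t in ("-i", "-o", "-p", "-s", "-d", "-m")):
            return i
    return None

def wg_rules_effective(rules_text, wg_if="wg0", wg_port=51820):
    """Map each missing or shadowed WireGuard rule to a reason; {} means all are effective."""
    chains = parse_chains(rules_text)
    required = {  # the rules the answers say must precede the REJECT in each chain
        "INPUT": [f"--dport {wg_port}"],
        "FORWARD": ["--state RELATED,ESTABLISHED", f"-i {wg_if}"],
    }
    problems = {}
    for chain, needles in required.items():
        rules = chains.get(chain, [])
        cutoff = first_catch_all_reject(rules)
        for needle in needles:
            hits = [i for i, r in enumerate(rules) if needle in r and r.endswith("-j ACCEPT")]
            if not hits:
                problems[f"{chain} {needle}"] = "missing"
            elif cutoff is not None and hits[0] > cutoff:
                problems[f"{chain} {needle}"] = "after catch-all REJECT (never reached)"
    return problems

# Constructed sample: the question's rules.v4 (abridged) with the PostUp rule appended
# after it, which is the order wg-quick produces when PostUp uses -A.
AS_POSTED = """\
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wg0 -j ACCEPT
"""
```

On the server, feed it the live rule set with sudo iptables-save and compare the result against the file on disk, since the two differ once PostUp has run.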