我正在树莓派上设置分割隧道 VPN,并希望确保我的 VPN 接口 (tun0) 不接受任何传入流量,除了我明确打开的端口:56292。我为此使用 iptables,尽管它看起来是正确的对我来说,我似乎无法通过防火墙。我已经从网络外部以及本地主机尝试过:
cat < /dev/tcp/127.0.0.1/56292
我的iptables -L -nv看起来像这样:
Chain INPUT (policy ACCEPT 35680 packets, 6816K bytes)
pkts bytes target prot opt in out source destination
58 7392 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 60 ACCEPT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:56292
1 76 REJECT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 141K packets, 26M bytes)
pkts bytes target prot opt in out source destination
9380 3625K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 owner UID match 1001
0 0 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0 owner UID match 1001
83686 10M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * eth0 !192.168.2.50 0.0.0.0/0 reject-with icmp-port-unreachable
TCPDUMP 向我展示了这一点:
$ sudo tcpdump port 56292 -v -i tun0
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:37:51.114955 IP (tos 0x0, ttl 55, id 17284, offset 0, flags [DF], proto UDP (17), length 76)
188.166.15.60.39516 > 10.18.108.196.56292: UDP, length 48
21:37:51.429340 IP (tos 0x0, ttl 55, id 47156, offset 0, flags [DF], proto TCP (6), length 60)
188.166.15.60.33732 > 10.18.108.196.56292: Flags [S], cksum 0xd85f (correct), seq 2422478710, win 29200, options [mss 1357,nop,nop,TS val 1736027970 ecr 0,nop,wscale 6], length 0
21:37:51.429528 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
10.18.108.196.56292 > 188.166.15.60.33732: Flags [R.], cksum 0xc592 (correct), seq 0, ack 2422478711, win 0, length 0
答案1
您的路由器或电脑上的防火墙可能没有打开该端口。
如果您使用的是 Red Hat,这可能会有所帮助:https://superuser.com/questions/794104/how-to-permanently-disable-firewall-in-red-hat-linux