Port-forwarding SSH to my server, but it does not work while the server is on a VPN. Asymmetric routing?

I want to open SSH to my server from the Internet, so I set up a port-forwarding rule on my router that forwards port 22 from outside to my server:22. This works fine as long as my server is not connected to the VPN. I think asymmetric routing is happening, where the SSH connection comes in on my local IP address but the response goes out over the VPN. Does that make sense?

Is it possible to change the gateway with iptables, something like "if the source port is 22, use gateway 192.168.10.1 on interface br0 instead of the default gateway"?

Server IP: 192.168.10.10

Gateway: 192.168.10.1

Interface: br0

ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 30:85:a9:a9:19:53 brd ff:ff:ff:ff:ff:ff
3: enp11s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 30:85:a9:a9:16:b3 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 62:c4:b2:98:46:f6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 brd 192.168.10.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::60c4:b2ff:fe98:46f6/64 scope link
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:28:c4:e5:e2 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: br-aad69972cc43: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:b8:6b:d5:01 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.1/16 brd 172.30.255.255 scope global br-aad69972cc43
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.10.0.5/16 brd 10.10.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdda:d0d0:cafe:1196::1003/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7ff9:6b31:c261:212b/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

iptables configuration:

GATEWAY="192.168.10.1"
IP="192.168.10.10"

# Remove current rules
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain

# Drop by default
iptables -P OUTPUT DROP
iptables -P INPUT  DROP

# Allow loopback
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo

# Allow DNS-client request to 1.1.1.1
iptables -A OUTPUT -p udp -s $IP --sport 1024:65535 -d 1.1.1.1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 1.1.1.1 --sport 53 -d $IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP --sport 1024:65535 -d 1.1.1.1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 1.1.1.1 --sport 53 -d $IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow DNS-client request to 8.8.8.8
iptables -A OUTPUT -p udp -s $IP --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d $IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP --sport 1024:65535 -d 8.8.8.8 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 8.8.8.8 --sport 53 -d $IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow internal traffic on interface br0
iptables -A INPUT --src 192.168.10.0/24 -j ACCEPT -i br0
iptables -A OUTPUT -d 192.168.10.0/24 -j ACCEPT -o br0

# Allow ssh connections from everywhere, limit new connections to 1/minute (default burst of 5)
iptables -A INPUT -i br0 -p tcp --syn --dport 22 -m limit --limit 1/minute -j ACCEPT
iptables -A INPUT -i br0 -p tcp --syn --dport 22 -j DROP
iptables -A INPUT -i br0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o br0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow VPN (mullvad CZ) on interface br0 @ port 1196
iptables -A OUTPUT -j ACCEPT -d 185.156.174.170 -o br0 -p udp -m udp --dport 1196
iptables -A INPUT -j ACCEPT -s 185.156.174.170 -i br0 -p udp -m udp --sport 1196
iptables -A OUTPUT -j ACCEPT -d 185.156.174.146 -o br0 -p udp -m udp --dport 1196
iptables -A INPUT -j ACCEPT -s 185.156.174.146 -i br0 -p udp -m udp --sport 1196

# Allow everything on tun0
iptables -A INPUT -j ACCEPT -i tun0
iptables -A OUTPUT -j ACCEPT -o tun0
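Added example, not part of the original post: the symptom described above (SYN arrives on br0, SYN-ACK leaves via tun0 because the VPN owns the default route) is fixed with policy routing rather than with iptables alone. iptables can only mark the packet; `ip rule` then sends marked packets to a second routing table whose default route is the LAN gateway. The script below does exactly what the question asks for ("if the source port is 22, use gateway 192.168.10.1 on br0"), using the addresses and interface from the post. The fwmark value `0x16` and routing table number `100` are hypothetical choices and must not collide with anything already on the host; the commands need root, so the script prints the plan unless invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): route sshd's reply packets out via
# the LAN gateway on br0 even while the VPN (tun0) holds the default route.
# Assumptions: fwmark 0x16 and routing table 100 are unused on this host
# (hypothetical values); GATEWAY/IFACE are the ones given in the post.
set -eu

GATEWAY="192.168.10.1"
IFACE="br0"
MARK="0x16"      # hypothetical fwmark (22 in hex, purely mnemonic)
TABLE="100"      # hypothetical table number, keep it out of /etc/iproute2/rt_tables

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_ssh_reply_routing() {
    # 1. Mark locally generated packets whose source port is 22 (sshd replies).
    #    mangle/OUTPUT runs after the first routing decision; a changed mark
    #    makes the kernel re-run the route lookup with the mark in hand.
    run iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark "$MARK"
    # 2. Marked packets consult our table before "main" (whose default is tun0).
    run ip rule add fwmark "$MARK" table "$TABLE" priority 1000
    # 3. Our table has a single default route: the LAN gateway on br0.
    run ip route add default via "$GATEWAY" dev "$IFACE" table "$TABLE"
    # 4. Inbound SYNs reach br0 from Internet sources whose best route is tun0.
    #    Strict reverse-path filtering (1) silently drops them, so switch br0
    #    (and the "all" floor) to loose mode (2).
    run sysctl -w "net.ipv4.conf.${IFACE}.rp_filter=2"
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run ip route flush cache
}

# Undo everything added above, in reverse order (rp_filter is left as set).
teardown_ssh_reply_routing() {
    run ip route del default via "$GATEWAY" dev "$IFACE" table "$TABLE"
    run ip rule del fwmark "$MARK" table "$TABLE" priority 1000
    run iptables -t mangle -D OUTPUT -p tcp --sport 22 -j MARK --set-mark "$MARK"
}

# 'sh ssh-policy-route.sh' prints the plan; 'sh ssh-policy-route.sh apply'
# runs it and must be executed as root.
case "${1:-plan}" in
    apply) setup_ssh_reply_routing ;;
    *)     DRY_RUN=1 setup_ssh_reply_routing ;;
esac
```

To confirm the kernel picks the LAN gateway for marked traffic, ask it directly with a hypothetical remote client address from the documentation range: `ip route get 203.0.113.5 mark 0x16` should answer `via 192.168.10.1 dev br0`, while the same query without `mark` still goes to `tun0`. `iptables -t mangle -L OUTPUT -v -n` shows whether the MARK rule is actually hitting, and `ip rule show` lists the rule at priority 1000. Note that the existing filter rules in the post already allow these replies, since `-o br0 -p tcp --sport 22 --state ESTABLISHED` is accepted in OUTPUT; without the rp_filter change, however, the incoming SYN is dropped before any filter rule sees it.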
