Using iptables
After flushing with the following commands, my OpenVPN client starts immediately without any errors:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
When I run iptables-restore to load the rules.v4 shown below, I get the following error:
Wed Sep 11 02:09:30 2019 UDP link local: (not bound)
Wed Sep 11 02:09:30 2019 UDP link remote: [AF_INET]188.120.224.182:1194
Wed Sep 11 02:09:30 2019 write UDP: Operation not permitted (code=1)
Wed Sep 11 02:09:32 2019 write UDP: Operation not permitted (code=1)
Wed Sep 11 02:09:37 2019 write UDP: Operation not permitted (code=1)
These configurations are on the same server, with the same version and Debian kernel:
/etc/openvpn/server.conf
client
remote 188.120.200.100
dev tun
nobind
tls-client
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/tornado.com.crt
key /etc/openvpn/client/tornado.com.key
comp-lzo
log-append /var/log/openvpn/openvpn.log
verb 3
ping-restart 10
#ifconfig 10.9.8.2 10.9.8.1
#persist-key
#persist-tun
/etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Sun Jul 14 02:18:04 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 2222 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 695 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 6667 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9030 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.9.8.26/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Jul 14 02:18:04 2019
# Generated by iptables-save v1.6.0 on Sun Jul 14 02:18:04 2019
*nat
:PREROUTING ACCEPT [4915297:1580921207]
:INPUT ACCEPT [5132:265999]
:OUTPUT ACCEPT [128157:9331722]
:POSTROUTING ACCEPT [46763:3069634]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.8.26
-A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 80 -j SNAT --to-source 188.120.231.206
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 80 -j SNAT --to-source 188.120.231.207
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 443 -j SNAT --to-source 188.120.231.206
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p udp -m udp --dport 695 -j SNAT --to-source 188.120.231.206
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 3128 -j SNAT --to-source 188.120.231.206
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 6667 -j SNAT --to-source 188.120.231.206
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 9001 -j SNAT --to-source 188.120.231.206
-A POSTROUTING -s 10.9.8.26/32 -o eth0 -p tcp -m tcp --dport 9030 -j SNAT --to-source 188.120.231.206
COMMIT
# Completed on Sun Jul 14 02:18:04 2019
How can I make my configuration work?
Answer 1
First, your openvpn instance is acting as a client (even though the conf file is named "server.conf").
To make it work, you need to remove the nobind parameter from the configuration file.
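As an added illustration (written for this page, not part of the question or the answer, and not OpenVPN or iptables code), the script below replays the client's first handshake datagram through the OUTPUT chain of the rules.v4 posted above, the way netfilter walks it: first terminating target wins, LOG is non-terminating. The ephemeral source port 47321 is made up, and CLIENT_RULE is my own suggested rule, not something on the page. "write UDP: Operation not permitted" is what the socket layer reports when a REJECT in the OUTPUT chain refuses a locally generated packet, so the REJECT verdict is the one to look for.

```python
"""Replay an OpenVPN client's first UDP datagram through the OUTPUT chain
of the rules.v4 from the question (toy netfilter walk, added for this page)."""
import shlex

# Excerpt of the OUTPUT chain from the question's rules.v4 (copied verbatim;
# rules that cannot match UDP to port 1194 are left out for brevity).
OUTPUT_CHAIN = """
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
"""
CHAIN_POLICY = "ACCEPT"  # ":OUTPUT ACCEPT [0:0]" in the file

# Assumed fix (my suggestion, not from the page): let the client open the
# tunnel towards the server regardless of which source port it picked.
CLIENT_RULE = ("-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED "
               "-m udp --dport 1194 -j ACCEPT")

OPTIONS = {"-A", "-i", "-o", "-p", "-s", "-d", "-j", "-m", "--sport", "--dport",
           "--state", "--limit", "--log-prefix", "--reject-with"}


def parse_rule(line):
    """Turn one iptables-save line into {option: value} (enough for this chain)."""
    tokens = shlex.split(line)
    rule, i = {}, 0
    while i < len(tokens):
        if tokens[i] in OPTIONS and i + 1 < len(tokens):
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def parse_chain(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule, pkt):
    """Every match criterion present in the rule must hold for the packet."""
    if "-o" in rule and rule["-o"] != pkt["oif"]:
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--sport" in rule and int(rule["--sport"]) != pkt["sport"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def walk_chain(rules, pkt):
    """First terminating target wins; LOG is non-terminating. Returns (verdict, logged)."""
    logged = False
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["-j"] == "LOG":
            logged = True  # would show up in the kernel log with the rule's prefix
            continue
        return rule["-j"], logged
    return CHAIN_POLICY, logged


def first_datagram(sport, state):
    """Constructed packet: the client's first handshake datagram seen in the log."""
    return {"oif": "eth0", "proto": "udp", "sport": sport, "dport": 1194, "state": state}


def simulate(sport, state="NEW", with_client_rule=False):
    text = OUTPUT_CHAIN
    if with_client_rule:
        # Put the assumed rule ahead of the LOG/REJECT tail, as one would with -I.
        text = text.replace("-A OUTPUT -m limit", CLIENT_RULE + "\n-A OUTPUT -m limit")
    return walk_chain(parse_chain(text), first_datagram(sport, state))


if __name__ == "__main__":
    # nobind: the kernel hands out an ephemeral source port (47321 is made up)
    print("nobind, ephemeral port, NEW:   ", simulate(47321))
    print("bound to 1194, NEW:            ", simulate(1194))
    print("bound to 1194, ESTABLISHED:    ", simulate(1194, "ESTABLISHED"))
    print("ephemeral port + assumed rule: ", simulate(47321, with_client_rule=True))
```

With nobind the datagram carries an ephemeral source port, so the only UDP rule for port 1194 in the OUTPUT chain (which wants --sport 1194 and state ESTABLISHED) never matches, and the packet falls through to the LOG and REJECT rules; the rejected packet is logged with the prefix "iptables_OUTPUT_denied: " from the rules.v4 above, so checking the kernel log for that prefix is the quickest way to confirm the diagnosis on a live box.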