I have a setup like the following.
RaspberryPI <==> OpenVPN Server <==> Internet <==> Client PC
The RaspberryPI runs an SSH server on a dynamic IP. It tunnels through the OpenVPN server, so the SSH server can be reached via the OpenVPN server's public IP.
My question is: why does rule 1 let the client PC successfully establish an SSH connection to the SSH server through the OpenVPN public IP, while rule 2 does not?
Rule 1:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT --to-destination 10.8.0.2:22
iptables -t filter -A INPUT -p tcp -d 10.8.0.2 --dport 22 -j ACCEPT
Rule 2:
iptables -t nat -A PREROUTING -d OPENVPN.SERVER.PUBLIC.IP -p tcp --dport 2200 -j DNAT --to-destination 10.8.0.2:22
iptables -t filter -A INPUT -p tcp -d 10.8.0.2 --dport 22 -j ACCEPT
Note: 10.8.0.2 is the private IP that OpenVPN assigns to the RaspberryPI.
My remaining iptables rules, which stay unchanged, are as follows.
[root@OpenVPN ~]# iptables -t filter -L -v -n
Chain INPUT (policy ACCEPT 13670 packets, 1610K bytes)
pkts bytes target prot opt in out source destination
2586 196K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
55 7015 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0
57 7031 ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 13877 packets, 2447K bytes)
pkts bytes target prot opt in out source destination
[root@OpenVPN ~]# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 860 packets, 50498 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 834 packets, 48572 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2585 packets, 197K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2588 packets, 198K bytes)
pkts bytes target prot opt in out source destination
26 1926 MASQUERADE all -- * eth0 10.8.0.0/24 0.0.0.0/0
Below is the ifconfig output on the OpenVPN server.
[root@OpenVPN ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 192.168.0.XX netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fXX0::c:XXXf:XXdf:XXX0 prefixlen 64 scopeid 0x20<link>
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
RX packets 343049 bytes 388973010 (370.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 126179 bytes 13601264 (12.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 95 bytes 14596 (14.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 95 bytes 14596 (14.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.XX.XX netmask 255.255.255.0 destination 10.8.XX.XX
inet6 fXX0::cXXX:f7XX:XXX3:XXe8 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 64 bytes 7575 (7.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 84 bytes 8553 (8.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Answer 1
This is most likely because your OpenVPN server's public IP address does not belong to the server itself. Note the address shown in the ifconfig output:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 192.168.0.XX netmask 255.255.255.0 broadcast 192.168.0.255
So this probably means your VPN server is itself behind NAT (presumably 1:1 NAT) and never actually receives packets carrying the public IP address as their destination (which is what -d matches); the only address it sees is 192.168.0.XX.
(But keep in mind that ifconfig can lie. If eth0 has more than one address assigned, ifconfig shows only the first one; you need to use ip addr to see all of them.)
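As an added example (not part of the question or the answer above), the check an administrator would run before choosing between the two rule forms: parse the output of ip -4 -o addr show, decide whether the host actually owns the address, and pick "-d ADDR" only when it does, otherwise the interface match from rule 1. The sample output and the 203.0.113.7 public address are constructed placeholders, not the asker's values.

```sh
#!/bin/sh
# Added example: decide whether a PREROUTING DNAT rule may match on
# "-d <address>" or must match on the ingress interface instead.
# A "-d OPENVPN.SERVER.PUBLIC.IP" rule only matches if packets really arrive
# with that destination; behind 1:1 NAT they carry the private address.

# addr_is_local ADDR [IP_ADDR_OUTPUT]
# Returns 0 when ADDR is assigned to this host. The optional second argument
# is the output of "ip -4 -o addr show" (one line per address) so the check
# can run against captured output; without it the live command is used.
addr_is_local() {
    want=$1
    out=${2:-$(ip -4 -o addr show 2>/dev/null || true)}
    # Fields: "<idx>: <iface> inet <addr>/<prefix> ..."; compare the bare address.
    printf '%s\n' "$out" | awk -v want="$want" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# dnat_match_form ADDR IFACE [IP_ADDR_OUTPUT]
# Prints the match to use in the DNAT rule: "-d ADDR" if the host owns the
# address, otherwise "-i IFACE" (the form that worked in rule 1).
dnat_match_form() {
    if addr_is_local "$1" "$3"; then
        printf '%s %s\n' -d "$1"
    else
        printf '%s %s\n' -i "$2"
    fi
}

# Constructed sample of "ip -4 -o addr show" from a VPN host behind 1:1 NAT:
# the public address is absent and eth0 carries only an RFC 1918 address.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.10/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: tun0    inet 10.8.0.1/24 scope global tun0\       valid_lft forever preferred_lft forever'

# The (placeholder) public address is not local, so the rule must key on the
# interface; the private eth0 address would work with -d.
dnat_match_form 203.0.113.7 eth0 "$SAMPLE_IP_OUTPUT"     # prints: -i eth0
dnat_match_form 192.168.0.10 eth0 "$SAMPLE_IP_OUTPUT"    # prints: -d 192.168.0.10
```

Run it without the third argument on the VPN host itself to check the live address list; a "-i" result means the public address never reaches the box and rule 2 can never match.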