我正在尝试在 VPN 连接 `tun0` 上接受端口 20983 的传入连接。目前，拆分隧道工作正常，用户 `vpn` 的所有数据都通过 `tun0` 发送。我已使用 VPN 提供商配置了端口，但无法成功接受连接。这是我的 OpenVPN `up.sh` 文件。
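#!/bin/bash
# OpenVPN "up" script: (re)builds the iptables rule set so that only the
# VPN user's traffic (and the provider-forwarded port) can use $INTERFACE.
#
# The variables below are exported so that /etc/openvpn/routing.sh (called
# at the end, not shown here) can reuse them.
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.2"
export LOCALSUB="192.168.1.0/24"
export NETIF="eno1"
# Port forwarded by the VPN provider; inbound connections arriving on
# $INTERFACE to this port are accepted in the "allow forwarded ports" block.
readonly FWD_PORT="20983"

# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# my custom firewall rules. Needed for ssh, etc.
# Default-deny INPUT/FORWARD for both address families. Note that no
# ip6tables rules follow, so IPv6 is inbound-closed but outbound-open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Accepts replies for every existing connection on any interface, so the
# tun0-only ESTABLISHED rule further down is already covered by this one.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#SSH
iptables -A INPUT -s "$LOCALSUB" -i "$NETIF" -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT
# Anything leaving via the LAN NIC that is not sourced from the LAN address
# (e.g. traffic carrying the VPN address) is rejected instead of leaking.
iptables -A OUTPUT ! -s "$LOCALIP" -o "$NETIF" -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest "$LOCALIP" -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest "$LOCALIP" -p udp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest "$LOCALIP" -p tcp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
# Locally generated packets not sourced from $LOCALIP (which includes replies
# sent from the tunnel address) also get mark 0x1; presumably routing.sh maps
# that mark to a table whose default route is $INTERFACE — confirm there.
iptables -t mangle -A OUTPUT ! --src "$LOCALIP" -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i "$INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner "$VPNUSER" -j ACCEPT
iptables -A OUTPUT -o "$INTERFACE" -m owner --uid-owner "$VPNUSER" -j ACCEPT
# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o "$INTERFACE" -j MASQUERADE
# allow forwarded ports
# NEW connections are accepted only when they arrive on $INTERFACE, so the
# port stays closed on $NETIF. The listening service's replies must still
# leave via $INTERFACE; the OUTPUT policy is ACCEPT, so that depends on the
# fwmark routing above, not on a filter rule.
iptables -A INPUT -i "$INTERFACE" -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport "$FWD_PORT" -j ACCEPT
iptables -A INPUT -i "$INTERFACE" -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport "$FWD_PORT" -j ACCEPT
# allow IPv4 forwarding
# The FORWARD policy is DROP, so enabling this alone forwards nothing unless
# routing.sh adds FORWARD rules.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start routing script
/etc/openvpn/routing.sh
# Always report success to OpenVPN so a failing routing.sh does not tear the
# tunnel down; its exit status is consequently not surfaced here.
exit 0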
这是 `iptables -S` 的输出。
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eno1 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 20983 -j ACCEPT
-A INPUT -i tun0 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 20983 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -s 192.168.1.2/32 -o eno1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT