I have a VPS running OpenVPN Access Server and a Raspberry Pi running an OpenVPN client. The client is connected to the server, and I want to reach the client over SSH through the server. So I forward port 667 on the server to port 22 on the client with the following two rules:
sudo iptables -t nat -I PREROUTING 1 -d {WAN-IP} -p tcp --dport 667 -j DNAT --to-dest 172.27.200.2:22
sudo iptables -t nat -I POSTROUTING 1 -d 172.27.200.2 -p tcp --dport 667 -j SNAT --to-source {WAN-IP}
However, the connection attempt hangs. tcpdump shows the [S] packets arriving from the source that initiates the connection, but there is no response from the server side, not even a "connection refused". I also cannot ping the server's VPN IP from the client. Flushing the server's existing iptables rules and then applying the new rules fixes this, but it breaks the VPN, leaving the client unable to reach the internet.
These are the iptables rules that cause the connection to hang. Is there a way to fix this without breaking the VPN?
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere {WANIP} tcp dpt:667 to:172.27.200.2:22
AS0_NAT_PRE_REL_EST all -- anywhere anywhere state RELATED,ESTABLISHED
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere 172.27.200.2 tcp dpt:667 to:172.27.232.1
AS0_NAT_POST_REL_EST all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_NAT_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
Chain AS0_NAT (3 references)
target prot opt source destination
SNAT all -- anywhere anywhere to:{WAN-IP}
ACCEPT all -- anywhere anywhere
Chain AS0_NAT_POST_REL_EST (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_NAT_PRE (1 references)
target prot opt source destination
AS0_NAT all -- anywhere anywhere mark match 0x8000000/0x8000000
AS0_NAT_TEST all -- anywhere 169.254.0.0/16
AS0_NAT_TEST all -- anywhere 192.168.0.0/16
AS0_NAT_TEST all -- anywhere 172.16.0.0/12
AS0_NAT_TEST all -- anywhere 10.0.0.0/8
AS0_NAT all -- anywhere anywhere
Chain AS0_NAT_PRE_REL_EST (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_NAT_TEST (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere mark match 0x4000000/0x4000000
ACCEPT all -- anywhere 172.27.200.0/24
ACCEPT all -- anywhere 172.27.224.0/20
AS0_NAT all -- anywhere anywhere
Key: VPS WAN-IP = {WANIP}, VPS VPN-IP = 172.27.232.1, client VPN-IP = 172.27.200.2
EDIT: Here is the output of iptables-save.
# Generated by iptables-save v1.8.7 on Tue Aug 2 05:18:22 2022
*mangle
:PREROUTING ACCEPT [3503:176762]
:INPUT ACCEPT [9309:2594148]
:FORWARD ACCEPT [16:920]
:OUTPUT ACCEPT [8990:4483087]
:POSTROUTING ACCEPT [8994:4483331]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Tue Aug 2 05:18:22 2022
# Generated by iptables-save v1.8.7 on Tue Aug 2 05:18:22 2022
*filter
:INPUT ACCEPT [3179:157338]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [8988:4482919]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 172.27.200.2/32 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Tue Aug 2 05:18:22 2022
# Generated by iptables-save v1.8.7 on Tue Aug 2 05:18:22 2022
*nat
:PREROUTING ACCEPT [3273:165446]
:INPUT ACCEPT [3268:165034]
:OUTPUT ACCEPT [224:15606]
:POSTROUTING ACCEPT [225:15658]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -d {WAN-IP}/32 -p tcp -m tcp --dport 667 -j DNAT --to-destination 172.27.200.2:22
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -d 172.27.200.2/32 -p tcp -m tcp --dport 667 -j SNAT --to-source {WAN-IP}
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o ens3 -j SNAT --to-source {WAN-IP}
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.200.0/24 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Tue Aug 2 05:18:22 2022
EDIT2: I got it working on a completely reset, unmodified server instance using the three rules pointed out in this post: https://unix.stackexchange.com/questions/449853/port-forwarding-using-openvpn-client
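As an added example (not part of the question or of OpenVPN Access Server), here is a small audit script that reads an iptables-save dump and checks the two things that go wrong in the rules above: a POSTROUTING SNAT keyed on the pre-DNAT port (PREROUTING DNAT has already rewritten 667 to 22 by the time POSTROUTING runs, so that rule can never match) and the absence of an explicit FORWARD ACCEPT for the translated destination, without which a new SYN falls through to the existing FORWARD chains. The embedded dump is a constructed excerpt of the question's nat and filter tables, with 203.0.113.10 standing in for {WAN-IP}.

```python
import re

# Constructed excerpt modelled on the question's iptables-save dump; 203.0.113.10 stands in for {WAN-IP}.
SAMPLE = """\
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -o as0t+ -j AS0_OUT_S2C
COMMIT
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 667 -j DNAT --to-destination 172.27.200.2:22
-A POSTROUTING -d 172.27.200.2/32 -p tcp -m tcp --dport 667 -j SNAT --to-source 203.0.113.10
COMMIT
"""

def parse_tables(text):
    """Map table name -> list of '-A ...' rule lines from an iptables-save dump."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables

def opt(rule, flag):
    """Value following a flag such as '--dport' or '-d', with any /32 mask dropped."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1).split("/")[0] if m else None

def audit_port_forwards(text):
    """Return one finding string per problem found for each PREROUTING DNAT rule."""
    tables = parse_tables(text)
    nat, fwd = tables.get("nat", []), tables.get("filter", [])
    findings = []
    for rule in nat:
        if not (rule.startswith("-A PREROUTING") and "-j DNAT" in rule):
            continue
        ext_port = opt(rule, "--dport")
        ip, _, int_port = (opt(rule, "--to-destination") or "").partition(":")
        int_port = int_port or ext_port  # DNAT without a port keeps the original port
        # 1. POSTROUTING sees the already-translated port, so an SNAT keyed on the external port never matches.
        for snat in nat:
            if (snat.startswith("-A POSTROUTING") and "-j SNAT" in snat
                    and opt(snat, "-d") == ip and opt(snat, "--dport") not in (None, int_port)):
                findings.append(f"SNAT for {ip} matches --dport {opt(snat, '--dport')}, "
                                f"but DNAT already rewrote the port to {int_port}: rule never matches")
        # 2. A new connection needs an explicit FORWARD ACCEPT; otherwise the SYN is handled by
        #    whatever the pre-existing FORWARD chains decide (here the -o as0t+ jump).
        accepted = any(r.startswith("-A FORWARD") and r.endswith("-j ACCEPT") and "--state" not in r
                       and opt(r, "-d") in (ip, None) and opt(r, "--dport") in (int_port, None)
                       for r in fwd)
        if not accepted:
            findings.append(f"no FORWARD ACCEPT for {ip} tcp/{int_port}; new connections fall through to the existing FORWARD chains")
    return findings

if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE):
        print("-", finding)
```

Run it against `iptables-save` output from the server; an empty result means the SNAT port and the FORWARD ACCEPT line up with the DNAT target.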