我有一个 wireguard 服务器,用于控制对 AWS 中服务器网络的访问。通过 wireguard 连接的客户端的地址为 10.11.0.{2-5}。我有 4 个客户端可以完全访问 LAN - LAN 位于 10.1.255.255。一切正常。
现在我想添加一个只能访问少数服务器的客户端。
因此我在 wg0.conf 中添加了一些 PostUp 命令,并使用 iptables 将此客户端限制到这些服务器。
[请注意,我更喜欢使用 PostUp 命令而不是单独的 postup.sh 文件,因为它将自定义内容保存在一个地方。]
以下是 iptables 命令。客户端 10.11.0.{2,3,4,5} 应该能够访问所有内容。客户端 10.11.0.6 应该只能访问三个特定的 IP 地址。实际情况是,客户端 .6 仍然可以访问所有内容。
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.11.0.0/16
# Add a WIREGUARD_wg0 chain
PostUp = iptables -N WIREGUARD_wg0
PostUp = iptables -A FORWARD -j WIREGUARD_wg0
# Accept traffic from valid Wireguard client IP addresses
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.2,10.11.0.3,10.11.0.4,10.11.0.5 -i %i -j ACCEPT
# This client can only access these servers.
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -d 10.1.1.101,10.1.1.151,10.1.0.101 -j ACCEPT
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -j DROP
# Drop everything else coming through the Wireguard interface
PostUp = iptables -A WIREGUARD_wg0 -i %i -j DROP
# Return to FORWARD chain
PostUp = iptables -A WIREGUARD_wg0 -j RETURN
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -s 10.11.0.0/16
# Flush and delete the WIREGUARD_wg0 chain
PostDown = iptables -D FORWARD -j WIREGUARD_wg0
PostDown = iptables -F WIREGUARD_wg0
PostDown = iptables -X WIREGUARD_wg0
以下是之后的状态wg-quick down wg0
:
/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:06:20 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep 3 21:06:20 2022
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:06:20 2022
*filter
:INPUT ACCEPT [33:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:4668]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Sat Sep 3 21:06:20 2022
然后wg-quick up wg0
:
/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:07:01 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep 3 21:07:01 2022
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:07:01 2022
*filter
:INPUT ACCEPT [15:1036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:2920]
:WIREGUARD_wg0 - [0:0]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
[0:0] -A FORWARD -j WIREGUARD_wg0
[0:0] -A WIREGUARD_wg0 -s 10.11.0.2/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.3/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.4/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.5/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.151/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.0.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -j RETURN
COMMIT
# Completed on Sat Sep 3 21:07:01 2022
有人能指出我遗漏了什么吗?非常感谢。保罗。
答案1
正如用户 1686 和 A. B 所怀疑的那样,您有一条旧规则,它接受进入接口的所有流量wg0
- 这是链中的第一个规则FORWARD
,在跳转到您的WIREGUARD_wg0
链之前:
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
删除它以使链中的过滤WIREGUARD_wg0
生效:
iptables -D FORWARD -i wg0 -j ACCEPT