为反向 VPN 设置正确的 iptables 规则

tag-icon tag-icon vpn iptables wireguard
为反向 VPN 设置正确的 iptables 规则

我设置了一个 VPS 作为我自己托管的邮件服务器的反向 vpn,想知道我提出的这些规则是否合理并且是否适合我正在做的事情。

邮件服务器(mailcow docker 容器)位于 nat 后面,并托管其他几个 Web 应用程序。vps 上有一个反向代理(也是一个 docker 容器),用于位于 vps 上的应用程序,邮件服务器上还有另一个反向代理,用于一些私人访问 Web 应用程序。邮件服务器本身列在 VPS 上的反向代理中。

我的问题是:就防火墙规则而言,这是“正确”的设置吗?我可以使用邮件服务器 wg0.conf 中的显式 IP 地址使其与邮件服务器一起工作……但我看过的每个教程都有“客户端”(即本例中的邮件服务器)0.0.0.0/0,但当我尝试实际使用它时,它不会传递任何流量。我对 iptables 完全不了解,所以我需要更了解的人的指导,看看我是否做对了,如果不对……该如何修复?

VPS 是 Oracle linux 8。邮件服务器是 Rocky linux 8。Docker 在两台主机上运行。两者也在内核级别(而不是在容器中)运行 wireguard。

以下是我从网上的各种帖子中拼凑起来的 bash 脚本,用于在 vps 上为 wireguard 设置 iptables 规则:

#!/bin/bash
set -x

# set up install and uninstall directives
A=-A
I=-I
if [[ "$1" == "down" ]]; then
  A=-D
  I=-D
fi

ip4_localip=10.0.0.11
ip4_wg_subnet=10.20.100
ip4_source=$ip4_wg_subnet.10
ip4_dest=$ip4_wg_subnet.11

# SET PUBLIC IP INTERFACE NAME
ni=enp0s3
# SET WIREGUARD INTERFACE NAME
wg=wg0
# SET FORWARDED PORTS
TCP_PORTS="25 110 143 465 587 993 995 4190"

# Accept it all.
# Per docker manual: iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
# to preserve linux routing capabilities.
# Docker requires forwards to be on its own chain, use DOCKER-USER instead of FORWARD
sudo iptables $I DOCKER-USER -i $wg -o $ni -j ACCEPT
sudo iptables $I DOCKER-USER -s $ip4_wg_subnet.0/24 -j ACCEPT
sudo iptables $I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT

for p in $TCP_PORTS
do
    # Allow traffic on specified ports.
    sudo iptables $A DOCKER-USER -i $ni -o $wg -p tcp --syn --dport $p -m conntrack --ctstate NEW -j ACCEPT
    # Forward traffic from public network to wireguard on specified ports
    sudo iptables -t nat $A PREROUTING -i $ni -p tcp --dport $p -j DNAT --to-destination $ip4_dest
    # Forward traffic from wireguard back to public network on specified ports
    sudo iptables -t nat $A POSTROUTING -o $wg -p tcp --dport $p -d $ip4_dest -j SNAT --to-source $ip4_source
done

# Source nat.
sudo iptables -t nat $A POSTROUTING -s $ip4_wg_subnet.0/24 ! -d $ip4_wg_subnet.0/24 -j SNAT --to $ip4_localip

# Masquerade.
sudo iptables -t nat $A POSTROUTING -o $wg -j MASQUERADE

这是我的 VPS 的 wg0.conf:

[Interface]
Address = 10.20.100.10/24
MTU = 1280
PrivateKey = KEY
ListenPort = 51820

PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = /etc/wireguard/scripts/vps-load-wg-iptables.sh
PostDown = /etc/wireguard/scripts/vps-load-wg-iptables.sh down
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 10.20.100.11/32, 10.20.1.11/32
PersistentKeepalive = 20

这是邮件服务器的 wg0.conf:

[Interface]
Address = 10.20.100.11/32
MTU = 1280
PrivateKey = KEY

PreUp = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 10.20.100.10/32, 10.0.0.11/32
Endpoint = VPS_PUBLIC_IP:51820
PersistentKeepalive = 20

感谢您的帮助!

答案1

经过进一步的捣鼓,现在它按预期工作了。邮件服务器现在报告了正确的 IP,并且来自代理的其他网络流量也到达了需要去的地方。希望它能帮助其他人 :)

更新的 Bash 脚本:

#!/bin/bash
set -x

# set up install and uninstall directives
A=-A
I=-I
if [[ "$1" == "down" ]]; then
  A=-D
  I=-D
fi

ip4_localip=10.0.0.11
ip4_wg_subnet=10.20.100
ip4_source=$ip4_wg_subnet.10
ip4_dest=$ip4_wg_subnet.11

# SET PUBLIC IP INTERFACE NAME
ni=enp0s3
# SET WIREGUARD INTERFACE NAME
wg=wg0
# SET FORWARDED PORTS
TCP_PORTS="25 110 143 465 587 993 995 4190"

# Accept it all.
# Per docker manual, Docker requires forwards to be on its chain
# use DOCKER-USER instead of FORWARD
sudo iptables $I DOCKER-USER -s $ip4_wg_subnet.0/24 -j ACCEPT
sudo iptables $I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
# Source nat.
sudo iptables -t nat $A POSTROUTING -s $ip4_wg_subnet.0/24 ! -d $ip4_wg_subnet.0/24 -j SNAT --to $ip4_localip
# Masquerade.
sudo iptables -t nat $A POSTROUTING -o $wg -j MASQUERADE

for p in $TCP_PORTS
do
    # Allow traffic on specified ports.
    sudo iptables $A DOCKER-USER -i $ni -o $wg -p tcp --syn --dport $p -m conntrack --ctstate NEW -j ACCEPT
    # Forward traffic from public network to wireguard on specified ports
    sudo iptables -t nat $A PREROUTING -i $ni -p tcp --dport $p -j DNAT --to-destination $ip4_dest
    # Forward traffic from wireguard back to public network on specified ports
    sudo iptables -t nat $A POSTROUTING -o $wg -p tcp --dport $p -d $ip4_dest -j SNAT --to-source $ip4_source
done

更新了 VPS 的 wg0.conf:编辑:邮件服务器的真实本地 IP 不需要位于 vps wg0.conf 中;路由允许使用 >only< 来自 vps 的 wireguard IP 范围。使用邮件服务器的 wireguard IP 作为 vps 代理中通过 http 将内容发送到邮件服务器的主机条目的目标。

[Interface]
Address = 10.20.100.10/24
MTU = 1280
PrivateKey = KEY
ListenPort = 51820

PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = /etc/wireguard/scripts/vps-load-wg-iptables.sh
PostDown = /etc/wireguard/scripts/vps-load-wg-iptables.sh down
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 10.20.100.11/32
PersistentKeepalive = 20

更新了邮件服务器的 wg0.conf:

[Interface]
Address = 10.20.100.11/24
MTU = 1280
PrivateKey = KEY

PreUp = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 0.0.0.0/0
Endpoint = VPS_PUBLIC_IP:51820
PersistentKeepalive = 20

相关内容