Setting up correct iptables rules for a reverse VPN

I have set up a VPS as a reverse VPN for my self-hosted mail server and would like to know whether the rules I have come up with are sensible and suitable for what I am doing.

The mail server (a mailcow Docker container) sits behind NAT and also hosts several other web applications. On the VPS there is a reverse proxy (also a Docker container) for the applications that live on the VPS, and on the mail server there is another reverse proxy for some privately accessed web applications. The mail server itself is listed in the reverse proxy on the VPS.

My question is: as far as the firewall rules go, is this the "correct" setup? I can get it working with the mail server by using explicit IP addresses in the mail server's wg0.conf... but every tutorial I have looked at has 0.0.0.0/0 on the "client" (i.e. the mail server in this case), yet when I try to actually use that it does not pass any traffic. I know nothing at all about iptables, so I need guidance from someone more knowledgeable to see whether I have done this right, and if not... how to fix it?

The VPS is Oracle Linux 8. The mail server is Rocky Linux 8. Docker runs on both hosts. Both also run WireGuard at the kernel level (not in a container).

Here is the bash script I pieced together from various posts online to set up the iptables rules for WireGuard on the VPS:

#!/bin/bash
set -x

# Install (default) or uninstall ("down" argument) the rules:
# -A/-I add rules, -D deletes the same rule specifications again.
A=-A
I=-I
if [[ "$1" == "down" ]]; then
  A=-D
  I=-D
fi

ip4_localip=10.0.0.11            # VPS private (cloud-side) address
ip4_wg_subnet=10.20.100          # WireGuard tunnel subnet (first three octets)
ip4_source=$ip4_wg_subnet.10     # VPS tunnel address
ip4_dest=$ip4_wg_subnet.11       # mail server tunnel address

# SET PUBLIC IP INTERFACE NAME
ni=enp0s3
# SET WIREGUARD INTERFACE NAME
wg=wg0
# SET FORWARDED PORTS (SMTP, POP3, IMAP, SMTPS, submission, IMAPS, POP3S, ManageSieve)
TCP_PORTS="25 110 143 465 587 993 995 4190"

# Docker owns the FORWARD chain and puts its own rules there, so user rules go in
# DOCKER-USER, which Docker evaluates before its own rules. Per the Docker manual:
#   iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
# -I inserts at the top, so after these three lines the evaluation order is the
# reverse of the order written here: state match, then subnet match, then interfaces.
sudo iptables $I DOCKER-USER -i "$wg" -o "$ni" -j ACCEPT
# Accepts anything forwarded *from* the tunnel subnet, whatever the destination,
# which includes the VPS's own Docker bridge networks.
sudo iptables $I DOCKER-USER -s "$ip4_wg_subnet.0/24" -j ACCEPT
# Return traffic for connections conntrack already knows about.
sudo iptables $I DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

for p in $TCP_PORTS
do
    # Allow new inbound connections on this port from the public interface into the tunnel.
    sudo iptables $A DOCKER-USER -i "$ni" -o "$wg" -p tcp --syn --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    # Rewrite the destination of inbound connections to the mail server's tunnel address.
    sudo iptables -t nat $A PREROUTING -i "$ni" -p tcp --dport "$p" -j DNAT --to-destination "$ip4_dest"
    # Rewrite the source to the VPS tunnel address so the mail server replies over the tunnel;
    # the mail server therefore sees $ip4_source, not the remote client, as the connecting address.
    sudo iptables -t nat $A POSTROUTING -o "$wg" -p tcp --dport "$p" -d "$ip4_dest" -j SNAT --to-source "$ip4_source"
done

# Source NAT: traffic from the tunnel subnet bound for anywhere outside it leaves with
# the VPS's own address (so outbound mail from the mail server uses the VPS IP).
sudo iptables -t nat $A POSTROUTING -s "$ip4_wg_subnet.0/24" ! -d "$ip4_wg_subnet.0/24" -j SNAT --to "$ip4_localip"

# Masquerade everything else leaving via the tunnel interface.
sudo iptables -t nat $A POSTROUTING -o "$wg" -j MASQUERADE

Here is the wg0.conf for my VPS:

[Interface]
Address = 10.20.100.10/24
MTU = 1280
PrivateKey = KEY
ListenPort = 51820

PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = /etc/wireguard/scripts/vps-load-wg-iptables.sh
PostDown = /etc/wireguard/scripts/vps-load-wg-iptables.sh down
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 10.20.100.11/32, 10.20.1.11/32
PersistentKeepalive = 20

Here is the mail server's wg0.conf:

[Interface]
Address = 10.20.100.11/32
MTU = 1280
PrivateKey = KEY

PreUp = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 10.20.100.10/32, 10.0.0.11/32
Endpoint = VPS_PUBLIC_IP:51820
PersistentKeepalive = 20

Thanks for your help!
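The question turns on what AllowedIPs actually does, which is the part of WireGuard ("cryptokey routing") that tutorials rarely spell out. The following is an added illustration, not code from the question or answer and not a diagnosis of why the original configuration failed: it models the two jobs AllowedIPs performs. Outbound, a packet's destination is matched (longest prefix wins) against every peer's AllowedIPs to choose the peer, and a destination that matches no peer is dropped. Inbound, a packet decrypted from a peer is accepted only if its source address lies inside that peer's AllowedIPs. The peer tables are taken from the four wg0.conf files in this thread; the function names, the 203.0.113.5 test address and the extra "lan" peer used in the longest-prefix check are my own assumptions.

```python
"""Model of WireGuard cryptokey routing (AllowedIPs) with the peer tables from the post.

Added example, not part of the original thread. Two rules:
  outbound: destination -> peer whose AllowedIPs holds the longest matching prefix
  inbound:  packet from a peer is accepted only if its source is in that peer's AllowedIPs
"""
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def select_peer(peers, dst):
    """Outbound: name of the peer with the longest AllowedIPs match for dst, or None (dropped)."""
    best, best_len = None, -1
    dst = ipaddress.ip_address(dst)
    for name, allowed in peers.items():
        for net in allowed:
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers, peer, src):
    """Inbound: a packet decrypted from `peer` passes only if src is within its AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peers[peer])


# Peer tables copied from the configs in the post.
# VPS side as first posted: the mail server's tunnel IP and its LAN IP.
VPS_PEERS_ORIGINAL = {"mailserver": _nets(["10.20.100.11/32", "10.20.1.11/32"])}
# VPS side after the edit in the answer: tunnel IP only.
VPS_PEERS_UPDATED = {"mailserver": _nets(["10.20.100.11/32"])}
# Mail server side as first posted: only the VPS tunnel and private addresses.
MAIL_PEERS_ORIGINAL = {"vps": _nets(["10.20.100.10/32", "10.0.0.11/32"])}
# Mail server side after the edit: the tutorial-style full-tunnel setting.
MAIL_PEERS_UPDATED = {"vps": _nets(["0.0.0.0/0"])}


def demo():
    """Return {(config, case): result} for the cases the thread discusses.

    203.0.113.5 is an assumed public address standing in for an arbitrary internet host.
    """
    return {
        # The VPS reaches the mail server's tunnel address under either VPS config.
        ("vps-original", "to 10.20.100.11"): select_peer(VPS_PEERS_ORIGINAL, "10.20.100.11"),
        ("vps-updated", "to 10.20.100.11"): select_peer(VPS_PEERS_UPDATED, "10.20.100.11"),
        # Only the original VPS config routes the mail server's LAN IP into the tunnel,
        # or accepts a tunnel packet whose source is that LAN IP.
        ("vps-original", "to 10.20.1.11"): select_peer(VPS_PEERS_ORIGINAL, "10.20.1.11"),
        ("vps-updated", "to 10.20.1.11"): select_peer(VPS_PEERS_UPDATED, "10.20.1.11"),
        ("vps-updated", "from 10.20.1.11"): accept_inbound(VPS_PEERS_UPDATED, "mailserver", "10.20.1.11"),
        # With explicit /32s the mail server tunnels traffic to those two addresses only;
        # with 0.0.0.0/0 every destination goes to the VPS and any source is accepted from it.
        ("mail-original", "to 203.0.113.5"): select_peer(MAIL_PEERS_ORIGINAL, "203.0.113.5"),
        ("mail-updated", "to 203.0.113.5"): select_peer(MAIL_PEERS_UPDATED, "203.0.113.5"),
        ("mail-updated", "from 203.0.113.5"): accept_inbound(MAIL_PEERS_UPDATED, "vps", "203.0.113.5"),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, "->", result)
```

Note that wg-quick also installs kernel routes for every AllowedIPs entry, so 0.0.0.0/0 on the mail server sends all of its outbound traffic, not just tunnel-addressed traffic, through the VPS; on the VPS side, an address that is not in the peer's AllowedIPs is neither routed into the tunnel nor accepted out of it, which is the behaviour the answer's edit relies on.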

Answer 1

After some further tinkering it now works as expected. The mail server now reports the correct IP, and the other network traffic from the proxy also gets where it needs to go. Hope this helps someone else :)

Updated bash script:

#!/bin/bash
set -x

# Install (default) or uninstall ("down" argument) the rules:
# -A/-I add rules, -D deletes the same rule specifications again.
A=-A
I=-I
if [[ "$1" == "down" ]]; then
  A=-D
  I=-D
fi

ip4_localip=10.0.0.11            # VPS private (cloud-side) address
ip4_wg_subnet=10.20.100          # WireGuard tunnel subnet (first three octets)
ip4_source=$ip4_wg_subnet.10     # VPS tunnel address
ip4_dest=$ip4_wg_subnet.11       # mail server tunnel address

# SET PUBLIC IP INTERFACE NAME
ni=enp0s3
# SET WIREGUARD INTERFACE NAME
wg=wg0
# SET FORWARDED PORTS (SMTP, POP3, IMAP, SMTPS, submission, IMAPS, POP3S, ManageSieve)
TCP_PORTS="25 110 143 465 587 993 995 4190"

# Docker owns the FORWARD chain, so user rules go in DOCKER-USER, which Docker
# evaluates before its own rules. -I inserts at the top, so the state rule below
# ends up first and the subnet rule second.
# Accepts anything forwarded *from* the tunnel subnet, whatever the destination,
# which includes the VPS's own Docker bridge networks.
sudo iptables $I DOCKER-USER -s "$ip4_wg_subnet.0/24" -j ACCEPT
# Return traffic for connections conntrack already knows about.
sudo iptables $I DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Source NAT: traffic from the tunnel subnet bound for anywhere outside it leaves with
# the VPS's own address (so outbound mail from the mail server uses the VPS IP).
sudo iptables -t nat $A POSTROUTING -s "$ip4_wg_subnet.0/24" ! -d "$ip4_wg_subnet.0/24" -j SNAT --to "$ip4_localip"
# Masquerade everything leaving via the tunnel interface. It is appended before the
# per-port SNAT rules below and so matches first; the result is the same, since
# MASQUERADE uses the wg0 address ($ip4_source) as the new source.
sudo iptables -t nat $A POSTROUTING -o "$wg" -j MASQUERADE

for p in $TCP_PORTS
do
    # Allow new inbound connections on this port from the public interface into the tunnel.
    sudo iptables $A DOCKER-USER -i "$ni" -o "$wg" -p tcp --syn --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    # Rewrite the destination of inbound connections to the mail server's tunnel address.
    sudo iptables -t nat $A PREROUTING -i "$ni" -p tcp --dport "$p" -j DNAT --to-destination "$ip4_dest"
    # Rewrite the source to the VPS tunnel address so the mail server replies over the tunnel;
    # the mail server therefore sees $ip4_source, not the remote client, as the connecting address.
    sudo iptables -t nat $A POSTROUTING -o "$wg" -p tcp --dport "$p" -d "$ip4_dest" -j SNAT --to-source "$ip4_source"
done

Updated wg0.conf for the VPS. Edit: the mail server's real local IP does not need to be in the VPS wg0.conf; routing works with >only< the WireGuard IP range from the VPS. Use the mail server's WireGuard IP as the target of the host entry in the VPS proxy that sends things to the mail server over http.

[Interface]
Address = 10.20.100.10/24
MTU = 1280
PrivateKey = KEY
ListenPort = 51820

PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = /etc/wireguard/scripts/vps-load-wg-iptables.sh
PostDown = /etc/wireguard/scripts/vps-load-wg-iptables.sh down
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 10.20.100.11/32
PersistentKeepalive = 20

Updated wg0.conf for the mail server:

[Interface]
Address = 10.20.100.11/24
MTU = 1280
PrivateKey = KEY

PreUp = sysctl -w net.ipv4.ip_forward=1
PostDown = sysctl -w net.ipv4.ip_forward=0

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 0.0.0.0/0
Endpoint = VPS_PUBLIC_IP:51820
PersistentKeepalive = 20
