UFW 未过滤同一 (tun0) 接口上的 FORWARD 流量


I have an Ubuntu 22.04 server running OpenVPN, and I want to use UFW to filter access between clients on the tun0 interface.

As far as I know, this is all about the FORWARDING chain inside UFW.

Managing rules such as allowing SSH on the INPUT chain works fine.

/etc/default/ufw

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=no

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=yes

#
# IPT backend
#
# only enable if using iptables backend
#IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""

sysctl -p

net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

ufw status

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
1394/udp                   ALLOW       Anywhere

10.24.0.101                DENY FWD    10.24.0.100 on tun0
10.24.0.100                DENY FWD    10.24.0.101 on tun0

iptables -L ufw-user-forward

Chain ufw-user-forward (1 references)
target     prot opt source               destination
DROP       all  --  10.24.0.100          10.24.0.101
DROP       all  --  10.24.0.101          10.24.0.100

ping 10.24.0.101 from 10.24.0.100

PING 10.24.0.101 (10.24.0.101) 56(84) bytes of data.
64 bytes from 10.24.0.101: icmp_seq=1 ttl=127 time=9.04 ms
64 bytes from 10.24.0.101: icmp_seq=2 ttl=127 time=11.1 ms

dmesg | grep tun0

[  614.626053] [UFW AUDIT] IN=tun0 OUT=tun0 MAC= SRC=10.24.0.100 DST=10.24.0.101 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=6816 DF PROTO=ICMP TYPE=8 CODE=0 ID=39 SEQ=1

No matter what I do or try, there is no filtering at all on the tun0 interface.

Edit:

Just found out it is related to UFW: when using only iptables, the filtering on the FORWARDING interface works.

I want to use UFW...
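An added example, not part of the asker's post: the Python script below walks a constructed ruleset in `iptables -S` syntax laid out the way ufw installs its FORWARD chains (the ICMP and conntrack rules from the stock /etc/ufw/before.rules plus the two `ufw route deny` rules shown in the question; assumed here, not captured from the asker's server) and reports which rule decides a given packet. It shows why the ping above gets through: ufw-before-forward ACCEPTs ICMP echo-request before it jumps to ufw-user-forward, so the DENY FWD rules are only consulted for traffic such as a new TCP connection. The chain names are ufw's real ones; the matcher only understands the handful of options the sample uses.

```python
"""Walk a ufw-style iptables FORWARD ruleset and report the deciding rule.

Added example, not the asker's code. SAMPLE_RULES is constructed to mirror
the chain layout ufw installs (stock before.rules ICMP/conntrack rules plus
the asker's two `ufw route deny ... on tun0` rules), in `iptables -S` syntax.
"""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample (assumption: same order as ufw's stock chain layout).
SAMPLE_RULES = """
-P FORWARD DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-user-forward -i tun0 -s 10.24.0.100/32 -d 10.24.0.101/32 -j DROP
-A ufw-user-forward -i tun0 -s 10.24.0.101/32 -d 10.24.0.100/32 -j DROP
"""

# iptables option -> key in our packet dict
PACKET_KEYS = {"-s": "src", "-d": "dst", "-i": "in_if", "-o": "out_if",
               "-p": "proto", "--icmp-type": "icmp_type"}


def parse(rules_text):
    """Return (policies, chains); chains maps name -> [(match, target, line)]."""
    policies, chains = {}, {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "-P":                      # built-in chain policy
            policies[tok[1]] = tok[2]
            continue
        if tok[0] != "-A":
            continue
        chain, match, target, i = tok[1], {}, None, 2
        while i < len(tok):
            opt, val = tok[i], tok[i + 1]
            if opt == "-j":
                target = val
            elif opt == "-m":
                pass                            # match-module loader only
            elif opt in ("-s", "-d"):
                match[opt] = val.split("/")[0]  # /32 -> single host
            elif opt in ("-i", "-o", "-p"):
                match[opt] = val
            elif opt == "--icmp-type":
                match[opt] = int(val)
            elif opt == "--ctstate":
                match[opt] = set(val.split(","))
            else:
                raise ValueError(f"unsupported option {opt} in: {line}")
            i += 2
        chains.setdefault(chain, []).append((match, target, line))
    return policies, chains


def matches(match, pkt):
    """True if every option in the rule agrees with the packet."""
    for opt, want in match.items():
        if opt == "--ctstate":
            if pkt["ctstate"] not in want:
                return False
        elif pkt.get(PACKET_KEYS[opt]) != want:
            return False
    return True


def walk(chains, chain, pkt):
    """Traverse one chain; (verdict, rule) on a terminal target, else None (RETURN)."""
    for match, target, line in chains.get(chain, []):
        if not matches(match, pkt):
            continue
        if target in TERMINAL:
            return target, line
        if target == "RETURN":
            return None
        result = walk(chains, target, pkt)      # jump to user chain, come back
        if result:
            return result
    return None


def verdict(rules_text, pkt, chain="FORWARD"):
    """Decide a packet exactly as the kernel would walk this ruleset."""
    policies, chains = parse(rules_text)
    return walk(chains, chain, pkt) or (policies[chain], f"policy {chain} {policies[chain]}")


def tun0_packet(proto, **extra):
    """A NEW packet from client .100 to client .101 routed back out tun0."""
    pkt = {"src": "10.24.0.100", "dst": "10.24.0.101", "in_if": "tun0",
           "out_if": "tun0", "proto": proto, "ctstate": "NEW"}
    pkt.update(extra)
    return pkt


PING = tun0_packet("icmp", icmp_type=8)   # what the asker tested with
SSH = tun0_packet("tcp")                  # a new TCP connection instead

if __name__ == "__main__":
    for name, pkt in (("ICMP echo-request", PING), ("TCP, new connection", SSH)):
        v, rule = verdict(SAMPLE_RULES, pkt)
        print(f"{name:20} -> {v:6} by: {rule}")
```

On the real box, compare the stock ICMP rules with `iptables -S ufw-before-forward`, and retest the deny with something that is not ICMP, e.g. `nc -vz 10.24.0.101 22` from 10.24.0.100, while watching `iptables -L ufw-user-forward -v -n` for the packet counters to move.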
