I am following the official Debian Wiki tutorial for setting up a VPN server on Debian 11.
Forward traffic to provide access to the Internet
Everything went smoothly except for the last section.
The following lines do not work:
IF_MAIN=eth0
IF_TUNNEL=tun0
YOUR_OPENVPN_SUBNET=10.9.8.0/24
#YOUR_OPENVPN_SUBNET=10.8.0.0/16 # if using server.conf from sample-server-config
nft add rule ip filter FORWARD iifname "$IF_MAIN" oifname "$IF_TUNNEL" ct state related,established counter accept
nft add rule ip filter FORWARD oifname "$IF_MAIN" ip saddr $YOUR_OPENVPN_SUBNET counter accept
nft add rule ip nat POSTROUTING oifname "$IF_MAIN" ip saddr $YOUR_OPENVPN_SUBNET counter masquerade
Here is the output:
root@server:/home/user# nft add rule ip filter FORWARD iifname "$IF_MAIN" oifname "$IF_TUNNEL" ct state related,established counter accept
Error: Could not process rule: No such file or directory
add rule ip filter FORWARD iifname enp1s0 oifname tun0 ct state related,established counter accept
^^^^^^
I get a similar error for all 3 commands. Am I missing something? Is something missing from the tutorial?
Answer 1
It looks like the Debian Wiki instructions are written on top of the compatibility tables and chains created by iptables-nft (or possibly by the default stub /etc/nftables.conf included in the nftables package), which is the default version of iptables on Debian 10 and later.
If you are starting from a completely blank nftables configuration, you must first create the tables and chains before adding rules to them:
IF_MAIN=eth0
IF_TUNNEL=tun0
YOUR_OPENVPN_SUBNET=10.9.8.0/24
# Create a rules table for IPv4, named "custom":
nft create table ip custom
# Create a forward filter chain with the standard priority and
# iptables-resembling name "FORWARD", into the "custom" table
# created above:
# (priority filter == priority 0, see "man nft")
nft add chain ip custom FORWARD { type filter hook forward priority filter\; }
# Create a NAT filter chain with the iptables-like name "POSTROUTING" too:
nft add chain ip custom POSTROUTING { type nat hook postrouting priority srcnat\; }
# now you can start adding your filter rules
nft add rule ip custom FORWARD iifname "$IF_MAIN" oifname "$IF_TUNNEL" ct state related,established counter accept
nft add rule ip custom FORWARD oifname "$IF_MAIN" ip saddr $YOUR_OPENVPN_SUBNET counter accept
nft add rule ip custom POSTROUTING oifname "$IF_MAIN" ip saddr $YOUR_OPENVPN_SUBNET counter masquerade
This puts all your custom rules into a table named custom. If you later add some other software that creates its own nftables rules, it will most likely use its own table, which should remove the possibility of it accidentally deleting your custom rules. You only need to check the hook priorities to make sure the processing order of the rule chains in the different tables makes sense, and adjust them if necessary.
Note: custom, FORWARD and POSTROUTING here are just names, and you can change them to anything you want, while everything else has a specific meaning.
This also allows you to delete, or temporarily deactivate, all your custom rules at once with a single command:
nft add table ip custom { flags dormant\; } # temporarily disable
nft add table ip custom # re-enable
nft delete table ip custom # wipe custom rules completely
These can be helpful when troubleshooting the ruleset.
To make the rules persistent:
nft list ruleset > /etc/nftables.conf # save the current rules
systemctl enable nftables.service # enable loading rules at boot
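The answer's imperative commands, rewritten as the declarative /etc/nftables.conf that nftables.service loads at boot (an added example, not code from the answer or from the Debian Wiki). It assumes the same eth0, tun0 and 10.9.8.0/24 values and adds a drop policy on the forward chain, which the answer's chain does not have, so that only the VPN traffic listed is forwarded through the host.

```nft
#!/usr/sbin/nft -f
# Added example, not the answer's code: the "custom" table from the answer
# as a declarative ruleset file. Assumed values: uplink eth0, tunnel tun0,
# VPN client subnet 10.9.8.0/24 (change these to match your setup).

define IF_MAIN = "eth0"
define IF_TUNNEL = "tun0"
define VPN_SUBNET = 10.9.8.0/24

# Make reloading idempotent: (re)create the table, then delete only this
# table so that tables owned by other software are left untouched.
table ip custom
delete table ip custom

table ip custom {
    chain FORWARD {
        type filter hook forward priority filter;
        # Hardening beyond the answer: forward nothing that is not
        # explicitly allowed below (the answer's chain accepts by default).
        policy drop;

        # Replies from the Internet back to VPN clients
        iifname $IF_MAIN oifname $IF_TUNNEL ct state related,established counter accept
        # VPN clients out to the Internet
        oifname $IF_MAIN ip saddr $VPN_SUBNET counter accept
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat;
        # Source-NAT VPN client traffic to the uplink address
        oifname $IF_MAIN ip saddr $VPN_SUBNET counter masquerade
    }
}
```

Syntax-check the file with `nft -c -f /etc/nftables.conf` before enabling the service; because of the drop policy, any other forwarding this host is expected to do needs its own accept rules in this chain.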