Understanding an iptables problem (the rules behave the opposite of what I expect)


I have a WireGuard interface wg1 which calls PostUp = /etc/wireguard/postup.sh. My postup.sh looks like this:

#!/bin/sh
WIREGUARD_INTERFACE=wg1
WIREGUARD_LAN=10.0.0.0/24
MASQUERADE_INTERFACE=eth0
CHAIN_NAME=WIREGUARD_wg1
WIREGUARD_CLIENT=10.0.0.2
WIREGUARD_DNS=192.168.178.47

# NAT the WireGuard LAN out of the upstream interface
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN

# Add a WIREGUARD_wg1 chain and jump to it from the FORWARD chain
iptables -N $CHAIN_NAME
iptables -A FORWARD -j $CHAIN_NAME

# Accept related or established traffic
iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow traffic to router and DNS gateway
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -d 192.168.178.1 -j ACCEPT
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -d $WIREGUARD_DNS -j ACCEPT

# Accept outgoing connections to any IP address (public because of rule above)
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -i $WIREGUARD_INTERFACE -j ACCEPT

# Accept outgoing connections to HTTP(S) ports to any IP address (public because of rule above)
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -i $WIREGUARD_INTERFACE -d 0.0.0.0/0 -p tcp -m multiport --dports 80,443 -j ACCEPT

# Drop traffic to any private IP address
iptables -A $CHAIN_NAME -s $WIREGUARD_CLIENT -i $WIREGUARD_INTERFACE -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j DROP

# Drop everything else coming through the WireGuard interface
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP

# Return to FORWARD chain
iptables -A $CHAIN_NAME -j RETURN

I want connected clients to be able to browse the web, but not to reach any IP in the network the WireGuard server runs in. But the situation is exactly the opposite: the client can reach those IPs and even use the local DNS, but cannot reach any page on the internet.

The output of iptables -L -v -n is:

Chain INPUT (policy ACCEPT 6449 packets, 1002K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 338 packets, 60782 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2772 1683K WIREGUARD_wg1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 8419 packets, 5997K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain WIREGUARD_wg1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  877 1535K ACCEPT     0    --  *      wg1     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  446 48489 ACCEPT     0    --  *      *       10.0.0.2             192.168.178.1         
  103  6958 ACCEPT     0    --  *      *       10.0.0.2             192.168.178.47        
 1346 92153 ACCEPT     0    --  wg1    *       10.0.0.2             0.0.0.0/0           
    0     0 ACCEPT     6    --  wg1    *       10.0.0.2             0.0.0.0/0            multiport dports 80,443
    0     0 DROP       0    --  wg1    *       10.0.0.2             10.0.0.0/8          
    0     0 DROP       0    --  wg1    *       10.0.0.2             172.16.0.0/12       
    0     0 DROP       0    --  wg1    *       10.0.0.2             192.168.0.0/16      
    0     0 DROP       0    --  wg1    *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0 

As far as I understand it, the output shows what I expect. But I guess I am missing something. Can you give me any hints or help to reach my goal: the client should only be allowed to access the internet and nothing else. My wg0 interface, which allows everything, works fine, so it is not a "bigger" network problem.

Thanks in advance for any help :)
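To see why the three DROP rules in the listing above have counted zero packets while the catch-all ACCEPT has counted 1346, here is an added first-match walk through the WIREGUARD_wg1 chain exactly as iptables -L -v -n shows it (an illustration written for this page, not the poster's code; the packets are constructed, and only the match fields the post uses are modelled). It also shows what the same packet hits once the catch-all rule from the "Accept outgoing connections to any IP address" line is left out.

```python
# Added model of the post's WIREGUARD_wg1 chain; not the poster's code.
import ipaddress

def rule(target, inp=None, out=None, src=None, dst=None, proto=None, dports=None, state=None):
    return dict(target=target, inp=inp, out=out, src=src, dst=dst,
                proto=proto, dports=dports, state=state)

# The ten rules in the order `iptables -L -v -n` lists them (the comma-separated
# -d list in the script expands into three separate DROP rules).
WIREGUARD_WG1 = [
    rule("ACCEPT", out="wg1", state={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", src="10.0.0.2", dst="192.168.178.1"),
    rule("ACCEPT", src="10.0.0.2", dst="192.168.178.47"),
    rule("ACCEPT", src="10.0.0.2", inp="wg1"),                 # catch-all: 1346 hits in the listing
    rule("ACCEPT", src="10.0.0.2", inp="wg1", proto="tcp", dports={80, 443}),
    rule("DROP", src="10.0.0.2", inp="wg1", dst="10.0.0.0/8"),
    rule("DROP", src="10.0.0.2", inp="wg1", dst="172.16.0.0/12"),
    rule("DROP", src="10.0.0.2", inp="wg1", dst="192.168.0.0/16"),
    rule("DROP", inp="wg1"),
    rule("RETURN"),
]

def packet(src, dst, inp="wg1", out="eth0", proto="tcp", dport=443, state="NEW"):
    """A constructed forwarded packet with the fields the chain can test."""
    return dict(src=src, dst=dst, inp=inp, out=out, proto=proto, dport=dport, state=state)

def matches(r, pkt):
    """True when every match field set on the rule agrees with the packet."""
    return all([
        r["inp"] is None or r["inp"] == pkt["inp"],
        r["out"] is None or r["out"] == pkt["out"],
        r["src"] is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r["src"]),
        r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(r["dst"]),
        r["proto"] is None or r["proto"] == pkt["proto"],
        r["dports"] is None or pkt["dport"] in r["dports"],
        r["state"] is None or pkt["state"] in r["state"],
    ])

def first_match(chain, pkt):
    """(index, target) of the first rule that matches: later rules are never consulted."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return i, r["target"]
    return None, "RETURN"   # end of chain: control goes back to FORWARD

if __name__ == "__main__":
    lan_box = packet("10.0.0.2", "192.168.178.50", dport=22)   # constructed: another LAN host
    print(first_match(WIREGUARD_WG1, lan_box))                 # (3, 'ACCEPT'): the DROPs at 5-7 never see it
    no_catch_all = [r for i, r in enumerate(WIREGUARD_WG1) if i != 3]
    print(first_match(no_catch_all, lan_box))                  # (6, 'DROP')
```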
