如何在 CentOS 7 服务器上运行的 OpenVPN 中为用户和管理员定义单独的角色? 具体来说,只能允许用户执行https
,而必须允许管理员同时执行https
和ssh
。
迄今为止的进展:
翻译中@garethTheRed 建议的链接中的说明,我定义了以下步骤。我还完成了步骤一、二和三。但我不知道如何完成第四步。 有人可以展示如何将第四步从 iptables 转换为firewalld,并确认其他步骤吗?
步骤1(完全的):根据用户类别创建虚拟IP地址映射:
Class Virtual IP range Allowed Services
employees 10.8.0.0/24 https
administrator 10.8.1.0/24 ssh, https
第二步(完全的):在/etc/openvpn/server.conf中,
define the Employee IP address pool:
server 10.8.0.0 255.255.255.0
Add a route for the System Administrator IP range:
route 10.8.1.0 255.255.255.0
Specify client configuration directory to assign a fixed IP forAdministrator:
client-config-dir ccd
第三步(完全的):在新目录/etc/openvpn/ccd
和新配置文件中/etc/openvpn/ccd/sysadmin
:
Define the fixed IP address for the Administrator VPN client:
mkdir ccd
cd ccd
nano sysadmin1
type the following into /etc/openvpn/ccd/sysadmin1:
ifconfig-push 10.8.1.1 10.8.1.2
第四步(我如何在防火墙中执行此操作,以便用户只能https
并且管理员可以ssh
和https
?):
First, define a static unit number for our tun interface:
dev tun0 //where does this go?
Establish firewall rules for the employees and administrator (convert these to firewalld):
# Employee rule // MUST ONLY BE ALLOWED TO https
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.66.4.4 -j ACCEPT
# Sysadmin rule //MUST BE ALLOWED TO ssh AND https
iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.66.4.0/24 -j ACCEPT
注意:当我输入 时firewall-cmd --list-all
,到目前为止整个防火墙配置的总和定义如下:
public (default, active)
interfaces: enp3s0
sources:
services: dhcpv6-client openvpn smtp
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
我想以任何需要的方式更改防火墙配置,以便为此用例提供最佳安全性。
我如何修改上述内容才能使其正常工作?
编辑:
阅读@garethTheRed 的有用答案后,我有三个问题/观察结果:
1.) There is no `tun` device on the firewall, but yet I am able
to connect to the VPN from the client with
`openvpn --config /path/to/client.ovpn` with the firewall
configured only as shown by the results of `firewall-cmd --list-all`.
So why is it necessary to define a `tun` device in the firewall?
2.) `ip addr` shows that I was logged in as 10.8.0.6. How can I
force being logged in as a fixed address, such as 10.8.1.1 defined
in Step Three above?
3.) What privileges/access does a user really have when they log in to the
server via OpenVPN when the firewall is configured as shown in the
results of `firewall-cmd --list-all` above? Are they be able to do
anything other than https without a password anyway? ssh would
require knowledge of both a password and a username.
编辑#2
在 @garethTheRed 非常有用的答案中定义的内部区域中,内部区域的用户似乎可以访问以下服务dhcpv6-client
、ipp-client
、mdns
、samba-client
和ssh
。这篇文章中的用例还包括https
.
因此,此帖子的解决方案似乎包括:
1.) setting up rules blocking the `10.8.0.0/24` ip range from
`dhcpv6-client`, `ipp-client`, `mdns`, `samba-client`, and `ssh`,
while allowing access to `https`.
2.) retaining access by the `10.8.1.0/24` ip range to all services
defined in the internal zone.
3.) creating and installing separate client certificates for the
two classes of users (administrator and user)? Each class,
and therefore each certificate, must have a Canonical Name (CN)
that matches the names of config files added to `/etc/openvpn/ccd`.
Openvpn should then use the config file whose name matches the CN.
This config file should be set to configure the network address
that will be allocated to the clients in that class
@garethTheRed's words are used here in #3.
但这三件事还需要完成这个要求吗?我该如何完成这三件事?
答案1
您可以修改区域并添加丰富的规则ssh
它会阻止除特定范围之外的所有流量 -员工子网。
tun
通过列出所有区域来查找您的界面所在的区域:
firewall-cmd --list-all-zones | less
在输出中,您应该看到类似以下内容的内容:
internal (active)
interfaces: tun0
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
您可能会发现该tun
设备(tun0
在上面的示例中)与您的以太网适配器位于同一区域。虽然这可行,但如果将它们分开,管理起来会更容易。
从区域中删除不需要的服务是明智之举internal
- 就您而言,删除所有服务,但ssh
还要添加http
:
firewall-cmd --zone=internal --permanent --add-service=http
firewall-cmd --zone=internal --permanent --remove-service=dhcpv6-client
对要删除的其他服务重复最后一个命令。确保不要删除ssh
!当您这样做时,external
也从您的区域中删除多余的服务。
tun
将接口所在zone的zone定义文件复制到/etc/firewalld/zones
.例如,如果tun
设备位于Internal
区域中:
sudo cp /usr/lib/firewalld/zones/internal.xml /etc/firewalld/zones
编辑复制的文件并在关闭之前添加以下内容</zone>
:
<rule family="ipv4">
<source invert="True" address="10.8.0.0"/>
<service name="ssh"/>
<reject/>
</rule>
最后,运行firewall-cmd --reload
以应用规则。
警告: 如果这不起作用,你可以把自己锁在门外 :-o
替代选项:
另一个更简单的选项是配置sshd
为仅接受来自给定网络地址的连接 - 10.8.0.0
。
更简单的选择是完全放弃 VPN,仅使用防火墙。如果(且仅当)你的雇员(或您的外部路由器)有一个静态 IP 地址,然后只需配置丰富的规则仅允许其 IP 地址或网络地址访问服务,ssh
同时拒绝所有其他 IP 地址。