这些 iptables 规则有什么问题?

tag-icon tag-icon networking iptables firewall
这些 iptables 规则有什么问题?

以下是我谷歌搜索后得到的结果:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain

这就是我所做的:

答:由于我使用的是 Debian,所以我安装了 iptables-persistent。

B.我sudo /etc/iptables/rules.v4用以下内容替换了其中的默认值:

*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT #allow loopback access
-A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
-A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -i eth+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
-t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
-A OUTPUT -o eth+ ! -d 111.222.333.444 -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
COMMIT

C. 我将更改保存到 /etc/iptables/rules.v4 并重新启动计算机。请注意,111.222.333.444 是位于 XYZ 国家/地区的 VPN 服务器的 IP 地址示例

D. 重新启动后,我无法连接到 VPN 服务器。 rules.v4 的内容有问题

相关内容