PPTP VPN iptables 防火墙问题 csf

PPTP VPN iptables 防火墙问题 csf

我在使用 iptables 和 PPTP VPN 时遇到了问题,我在网上和网上都读过相关主题,但仍然无法让它工作!我试图在我们本地网络上的 ubuntu 服务器上设置 PPTP,以强制客户端必须通过 VPN 登录才能访问互联网。ubuntu 服务器直接连接到互联网。

在我的 rc.local 中,我有以下内容来转发和接受 gre

# PPTP IP forwarding
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A INPUT -p gre -j ACCEPT
sudo iptables -A OUTPUT -p gre -j ACCEPT

它出现在我的 iptables 列表中,所以我知道它在那里。

我在服务器上使用 CSF 作为防火墙,如果禁用它,我可以连接到 VPN 并通过它浏览互联网,如果启用了 CSF,我要么“被通信设备断开连接”,要么我可以连接但无法通过 VPN 访问互联网。

这也有一个奇怪的问题,即它时不时似乎可以通过防火墙工作!

我打开了以下端口:

TCP_IN = ...47,53,80,92,110,143,443,465,587,993,995,1723,7777..
TCP_OUT = ...47,53,80,92,110,113,443,1723,25565,7777...
UDP_IN = 20,21,47,53,1723,27015,27025
UDP_OUT = 20,21,47,53,113,123,1723,27015, 27025

您对如何解决此问题有什么建议吗?您是否需要更多信息?

非常感谢你的宝贵时间,


根据要求提供的额外信息:

iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7377  749K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
 5631  786K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spts:1024:65535 dpt:53 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.13.7          0.0.0.0/0           tcp spts:1024:65535 dpt:53 
    3   626 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spt:53 dpts:1024:65535 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.13.7          0.0.0.0/0           tcp spt:53 dpts:1024:65535 
    0     0 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spt:53 dpt:53 
    0     0 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spts:1024:65535 dpt:53 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.149.93        0.0.0.0/0           tcp spts:1024:65535 dpt:53 
  431 71632 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spt:53 dpts:1024:65535 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.149.93        0.0.0.0/0           tcp spt:53 dpts:1024:65535 
    0     0 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spt:53 dpt:53 
 5021  561K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
 4255  519K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    1    64 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:47 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
   61  3648 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    1    64 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995 
    3   192 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1723 
    2   128 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7777 
   89  5340 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 
   84  5040 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27015 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21433 
  103  6180 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25566 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23456 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6667 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:47 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1723 
  435 19275 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27015 
  389 16837 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27025 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:6667 
    2   122 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 0 limit: avg 1/sec burst 5 
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 3 
 1127 73207 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8150  710K LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner GID match 8 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 0 
  123  7380 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
 5631  786K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
  436 32454 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp spt:53 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp spt:53 
 6572  649K INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
 6852  636K ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:47 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
  148  8880 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:113 
    2   120 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1723 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7777 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27015 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21433 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23456 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
   30  1800 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25555 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6667 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:47 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:113 
   52  3952 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1723 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27015 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27025 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:6667 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 0 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 11 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 3 
    3   183 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0                    

Chain INVALID (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   19   844 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20 
    9   360 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 

Chain INVDROP (10 references)
 pkts bytes target     prot opt in     out     source               destination         
   28  1204 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !lo    *       10.1.2.0/24          0.0.0.0/0           
  461 31652 ACCEPT     all  --  !lo    *       78.129.132.155       0.0.0.0/0           
 6901  714K DSHIELD    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
 6831  695K SPAMHAUS   all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            10.1.2.0/24         
  600 32952 ACCEPT     all  --  *      !lo     0.0.0.0/0            78.129.132.155      

Chain LOGDROPIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:68 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:113 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139 
   76 18810 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:135:139 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:500 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:513 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:513 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520 
  979 50908 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
   26  1056 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 
   41  2173 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* ' 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* ' 
   72  3489 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* ' 
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* ' 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* ' 
    3   183 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

iptables -nvL -t nat

pez@brave:~$ sudo iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 42112 packets, 3106K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 716 packets, 43090 bytes)
 pkts bytes target     prot opt in     out     source               destination          
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
    0     0 MASQUERADE  all  --  *      venet0  10.10.0.0/24         0.0.0.0/0           
31176 2345K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

解决方案总结,在/etc/csf/中创建了新的文件csfpre,添加了以下内容:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -p ALL -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -p ALL -j ACCEPT

答案1

据我所知,您似乎没有启用 GRE 协议。您允许使用端口 47 TCP,但情况不一样。您rc.local关于 GRE 的规则似乎没问题,但可能已被覆盖,因此请在防火墙系统中添加这些规则。

您还具有用于转发数据包的 DROP 策略 - 至少添加此规则:

iptables -A FORWARD -i ppp+ -j ACCEPT

这将启用所有以 开头的接口的转发ppp,这对于基于 PPTP 的 VPN 来说已经足够了。

此外,您可能已经这样做了,但请检查您是否已启用数据包转发sysctl net.ipv4.ip_forward- 它应该是 1。

请注意,TCP 1723 的数据包数(第一列)为 0。尝试连接并检查它是否正常。但当然,请先启用 GRE,否则它将无法正常工作。

相关内容