Port won't open after appending a rule in iptables

I have a server that I'm trying to set up for OpenVPN. I followed all the steps, but when I try to connect to it from Windows it won't let me in and just hangs on connecting, so I ran an nmap scan and found that port 1194 is not open, so naturally I appended a rule to open 1194:

iptables -A INPUT -i eth0 -p tcp --dport 1194 -j ACCEPT

Then service iptables save and service iptables restart, both of which ran successfully.

Then I tried again, but no luck; another nmap scan showed port 1194 closed.

Here is the iptables configuration:

# Generated by iptables-save v1.4.7 on Thu Oct 31 09:47:38 2013
*nat
:PREROUTING ACCEPT [27410:3091993]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [5042:376160]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 41.185.26.238
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 31 09:47:38 2013
# Generated by iptables-save v1.4.7 on Thu Oct 31 09:47:38 2013
*filter
:INPUT ACCEPT [23571:2869068]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27558:3656524]
:vl - [0:0]
-A INPUT -p tcp -m tcp --dport 5252 -m comment --comment "SSH Secure" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -$
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m comment --comment "HTTPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "HTTP Encrypted" -j ACCEP$
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j A$
COMMIT
# Completed on Thu Oct 31 09:47:38 2013

My nmap scans are from:

  • localhost:

    nmap localhost
    
    Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-31 09:53 SAST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000011s latency).
    Other addresses for localhost (not scanned): 127.0.0.1
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    443/tcp  open  https
    1723/tcp open  pptp
    
    Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
    
  • a remote PC:

    nmap [server ip]
    
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-31 09:53 SAST
    Nmap scan report for rla04-nix1.wadns.net (41.185.26.238)
    Host is up (0.025s latency).
    Not shown: 858 filtered ports, 139 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    443/tcp  open  https
    8008/tcp open  http
    
    Nmap done: 1 IP address (1 host up) scanned in 15.70 seconds
    

So, I have no idea what's causing this; any help would be appreciated!

Update after the first answer:

[root@RLA04-NIX1 ~]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@RLA04-NIX1 ~]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
[root@RLA04-NIX1 ~]# iptables -A FORWARD -j REJECT
[root@RLA04-NIX1 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@RLA04-NIX1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@RLA04-NIX1 ~]# service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter nat [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
[root@RLA04-NIX1 ~]# lsof -i :1194
-bash: lsof: command not found

iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5252 /* SSH Secure */ 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW,RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 /* SSH */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 /* HTTP */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 /* HTTPS */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 /* HTTP Encrypted */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 state RELATED,ESTABLISHED 

Chain vl (0 references)
target     prot opt source               destination         
[root@RLA04-NIX1 ~]# nmap localhostt

Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-31 11:13 SAST

Remote PC

nmap [server ip]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-31 11:11 SAST
Nmap scan report for rla04-nix1.wadns.net (41.185.26.238)
Host is up (0.020s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8008/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.18 seconds

Localhost

nmap localhost

Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-31 11:13 SAST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
443/tcp  open  https
1723/tcp open  pptp

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Update after scanning UDP ports

Sorry, I'm a noob and still learning, but here is the output:

nmap -sU [server ip]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-31 11:33 SAST
Nmap scan report for [server address] ([server ip])
Host is up (0.021s latency).
Not shown: 997 open|filtered ports
PORT      STATE  SERVICE
53/udp    closed domain
123/udp   closed ntp
33459/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 8.57 seconds

By the way, no changes have been made since this post was started (apart from the iptables changes).

Answer 1

You are still checking a UDP service by running nmap in TCP port-scan mode. That absolutely will not work. If you insist on using nmap to verify new firewall holes (myself, I'd just fire up a client and see whether it connects), at least run it in UDP mode, with nmap -sU.

Edit: OK, so now you're at least checking UDP, but you're also assuming that 1194 is one of the automatically scanned ports. Try nmap -sU -p 1194 [server ip]. That's the only one you're interested in anyway. Can you confirm that the OpenVPN server daemon is running? If it isn't, there's nothing to talk to. Please consider my earlier suggestion: run an OpenVPN client as the connection test. It will give you much more useful information than nmap, because it can talk to the service in a way that elicits a response, and will report usefully on it.

Answer 2

By default the VPN will use UDP port 1194 to communicate; you can check this by running lsof -i :1194, which will show you whether the VPN is communicating over TCP or UDP (depending on your VPN configuration).

On a basic server install, these iptables rules are enough for the VPN to work:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Finally, you need to enable ip_forward in sysctl:
echo 1 > /proc/sys/net/ipv4/ip_forward
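The script below is an added example and is not code from either answer or from the OpenVPN project. It does offline what the two answers tell the questioner to do by hand: it parses an iptables-save dump and reports which protocol INPUT actually accepts on port 1194 (the question's own listing only has a udp rule, so a TCP scan could never show it open), counts rule lines saved more than once (the repeated MASQUERADE rules come from re-running append-and-save), and counts FORWARD rules appended after an unconditional REJECT, which can never match (the second copy of the answer's three rules in the question's iptables -L -n output). The sample dump is constructed from the question's rules with the documentation address 203.0.113.10 in place of the real server IP; with --live, and only if iptables-save is installed, it runs the same checks against the local host and lists UDP listeners with ss or netstat, so the daemon can be confirmed without lsof.

```shell
#!/bin/sh
# Added example: static checks over an iptables-save dump plus optional live checks.
# Not the questioner's or the project's code; the dump below is constructed.

# Constructed sample mirroring the question: a MASQUERADE rule saved twice, and
# the answer's three FORWARD rules appended again after an unconditional REJECT.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# input_accepts DUMP PROTO PORT -> prints yes/no: is there an explicit
# "-p PROTO ... --dport PORT -j ACCEPT" rule in the filter table's INPUT chain?
input_accepts() {
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "INPUT" {
            proto = ""; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (proto == p && port == d && target == "ACCEPT") { found = 1; exit }
        }
        END { print (found ? "yes" : "no") }'
}

# duplicate_rules DUMP -> number of distinct rule lines that occur more than
# once within the same table (what repeated "iptables -A ...; service iptables save" leaves behind).
duplicate_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        $1 == "-A" { seen[table SUBSEP $0]++ }
        END { n = 0; for (k in seen) if (seen[k] > 1) n++; print n }'
}

# unreachable_rules DUMP -> number of rules placed after an earlier rule in the
# same chain that rejects or drops everything with no match options at all.
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        $1 == "-A" {
            chain = table SUBSEP $2
            if (chain in dead) { n++; next }
            # "-A CHAIN -j REJECT|DROP ..." with nothing between the chain name and -j
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) dead[chain] = 1
        }
        END { print n + 0 }'
}

# Live checks on this host; skipped where iptables-save is absent (for example in
# a test sandbox). Lists UDP listeners so the OpenVPN socket can be confirmed
# without lsof, which the questioner's box did not have.
live_checks() {
    command -v iptables-save >/dev/null 2>&1 || { echo "iptables-save not found; skipping live checks"; return 0; }
    dump=$(iptables-save 2>/dev/null) || return 0
    echo "INPUT accepts udp/1194: $(input_accepts "$dump" udp 1194)"
    echo "INPUT accepts tcp/1194: $(input_accepts "$dump" tcp 1194)"
    echo "duplicated rules:       $(duplicate_rules "$dump")"
    echo "unreachable rules:      $(unreachable_rules "$dump")"
    echo "ip_forward:             $(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)"
    if command -v ss >/dev/null 2>&1; then ss -lun; else netstat -lun 2>/dev/null; fi
}

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    echo "INPUT accepts udp/1194: $(input_accepts "$SAMPLE_DUMP" udp 1194)"   # yes
    echo "INPUT accepts tcp/1194: $(input_accepts "$SAMPLE_DUMP" tcp 1194)"   # no
    echo "duplicated rules:       $(duplicate_rules "$SAMPLE_DUMP")"          # 4
    echo "unreachable rules:      $(unreachable_rules "$SAMPLE_DUMP")"        # 3
fi
```

Run without arguments it reports on the constructed dump; run as root with --live it reads the host's own ruleset. A tcp/1194 result of "no" next to udp/1194 "yes" is the whole of Answer 1 in one line, and a non-zero unreachable count means the chain already terminates before the newly appended rules, so appending more rules cannot change behaviour; the fix is to flush and rebuild the chain once rather than keep appending.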
