我在 Fedora 20 上安装了 OpenVPN 服务器(服务器桥),但无法使其工作。我几乎可以肯定这是防火墙问题。
我正在尝试从 OSX 客户端进行连接,但在服务器上配置桥接器之前,我可以连接(仅连接到 VPN 服务器,无需访问任何内容),但是一旦我配置了桥接器接口(使用这脚本),然后我就无法再连接了。我已将其配置为服务器桥,并遵循以下 HOW-TOFedora和OpenVPN 以太网桥。
防火墙配置使用 iptables 来解释:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
然而,在 Fedora 20 中,默认情况下,它安装了防火墙,所以,有人能告诉我使用 的等效命令firewall-cmd吗?我读过防火墙指南,但我不清楚如何实现它(我是一名开发人员,不是系统管理员)。
我知道我可以安装 iptables,但我希望它能与firewalld 一起工作。
更新:在阅读了firewall-cmd手册页之后,我尝试使用选项应用前面的命令--passthrough,即:
# firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
命令成功执行,但是不起作用,我也尝试使用eb代替,ipv4结果相同。
输出ifconfig类似于:
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.40 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::c9:aff:fe02:d953 prefixlen 64 scopeid 0x20<link>
ether 02:c9:09:02:d9:53 txqueuelen 0 (Ethernet)
RX packets 11276 bytes 1374285 (1.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 899 bytes 240110 (234.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::c9:afa:fe02:d953 prefixlen 64 scopeid 0x20<link>
ether 03:c9:0a:02:d9:53 txqueuelen 1000 (Ethernet)
RX packets 13548 bytes 1942379 (1.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1162 bytes 269258 (262.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 117 base 0xc000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 16436
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 6883 bytes 2061608 (1.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6883 bytes 2061608 (1.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
p2p0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet6 fe80::9831:16ff:fe81:3658 prefixlen 64 scopeid 0x20<link>
ether 9a:3b:16:84:36:58 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap0: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether d6:6c:20:12:f3:b6 txqueuelen 100 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.41 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::9a5b:16ff:fe81:3658 prefixlen 64 scopeid 0x20<link>
ether 98:3b:11:81:36:58 txqueuelen 1000 (Ethernet)
RX packets 2643 bytes 230523 (225.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5512 bytes 1726039 (1.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
答案1
Firewalld 已经预先配置了一些服务,可以通过以下命令查看:
firewall-cmd --get-services
(配置文件/usr/lib/firewalld/services/openvpn.xml)
如果你看到 openvpn 已经是可用服务,你可以使用以下命令启用它:
firewall-cmd --add-service openvpn
答案2
我最初问题的答案是:
# firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
然后,如果你执行:
# firewall-cmd --permanent --direct --get-all-passthroughs
你会得到这个:
ipv4 -A INPUT -i tap0 -j ACCEPT
ipv4 -A INPUT -i br0 -j ACCEPT
ipv4 -A FORWARD -i br0 -j ACCEPT
但是仍然存在问题,我无法连接到 VPN 服务器,因此欢迎任何想法/线索。