OpenVPN and UFW

I installed OpenVPN on a server that already had UFW installed, enabled IP forwarding in /etc/sysctl.conf (edited with vi) and applied the change with sysctl -p.

I also enabled forwarding with echo 1 > /proc/sys/net/ipv4/ip_forward

Forwarding with iptables

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Allowed the port in ufw

ufw allow 1194/udp
ufw allow 1194/tcp

I restarted the server, OpenVPN and everything else, but the client does not connect; if I disable ufw with ufw disable, the connection succeeds.

Here are the contents of /etc/default/ufw

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

Here are the contents of /etc/ufw/before.rules

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

.
.
.

#openvpn
-A ufw-before-input -i tun+ -j ACCEPT
# the output chain must match on the output interface (-o); an -i match never fires there
-A ufw-before-output -o tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
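As an added example that is not from the post, the Python below lints the two files quoted above for the settings a routed OpenVPN setup depends on: the forward policy in /etc/default/ufw, a MASQUERADE rule in the *nat section of before.rules for the VPN subnet out of the WAN interface, an ACCEPT in ufw-before-forward for that subnet, and an output-chain rule that matches on -i (the OUTPUT path has no input interface, so such a rule never matches). The subnet 10.8.0.0/24 and interface eth0 come from the post; the file contents in the block are constructed samples, not the poster's files.

```python
# Added example, not from the post: lint the ufw files for routed-OpenVPN settings.
VPN_SUBNET = "10.8.0.0/24"  # subnet and egress interface named in the post
WAN_IFACE = "eth0"
DEFAULTS = 'DEFAULT_FORWARD_POLICY="ACCEPT"  # constructed /etc/default/ufw\n'
BEFORE = '''
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A ufw-before-output -i tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
COMMIT
'''

def parse_defaults(text):
    """KEY="VALUE" lines of /etc/default/ufw -> dict, comments and quotes stripped."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out

def rules_by_table(text):
    """Group iptables-restore '-A' lines under their '*table' header."""
    tables, table = {}, "filter"  # rules before any header are taken as filter
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            tables.setdefault(table, []).append(line)
    return tables

def lint(defaults_text, before_text):
    """Return the problems found; an empty list means the config looks right."""
    problems = []
    if parse_defaults(defaults_text).get("DEFAULT_FORWARD_POLICY") != "ACCEPT":
        problems.append("DEFAULT_FORWARD_POLICY is not ACCEPT: forwarded VPN traffic is dropped")
    tables = rules_by_table(before_text)
    if not any(f"-s {VPN_SUBNET}" in r and f"-o {WAN_IFACE}" in r and "MASQUERADE" in r
               for r in tables.get("nat", [])):
        problems.append(f"*nat lacks a MASQUERADE rule for {VPN_SUBNET} out {WAN_IFACE}")
    filt = tables.get("filter", [])
    if not any(r.startswith("-A ufw-before-forward") and f"-s {VPN_SUBNET}" in r for r in filt):
        problems.append("ufw-before-forward has no ACCEPT for the VPN subnet")
    problems += [f"output rule uses -i instead of -o: {r}" for r in filt
                 if r.startswith("-A ufw-before-output") and " -i " in r]
    return problems
```

Run lint() on the real files read from disk to get the list of findings; the constructed sample reproduces the one defect in the quoted before.rules.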
