Completely blocking SMTP on OpenVPN Access Server

I have tried almost every iptables rule to block SMTP on the OpenVPN server, but clients can still reach remote SMTP servers on port 25.

I am using OpenVPN Access Server. It creates two interfaces, as0t0 and as0t1.

All users are assigned IPs from 172.16.0.0/12.

Please help me with which rules would solve this.

iptables rules set by OpenVPN Access Server:

#Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*nat
:PREROUTING ACCEPT [566:72410]
:POSTROUTING ACCEPT [36:2340]
:OUTPUT ACCEPT [36:2340]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST 
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST 
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE 
-A AS0_NAT -o eth0 -j SNAT --to-source 91.13.18.170 
-A AS0_NAT -j ACCEPT 
-A AS0_NAT_POST_REL_EST -j ACCEPT 
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT 
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST 
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST 
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST 
-A AS0_NAT_PRE -j AS0_NAT 
-A AS0_NAT_PRE_REL_EST -j ACCEPT 
-A AS0_NAT_TEST -o as0t+ -j ACCEPT 
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT 
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT 
-A AS0_NAT_TEST -j AS0_NAT 
COMMIT
# Completed on Sun Apr 10 13:03:56 2016
# Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*mangle
:PREROUTING ACCEPT [146:10130]
:INPUT ACCEPT [6422:1226373]
:FORWARD ACCEPT [8289:2947415]
:OUTPUT ACCEPT [5446:2764996]
:POSTROUTING ACCEPT [13735:5712411]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST 
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN 
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT 
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff 
-A AS0_MANGLE_TUN -j ACCEPT 
COMMIT
# Completed on Sun Apr 10 13:03:56 2016
# Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3970:2307554]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT 
-A INPUT -i lo -j AS0_ACCEPT 
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE 
-A INPUT -d 91.13.18.170/32 -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT 
-A INPUT -d 91.13.18.170/32 -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT 
-A INPUT -d 91.13.18.170/32 -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -p udp -m udp --dport 25 -j DROP 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -i as0t0 -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -i as0t1 -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT 
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE 
-A FORWARD -o as0t+ -j AS0_OUT_S2C 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t0 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t1 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i lo -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t+ -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t0 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t1 -p tcp -m tcp --dport 25 -j DROP 
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL 
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP 
-A AS0_ACCEPT -j ACCEPT 
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT 
-A AS0_IN -j AS0_IN_POST 
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000 
-A AS0_IN_NAT -j ACCEPT 
-A AS0_IN_POST -o as0t+ -j AS0_OUT 
-A AS0_IN_POST -j DROP 
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN 
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN 
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN 
-A AS0_IN_PRE -j ACCEPT 
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000 
-A AS0_IN_ROUTE -j ACCEPT 
-A AS0_OUT -j AS0_OUT_POST 
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP 
-A AS0_OUT_LOCAL -j ACCEPT 
-A AS0_OUT_POST -j DROP 
-A AS0_OUT_S2C -j AS0_OUT 
-A AS0_WEBACCEPT -j ACCEPT 
COMMIT
# Completed on Sun Apr 10 13:03:56 2016

Thank you!

Answer 1

Have you checked whether the FORWARD rules match any VPN traffic at all? Try iptables -L -n -v and send some packets through the tunnel to check whether the counters are increasing.

Your fourth FORWARD rule (-A FORWARD -j REJECT --reject-with icmp-host-prohibited) discards all traffic that has not already been accepted. So your later FORWARD rules (the ones blocking port 25) are shadowed anyway (unreachable).

Depending on your OpenVPN server configuration, OpenVPN may route packets itself instead of sending them through your FORWARD chain.
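An added example (not part of the question or the answer) that makes the answer's point about rule ordering mechanical: it parses a constructed excerpt of the FORWARD chain from the dump above, reports the rules left unreachable behind the unconditional REJECT, and shows where a port-25 DROP has to sit so tunnel traffic hits it before AS0_IN_PRE accepts it. The rule list and the helper names are assumptions made here.

```python
# Constructed excerpt of the FORWARD chain from the iptables-save dump above
# (duplicates dropped); not the poster's complete ruleset.
FORWARD_RULES = [
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT",
    "-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE",
    "-A FORWARD -o as0t+ -j AS0_OUT_S2C",
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
    "-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -j DROP",
    "-A FORWARD -i as0t+ -p tcp -m tcp --dport 25 -j DROP",
]

# Built-in targets that end chain traversal for a matching packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Split an iptables-save rule into (chain, match tokens, target)."""
    tokens = line.split()
    j = tokens.index("-j")
    return tokens[1], tokens[2:j], tokens[j + 1]


def shadowed_rules(rules):
    """1-based positions of rules that can never match because an earlier
    rule in the chain has no match criteria and a terminal target."""
    shadowed, blocked = [], False
    for pos, line in enumerate(rules, 1):
        _, matches, target = parse_rule(line)
        if blocked:
            shadowed.append(pos)
        elif not matches and target in TERMINAL:
            blocked = True
    return shadowed


def reorder_port25_drops(rules):
    """Move the TCP/25 DROP rules ahead of the first rule that can accept a
    packet (ACCEPT or a jump into a user chain such as AS0_IN_PRE), which is
    where they must sit to catch tunnel traffic. On a live box this is
    deleting them and re-adding with 'iptables -I FORWARD 1 ...'."""
    drops = [r for r in rules
             if "--dport 25" in r and parse_rule(r)[2] == "DROP"]
    rest = [r for r in rules if r not in drops]
    first_accepting = next((i for i, r in enumerate(rest)
                            if parse_rule(r)[2] not in {"DROP", "REJECT"}),
                           len(rest))
    return rest[:first_accepting] + drops + rest[first_accepting:]


if __name__ == "__main__":
    print("unreachable FORWARD rules:", shadowed_rules(FORWARD_RULES))
    for rule in reorder_port25_drops(FORWARD_RULES):
        print(rule)
```

The counter check the answer suggests corresponds to iptables -L FORWARD -n -v --line-numbers, where the pkts column of a shadowed rule stays at zero no matter how much tunnel traffic flows.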
