iptables 用于将单个用户路由到 tun0 上的 openvpn,并拒绝 eth0 访问?

tag-icon tag-icon iptables openvpn
iptables 用于将单个用户路由到 tun0 上的 openvpn,并拒绝 eth0 访问?

我正在尝试通过 openvpn 路由一个用户的流量。如果 vpn 出现故障,他们的流量将被拒绝。我想使用附加到 openvpn 的脚本来执行此操作。

在我的测试中,这适用于通过 vpn 路由用户,直到我使用 DROP iptable...然后用户失去所有连接并且其他规则被忽略..

这一切都在 debian stretch 上。

我在这里找到了一个很好的综合指南:https://www.niftiestsoftware.com/2011/08/28/making-all-network-traffic-for-a-linux-user-use-a-specific-network-interface/comment-page-1/

在大多数情况下,它运行良好,但我遇到了与以前相同的问题。我可以将用户的流量路由到 vpn,但如果 vpn 不存在,它就会返回到 eth0 或其他地方。

如果我尝试使用相当于“允许tun0,不允许eth0”的方式阻止这种情况,我最终会阻止 tun0 和 eth0”

iptables -A OUTPUT -o eth0 -m owner --uid-owner $VPNUSER -j REJECT 与……相冲突

iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o tun0 -m owner --uid-owner $VPNUSER -j ACCEPT

我在这里做错了什么?

下面是我的第一次尝试,但现在我遵循上面链接的格式:

iptables -F OUTPUT
iptables -I OUTPUT -m owner --uid-owner foo -j MARK --set-mark 42
iptables -I OUTPUT -d 10.20.0.0/24 -m owner --uid-owner foo
iptables -I OUTPUT -d VPNSERVERIP -p udp -j ACCEPT -m owner --uid-owner foo
iptables -I OUTPUT -j DROP -m owner --uid-owner foo
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

然后再做一些其他的事情来让路由正常工作......

ip rule add fwmark 42 table 42

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > $f
    done;
ip route add default via $(ifconfig -a tun0 | grep -o 'destination [^ ]*' | cut -d \  -f 2) table 42

毕竟这iptables -L OUTPUT看起来像这样:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             owner UID match foo
ACCEPT     udp  --  anywhere             VPNSERVERIP       owner UID match foo
           all  --  anywhere             10.20.0.0/24         owner UID match foo
MARK       all  --  anywhere             anywhere             owner UID match foo MARK set 0x2a

答案1

这可能会有所帮助:

https://www.privateinternetaccess.com/forum/discussion/3615/howto-ubuntu-debian-block-all-traffic-on-the-eth-card-and-use-only-the-vpn-updated

他们阻止了所有到 eth0 的流量,然后允许一些流量稍后通过(DNS,ping)

戈尔德施泰因

2014 年 8 月一般隐私讨论

帖子:4

(更新)

大家好你们好,

我试图构建一个解决方案,将 Debian 或 Ubuntu 机器转变为只能通过 VPN 访问互联网(以避免断开连接或 OpenVPN 崩溃时出现任何错误)。

供您参考,我使用配置了 PIA 配置文件的 OpenVPN,并且我假设您的计算机上只有 eth0。

1/ 当接口启动时,禁用流量

/etc/网络/接口

   auto eth0

   iface eth0 inet dhcp

       pre-up iptables-restore < /etc/iptables.rules

然后:/etc/iptables.rules

   *filter

   # Default Policy

   :INPUT DROP [0:0]

   :FORWARD DROP [0:0]

   :OUTPUT DROP [0:0]

   # Broadcast without logging

   -A INPUT -m pkttype --pkt-type broadcast -j DROP -m comment --comment "Block Broadcast INPUT (No log)"

   -A INPUT -m pkttype --pkt-type multicast -j DROP -m comment --comment "Block Multicast INPUT (No Log)"

   # Allow localhost

   -A INPUT  -i lo -m comment --comment "Accept localhost Input" -j ACCEPT

   -A OUTPUT -o lo -m comment --comment "Accept localhost Output" -j ACCEPT

   ## Allow to connect to upd 1194 (openvpn)

   -A OUTPUT -p udp --dport 1194 -j ACCEPT -m comment --comment "Allow my computer to query the DNS server"

   -A INPUT  -p udp --sport 1194 -m state --state ESTABLISHED -j ACCEPT  -m comment --comment "Allow the server to reply (related to lport)"

   # Allow DNS

   -A OUTPUT -p udp -d 209.222.18.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow my machine to connect to the DNS1"

    -A INPUT  -p udp -s 209.222.18.222 --sport 53 -m state --state ESTABLISHED     -j ACCEPT -m comment --comment "Allow the DNS1 to answer"

   -A OUTPUT -p udp -d 209.222.18.218 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow my machine to connect to the DNS2"

   -A INPUT  -p udp -s 209.222.18.218 --sport 53 -m state --state ESTABLISHED     -j ACCEPT -m comment --comment "Allow the DNS2 to answer"

   # Logging

   -A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW DROP INPUT: " --log-level 7 -m comment --comment "Log Input"

   -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW DROP FORWARD: " --log-level 7 -m comment --comment "Log Forward"

   -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "FW DROP OUTPUT: " --log-level 7 -m comment --comment "Log Output"

   # Ping

   -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ping to Outside"

   COMMIT

然后,如果你不启动 VPN,你将一无所有,除了 localhost、DNS 和 OpenVPN

要应用更改:

   # ifdown eth0

   # ifup eth0

当你启动 VPN 时,为了避免 DNS 泄漏,我会启动一个脚本

我必须“破解”/etc/default/openvpn 文件以在其顶部添加:

   # A pre script for Private Internet Access

/etc/openvpn/before_start.sh

/etc/openvpn/before_start.sh 包含:

   #!/bin/bash

   DNS1=209.222.18.222

   DNS2=209.222.18.218

   ## Change the DNS to avoid DNS Leak

   echo "nameserver $DNS1" > /etc/resolv.conf

   echo "nameserver $DNS2" >> /etc/resolv.conf

然后进入 /etc/openvpn/vpn.conf,我在最后添加了(不要忘记删除 nobind,因为我强制使用本地端口)

   lport 1194

   ipchange up_script.sh

   down down_script.sh

查找 up_script.sh(我已经改进了它,添加了日志并删除了所有广播地址,但我现在没有这个文件)。防火墙规则之所以存在,是因为我之前不知道公共 IP。网关许可仅用于满足我的个人需求,您可以将其删除

   #!/bin/bash

   # Firewall Rules

   IP=$(echo $1 | sed 's/\[AF_INET\]//g')

   GW=$(/sbin/ip route | awk '/default/ { print $3 }')

   IPT=iptables

   # Start

   logger "ovpn: Got public IP $IP"

   # tun interfaces (VPN)

   $IPT -A INPUT  -i tun+ -j ACCEPT -m comment --comment "Accept TUN Input"

   $IPT -A OUTPUT -o tun+ -j ACCEPT -m comment --comment "Accept TUN Output"

   # Allow traffic with my VPN server

   $IPT -A INPUT  -s $IP -j ACCEPT -m comment --comment "Accept PIA Input"

   $IPT -A OUTPUT -d $IP -j ACCEPT -m comment --comment "Accept PIA Output"

   # Allow my gateway on eth0

   $IPT -A OUTPUT -d $GW -o eth+ -j ACCEPT -m comment --comment "Accept My Gateway"

然后down_script.sh

   #!/bin/bash

   GW=$(/sbin/ip route | awk '/default/ { print $3 }')

   IPT=iptables

   # Push DNS again

   echo "nameserver 127.0.0.1" > /etc/resolv.conf

   # Restart my interface !

   ifdown -a

   ifup -a

那么您对此有什么看法?

G。

答案2

我使用以下配置使它工作:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -m comment --comment "Block Broadcast INPUT (No log)" -j DROP
-A INPUT -m pkttype --pkt-type multicast -m comment --comment "Block Multicast INPUT (No Log)" -j DROP
-A INPUT -i lo -m comment --comment "Accept localhost Input" -j ACCEPT
-A INPUT -p udp -m udp --sport 1194 -m state --state ESTABLISHED -m comment --comment "Allow the server to reply (related to lport)" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -m comment --comment "Allow the DNS1 to answer" -j ACCEPT
-A INPUT -s 8.8.4.4/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -m comment --comment "Allow the DNS2 to answer" -j ACCEPT
-A INPUT -m limit --limit 10/min -m comment --comment "Log Input" -j LOG --log-prefix "FW DROP INPUT: " --log-level 7
-A INPUT -i tun+ -m comment --comment "Accept TUN Input" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 10/min -m comment --comment "Log Forward" -j LOG --log-prefix "FW DROP FORWARD: " --log-level 7
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s $EXTERNALIP -o $EXT_INT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT ! -s $EXTERNALIP/32 -o $EXT_INT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT ! -s $EXTERNALIP/32 -o $EXT_INT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m comment --comment "Accept localhost Output" -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -m comment --comment "Allow my computer to query the DNS server" -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $EXT_INT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -o $EXT_INT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m comment --comment "Allow my machine to connect to the DNS1" -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m comment --comment "Allow my machine to connect to the DNS2" -j ACCEPT
-A OUTPUT -m limit --limit 10/min -m comment --comment "Log Output" -j LOG --log-prefix "FW DROP OUTPUT: " --log-level 7
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ping to Outside" -j ACCEPT
-A OUTPUT -o tun+ -m comment --comment "Accept TUN Output" -j ACCEPT
-A f2b-sshd -j RETURN

相关内容