I built my own Debian 10 router for my home, mainly so it could be an always-on VPN router using openvpn, while also acting as the DHCP server and encrypting DNS with dnscrypt-proxy. Everything worked fine for a while, until I got an amazon prime subscription; it detects the VPN and blocks me. The only way to get amazon prime to work is to turn the VPN off, but I don't want to do that.
Is there a way, using the nftables firewall, to route traffic to amazon prime (primevideo.com, or 13.32.45.99) around the VPN? Currently I only allow outbound traffic from the LAN to leave via the VPN, but there must be a way to also allow traffic to and from just this site over the WAN interface.
The VPN uses openvpn and the interface is called tun0.
Internet access from the LAN goes out through the WAN1 interface (unless the VPN is up, in which case it is routed via tun0).
Here is the nftables script that runs when the VPN is up:
#!/bin/sh
nft flush ruleset

# NAT table: send LAN DNS queries to the router's own resolver (dnscrypt-proxy)
nft add table nat
nft add chain nat prerouting { type nat hook prerouting priority 0\; policy accept\;}
nft add rule nat prerouting udp dport 53 ip saddr 192.168.1.0/24 dnat 192.168.1.1:53
# Source NAT only for traffic leaving through the VPN tunnel
nft add chain nat postrouting { type nat hook postrouting priority 100\; policy accept\;}
nft add rule nat postrouting oifname tun0 masquerade

# Filter table: input is dropped by default; the port list below is accepted on
# every interface, since no iif/iifname restriction is given
nft add table filter
nft add chain filter input { type filter hook input priority 0\; policy drop\;}
nft add rule filter input iif lo accept
nft add rule filter input tcp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter input udp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter input icmp type echo-request accept
nft add rule filter input icmp type time-exceeded accept
nft add rule filter input ct state related,established accept

# Output from the router itself: dropped by default, but "ct state new" accepts
# any new connection, so the port lists above are effectively redundant here
nft add chain filter output { type filter hook output priority 0\; policy drop\;}
nft add rule filter output oif lo accept
nft add rule filter output tcp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter output udp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter output icmp type echo-request accept
nft add rule filter output icmp type time-exceeded accept
nft add rule filter output ct state new,related,established accept

# Forwarding between LAN and tun0/WAN1 is accepted by default
nft add chain filter forward { type filter hook forward priority 0\; policy accept\;}
nft add rule filter forward ct state related,established accept
This is the resulting NFT ruleset (nft list ruleset):
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
		udp dport domain ip saddr 192.168.1.0/24 dnat to 192.168.1.1:domain
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname "tun0" masquerade
	}
}
table ip filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		tcp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
		udp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
		icmp type echo-request accept
		icmp type time-exceeded accept
		ct state established,related accept
	}

	chain output {
		type filter hook output priority 0; policy drop;
		oif "lo" accept
		tcp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
		udp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
		icmp type echo-request accept
		icmp type time-exceeded accept
		ct state established,related,new accept
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
		ct state established,related accept
	}
}
The router runs Debian Buster. The NFT version is nftables v0.9.0 (Fearless Fosdick).
Any help would be appreciated. Thanks.