iptables per-user split tunnel leaks UDP packets


I followed the guide here: https://gist.github.com/GAS85/4e40ece16ffa748e7138b9aa4c37ca52

I added some rules for local traffic, but my setup still leaks UDP packets to the regular network on a port (6881) that the firewall does not explicitly allow, and it does not steer the traffic into the VPN correctly.

# Generated by iptables-save v1.8.7 on Tue Mar 28 08:17:46 2023
*mangle
:PREROUTING ACCEPT [815888:3446674394]
:INPUT ACCEPT [815869:3446672358]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [291767:5488397080]
:POSTROUTING ACCEPT [291835:5488406564]
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT ! -d 192.168.50.13/32 -m owner --uid-owner 1050 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.50.13/32 -p udp -m udp --dport 53 -m owner --uid-owner 1050 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.50.13/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 1050 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -s 192.168.50.13/32 -p tcp -m tcp -m multiport --sports 6800,58846 -m owner --uid-owner 1050 -j MARK --set-xmark 0x0/0xffffffff
-A OUTPUT ! -s 192.168.50.13/32 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Tue Mar 28 08:17:47 2023
# Generated by iptables-save v1.8.7 on Tue Mar 28 08:17:47 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 58846 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7878 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8989 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4045 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 1110 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m owner --uid-owner 1050 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1050 -j ACCEPT
-A OUTPUT ! -s 192.168.50.13/32 -o ens3 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 58846 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 7878 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8989 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4045 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1110 -j ACCEPT
COMMIT
# Completed on Tue Mar 28 08:17:47 2023
# Generated by iptables-save v1.8.7 on Tue Mar 28 08:17:47 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 28 08:17:47 2023

This is really strange, because testing with TCP as user 1050 produces the correct behaviour: all TCP traffic goes through the VPN rather than the regular network. So why does my firewall or gateway leak UDP traffic to the regular network?
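An added check, not part of the question or of the linked gist: a small first-match evaluator for the `*filter` OUTPUT chain posted above. It feeds constructed packet descriptions (destination 203.0.113.5 and source port 40000 are made up; the interface names, UID, addresses and ports come from the posted ruleset) through the chain and reports which rule, or the chain policy, decides each one. It models only the filter table, treats every packet as state NEW, and does not model the mangle marks, conntrack, or policy routing. What it shows is that a datagram to port 6881 leaving ens3 with the LAN source address 192.168.50.13 matches none of the rules and is accepted by the chain's `ACCEPT` policy, for UDP and TCP alike, so the filter table alone cannot be what keeps TCP on the VPN; the `REJECT` rule only catches packets on ens3 that carry a different source address.

```python
import ipaddress
import shlex

# Sample input: the *filter OUTPUT rules and policy copied from the question.
FILTER_OUTPUT_POLICY = "ACCEPT"
FILTER_OUTPUT_RULES = """\
-A OUTPUT -o lo -m owner --uid-owner 1050 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1050 -j ACCEPT
-A OUTPUT ! -s 192.168.50.13/32 -o ens3 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 58846 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 7878 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8989 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4045 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1110 -j ACCEPT
"""


def parse_rule(line):
    """Split one iptables-save rule into its matches and its target.

    Returns ([(option, value, negated), ...], target). The chain name (-A),
    module loaders (-m) and the REJECT option are skipped; every other option
    in this ruleset takes exactly one argument, and "!" negates the next one.
    """
    toks = shlex.split(line)
    matches, target, negate, i = [], None, False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok in ("-A", "-m", "--reject-with"):
            i += 2
            continue
        if tok == "-j":
            target, i = toks[i + 1], i + 2
            continue
        matches.append((tok, toks[i + 1], negate))
        negate, i = False, i + 2
    return matches, target


def match_one(opt, val, pkt):
    """Evaluate a single, non-negated match against a packet description."""
    if opt == "-o":
        return pkt["oif"] == val
    if opt == "-p":
        return pkt["proto"] == val
    if opt in ("-s", "-d"):
        addr = pkt["src"] if opt == "-s" else pkt["dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
    if opt in ("--sport", "--dport"):
        return pkt[opt.lstrip("-")] == int(val)
    if opt == "--uid-owner":
        return pkt["uid"] == int(val)
    if opt == "--state":
        return pkt["state"] in val.split(",")
    raise ValueError(f"unsupported match {opt}")


def verdict(pkt, rules=FILTER_OUTPUT_RULES, policy=FILTER_OUTPUT_POLICY):
    """Return (target, rule) for the first matching rule, else (policy, '<policy>')."""
    for line in filter(None, rules.splitlines()):
        matches, target = parse_rule(line)
        # A negated match succeeds exactly when the plain match fails.
        if all(match_one(o, v, pkt) != neg for o, v, neg in matches):
            return target, line
    return policy, "<policy>"


def packet(proto, dport, oif, src, uid=1050, state="NEW"):
    """Describe a locally generated packet; dst and sport are constructed values."""
    return {"proto": proto, "dport": dport, "sport": 40000, "oif": oif,
            "src": src, "dst": "203.0.113.5", "uid": uid, "state": state}


if __name__ == "__main__":
    cases = [
        ("uid 1050 UDP/6881 via tun0", packet("udp", 6881, "tun0", "10.8.0.2")),
        ("uid 1050 UDP/6881 via ens3, LAN source", packet("udp", 6881, "ens3", "192.168.50.13")),
        ("uid 1050 TCP/6881 via ens3, LAN source", packet("tcp", 6881, "ens3", "192.168.50.13")),
        ("uid 1050 UDP/6881 via ens3, other source", packet("udp", 6881, "ens3", "10.8.0.2")),
    ]
    for label, pkt in cases:
        target, rule = verdict(pkt)
        print(f"{label}: {target}  <- {rule}")
```

Run it as a script to see the per-packet verdicts; the useful comparison is the two ens3 cases with the LAN source address, which both fall through to the policy. Whether such a packet ends up on ens3 or tun0 in the first place is decided by the mangle mark and the routing tables, which is where the TCP/UDP difference would have to be looked for.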
