I'm trying to restrict VPN access to a private network running in Openstack. The Wireguard server sits inside the private network, and traffic from Openstack is routed to its private IP address. Inside the private network there is a DNS server that all clients need to reach, and each client has one specific server of its own. A client should only be able to reach its own server and the DNS server. Admins should additionally have unrestricted access to the private network through wireguard, using a different wireguard interface.
Network
Wireguard server (Ubuntu 22.04):
net.ipv4.ip_forward=1 in /etc/sysctl.conf
- ens3: 10.10.10.107
- wg_admin: 10.42.43.1 / port 51821
- wg_clients: 10.42.42.1 / port 51820
Servers inside the private network:
- DNS server: 10.10.10.203
- Client1 server: 10.10.10.133
- Client2 server: 10.10.10.209
Connecting clients/admins:
- Client1: 10.42.42.3
- Client2: 10.42.42.2
- Admin1: 10.42.43.2
Wireguard server configuration
I'm using two zones:
public: handles incoming traffic
$ firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: dhcpv6-client ssh ssh-custom
ports: 51821/udp 51820/udp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
wireguard: handles wireguard traffic; restricts which traffic is forwarded
$ firewall-cmd --zone=wireguard --list-all
wireguard (active)
target: default
icmp-block-inversion: no
interfaces: wg_admin wg_clients
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.42.42.2" destination address="10.10.10.209" masquerade
rule family="ipv4" source address="10.42.42.2" destination address="10.10.10.203" masquerade
rule family="ipv4" source address="10.42.42.3" destination address="10.10.10.203" masquerade
rule family="ipv4" source address="10.42.43.0/24" masquerade log prefix="wg_admin_masq" level="warning"
rule family="ipv4" source address="10.42.42.3" destination address="10.10.10.133" masquerade
Problem
With the current firewalld setup, I assume that packets coming in from the wireguard interfaces are handled in the wireguard zone. When a rich rule matches, the source IP should be changed to the wireguard server IP 10.10.10.107 and the packet then simply routed to the client. Unfortunately, that is not how it works.
When checking the kernel messages I see:
[Thu Jun 8 13:32:18 2023] "filter_FWD_wireguard_REJECT: "IN=wg_admin OUT=ens3 MAC= SRC=10.42.43.2 DST=10.10.10.203 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=31157 DF PROTO=TCP SPT=44920 DPT=53 WINDOW=64860 RES=0x00 SYN URGP=0
[Thu Jun 8 13:32:20 2023] "filter_FWD_wireguard_REJECT: "IN=wg_clients OUT=ens3 MAC= SRC=10.42.42.2 DST=10.10.10.203 LEN=82 TOS=0x00 PREC=0x00 TTL=63 ID=9462 PROTO=UDP SPT=36905 DPT=53 LEN=62
[Thu Jun 8 13:32:23 2023] "filter_FWD_wireguard_REJECT: "IN=wg_admin OUT=ens3 MAC= SRC=10.42.43.2 DST=10.10.10.203 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=50271 DF PROTO=TCP SPT=55930 DPT=53 WINDOW=64860 RES=0x00 SYN URGP=0
[Thu Jun 8 13:32:41 2023] "filter_FWD_wireguard_REJECT: "IN=wg_clients OUT=ens3 MAC= SRC=10.42.42.2 DST=10.10.10.203 LEN=92 TOS=0x00 PREC=0x00 TTL=63 ID=2910 PROTO=UDP SPT=45837 DPT=53 LEN=72
[Thu Jun 8 13:32:41 2023] "filter_FWD_wireguard_REJECT: "IN=wg_clients OUT=ens3 MAC= SRC=10.42.42.2 DST=10.10.10.203 LEN=92 TOS=0x00 PREC=0x00 TTL=63 ID=58612 PROTO=UDP SPT=53142 DPT=53 LEN=72
My custom log prefix does not show up, so I assume my rich rules are being ignored. When I try to ping the DNS server:
$ ping 10.10.10.203
PING 10.10.10.203 (10.10.10.203) 56(84) bytes of data.
From 10.42.43.1 icmp_seq=1 Packet filtered
When I try to ping the wireguard server:
$ ping 10.10.10.107
PING 10.10.10.107 (10.10.10.107) 56(84) bytes of data.
64 bytes from 10.10.10.107: icmp_seq=1 ttl=64 time=26.7 ms
$ ping 10.42.42.1
PING 10.42.42.1 (10.42.42.1) 56(84) bytes of data.
64 bytes from 10.42.42.1: icmp_seq=1 ttl=64 time=28.5 ms
What am I doing wrong?
Answer 1
In the end I found the answer myself. The feature that allows routing and filtering with firewalld is called policies and was introduced later. This great post from Pro Custodibus also explains different scenarios for using wireguard with firewalld.
With policies, traffic can be routed from one zone to another, and a specific rule set can be applied to the traffic passing through.
To achieve the separation between the admin/client wireguard interfaces/connections and the wireguard server's routing into the private network, we:
- split the wireguard interfaces into separate zones
- added a zone that is used for forwarding traffic
- added two policies connecting the wireguard zones with the forward zone
- added rules to the policies to filter the wireguard traffic
Zones:
$ firewall-cmd --info-zone=wg_clients
wg_clients (active)
target: DROP
icmp-block-inversion: no
interfaces: wg_clients
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ firewall-cmd --info-zone=wg_admins
wg_admins (active)
target: DROP
icmp-block-inversion: no
interfaces: wg_admins
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ firewall-cmd --info-zone=forward
forward (active)
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources: 10.10.10.0/24
services:
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Policies:
$ firewall-cmd --info-policy=wg_clients2forward
wg_clients2forward (active)
priority: -1
target: REJECT
ingress-zones: wg_clients
egress-zones: forward
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="10.10.10.203" service name="dns" accept
rule family="ipv4" source address="10.42.42.3/32" destination address="10.10.10.133" service name="https" accept
rule family="ipv4" source address="10.42.42.2/32" destination address="10.10.10.209" service name="https" accept
$ firewall-cmd --info-policy=wg_admins2forward
wg_admins2forward (active)
priority: -1
target: REJECT
ingress-zones: wg_admins
egress-zones: forward
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="10.10.10.0/24" accept
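The firewall-cmd calls that produce the zones and policies listed in this answer, as an added example (not the answerer's own script). It assumes firewalld 0.9 or newer (policy support), a root shell on the wireguard server, and that the wg_clients/wg_admins interfaces have already been removed from the old wireguard zone; the `fw`, `configure_wg_firewall`, `FWCMD` and `WG_FW_APPLY` names are the example's own.

```shell
#!/bin/sh
# Builds the wg_clients / wg_admins / forward zones and the two policies from
# the answer. Set FWCMD=echo for a dry run that only prints the commands.
set -u

fw() { ${FWCMD:-firewall-cmd} --permanent "$@"; }

configure_wg_firewall() {
    # One zone per wireguard interface, DROP by default: the tunnel reaches
    # nothing unless a policy explicitly allows it.
    for z in wg_clients wg_admins; do
        fw --new-zone="$z"
        fw --zone="$z" --set-target=DROP
        fw --zone="$z" --add-interface="$z"
    done

    # Egress zone covering the private network; masquerade so replies come
    # back via the wireguard server's own address (10.10.10.107 on ens3).
    fw --new-zone=forward
    fw --zone=forward --set-target=ACCEPT
    fw --zone=forward --add-source=10.10.10.0/24
    fw --zone=forward --add-masquerade

    # Policies carry the per-client filtering; everything not listed is REJECTed.
    for p in wg_clients2forward:wg_clients wg_admins2forward:wg_admins; do
        name=${p%%:*}; ingress=${p#*:}
        fw --new-policy="$name"
        fw --policy="$name" --add-ingress-zone="$ingress"
        fw --policy="$name" --add-egress-zone=forward
        fw --policy="$name" --set-target=REJECT
        fw --policy="$name" --set-priority=-1
    done

    # Clients: DNS for everyone, HTTPS only to each client's own server.
    fw --policy=wg_clients2forward --add-rich-rule='rule family="ipv4" destination address="10.10.10.203" service name="dns" accept'
    fw --policy=wg_clients2forward --add-rich-rule='rule family="ipv4" source address="10.42.42.3/32" destination address="10.10.10.133" service name="https" accept'
    fw --policy=wg_clients2forward --add-rich-rule='rule family="ipv4" source address="10.42.42.2/32" destination address="10.10.10.209" service name="https" accept'
    # Admins: the whole private network.
    fw --policy=wg_admins2forward --add-rich-rule='rule family="ipv4" destination address="10.10.10.0/24" accept'

    ${FWCMD:-firewall-cmd} --reload
}

# Apply only when explicitly requested, so sourcing the file has no side effects.
if [ "${WG_FW_APPLY:-0}" = 1 ]; then configure_wg_firewall; fi
```

Run it as `WG_FW_APPLY=1 sh wg-firewalld.sh`, then confirm with `firewall-cmd --info-policy=wg_clients2forward` that the rich rules match the listing above.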