I want to configure ufw (Uncomplicated Firewall) for OpenVPN.
Only connections through OpenVPN should be allowed. Everything else should be blocked, so if OpenVPN disconnects -> no internet! I found this script online and I would like to know whether it is good enough, or whether I have to add more rules?
#!/bin/bash
###########################################
# Created by Thomas Butz #
# E-Mail: btom1990(at)googlemail.com #
# Feel free to copy & share this script #
###########################################
# Adapt this value to your config!
VPN_DST_PORT=3478
# Don't change anything beyond this point
###########################################
# Check for root privileges
if [[ $EUID -ne 0 ]]; then
    printf "Please run as root:\nsudo %s\n" "${0}"
    exit 1
fi
# Reset the ufw config
ufw --force reset
# let all incoming traffic pass
ufw default allow incoming
# and block outgoing by default
ufw default deny outgoing
# Every communication via VPN is considered to be safe
ufw allow out on tun0
# Don't block the creation of the VPN tunnel
ufw allow out $VPN_DST_PORT
# Don't block DNS queries
ufw allow out 53
# Allow local IPv4 connections
ufw allow out to 10.0.0.0/8
ufw allow out to 172.16.0.0/12
ufw allow out to 192.168.0.0/16
# Allow IPv4 local multicasts
ufw allow out to 224.0.0.0/24
ufw allow out to 239.0.0.0/8
# Allow local IPv6 connections
ufw allow out to fe80::/64
# Allow IPv6 link-local multicasts
ufw allow out to ff01::/16
# Allow IPv6 site-local multicasts
ufw allow out to ff02::/16
ufw allow out to ff05::/16
# Enable the firewall
ufw enable
Answer 1
The configuration can be made stricter:
ufw --force reset
ufw default deny incoming # Use the VPN tunnel for all traffic
ufw default deny outgoing
ufw allow out on tun0
ufw allow in on tun0
ufw allow out $port/$protocol # e.g. 1234/udp, depending on your OpenVPN client config
# Prefer resolved hosts to connect to your VPN, enable only if your VPN provider doesn't give you that option
#ufw allow out 53
# Allow local IPv4 connections, enable as needed, set specific IPs or tighter subnet masks if possible
#ufw allow out to 10.0.0.0/8
#ufw allow out to 172.16.0.0/12
#ufw allow out to 192.168.0.0/16
# Allow IPv4 local multicasts
#ufw allow out to 224.0.0.0/24
#ufw allow out to 239.0.0.0/8
# Allow local IPv6 connections
#ufw allow out to fe80::/64
# Allow IPv6 link-local multicasts
#ufw allow out to ff01::/16
# Allow IPv6 site-local multicasts
#ufw allow out to ff02::/16
#ufw allow out to ff05::/16
# Enable the firewall
ufw enable
Answer 2
I strongly recommend that you do not use these two commands:
ufw allow incoming
ufw default allow in on tun0
Allowing incoming defeats the purpose of a firewall. The claim that you need "allow in on tun0" to receive return packets is wrong. You only want to receive the connections you requested, not to let the whole world connect to you. Allowing out is enough to achieve that. Test the configuration suggested below and see.
Here is an example of a series of UFW commands for the firewall:
sudo ufw enable
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0
sudo ufw allow out on eth0 to any port 53,1197 proto udp
sudo ufw allow out on wlan0 to any port 53,1197 proto udp
sudo ufw status verbose
Example result:
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
53,1197/udp                ALLOW OUT   Anywhere on eth0
53,1197/udp                ALLOW OUT   Anywhere on wlan0
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
53,1197/udp (v6)           ALLOW OUT   Anywhere (v6) on eth0
53,1197/udp (v6)           ALLOW OUT   Anywhere (v6) on wlan0
Notes:
- Your interfaces may be different, e.g. ubuntu 16.12 uses eno1 and wlp3s0b1. Use the command "ifconfig" to see your actual interfaces.
- 1197 UDP is a fairly standard default, but you may need to change it for your VPN (e.g. 443 TCP).
- I usually delete the ipv6 rules (sudo ufw delete 4, repeated x3)
What it does:
- It allows outbound connections through the VPN tunnel while blocking everything except the VPN tunnel and DNS connections over ethernet/wifi. Below is a warning about the DNS issue.
Warning: this example allows DNS requests out on 53 so that openvpn can look up an IP address (e.g. for vpn.somevpnprovider.com) and establish the connection. The cost is the possibility of a DNS leak. Use dnsleaktest.com to make sure your VPN setup tunnels your DNS requests. For the careful/paranoid, skip the allow-out on 53 and instead turn the firewall off to connect, then turn it back on once connected. For my VPN I chose not to do that, because I would most likely forget about the firewall entirely (e.g. if openvpn is misconfigured, DNS would leak anyway).
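As an added check (example code, not from the question or either answer), the following sh script parses `ufw status verbose` output, reconstructed here from the example result above, and flags what the answers warn about: default policies that are not deny, any ALLOW IN rule, outbound rules that are unrestricted outside the tunnel, and DNS allowed on a physical interface. The tunnel interface name tun0 and the embedded sample output are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original posts): reads `ufw status verbose`
# output on stdin and checks the kill-switch properties discussed above.
# Assumed live usage: sudo ufw status verbose | audit_kill_switch tun0

# Constructed sample, modelled on the example result in the answer above.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
53,1197/udp                ALLOW OUT   Anywhere on eth0
53,1197/udp                ALLOW OUT   Anywhere on wlan0
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0'

# audit_kill_switch VPN_IF < status-text
# Prints FINDING lines for rules that defeat the kill switch and NOTE lines for
# DNS allowed outside the tunnel; returns 0 only when there is no FINDING.
audit_kill_switch() {
  vpn_if="$1"
  rc=0
  while IFS= read -r line; do
    case "$line" in
      "Status: inactive"*)
        echo "FINDING: firewall is inactive"; rc=1 ;;
      Default:*)
        case "$line" in *"deny (incoming)"*) ;; *) echo "FINDING: default incoming is not deny"; rc=1 ;; esac
        case "$line" in *"deny (outgoing)"*) ;; *) echo "FINDING: default outgoing is not deny"; rc=1 ;; esac ;;
      *"ALLOW IN"*)
        echo "FINDING: inbound allow rule (not needed for return traffic): $line"; rc=1 ;;
      *"ALLOW OUT"*)
        case "$line" in
          *" on $vpn_if"*) ;;   # traffic inside the tunnel is the intent
          Anywhere*) echo "FINDING: unrestricted outbound outside the tunnel: $line"; rc=1 ;;
          "53 "*|53/*|53,*|*,53/*|*,53,*) echo "NOTE: DNS allowed outside the tunnel (leak risk): $line" ;;
        esac ;;
    esac
  done
  return "$rc"
}

printf '%s\n' "$SAMPLE_STATUS" | audit_kill_switch tun0
```

The sample above passes with only DNS notes; a status with "allow (incoming)" or an ALLOW IN rule returns non-zero.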