当服务器连接到 OpenVPN 时允许访问我的服务器的端口(Ubuntu Server 18.10)

当服务器连接到 OpenVPN 时允许访问我的服务器的端口(Ubuntu Server 18.10)

我最近安装了 Ubuntu Server 18.10,并想开放一些端口(即 SSH、HTTP)以供公众访问。但是,由于我的 ISP 的限制(我的 ISP 在 CGNAT 上,不允许我打开端口),我将 Ubuntu 服务器连接到 VPN,这样我就可以通过 OpenVPN 将端口转发到我的本地计算机。

我已经能够正确连接到 OpenVPN 服务器,并且我的 VPN 已经允许端口转发,并且已经从 VPN 转发了端口。我还可以使用 VPN 的公共 IP 地址 ping Ubuntu 服务器。但是,尽管转发了 VPN 服务器上的端口,我还是无法连接到 Ubuntu 服务器的端口 (22/80)。

我需要在 Ubuntu 服务器上做些什么才能使其正常工作?我正在尝试了解 iptables 和 ufw,并尝试了互联网上的几个主题,但似乎无法使其正常工作。我不是网络专家,所以我希望你能指导我如何设置 ufw 和/或 iptables,以允许我的 Ubuntu 服务器的端口可供我的 VPN 的公共 IP 访问。

希望有人能帮助我。谢谢!

以下是我的 ufw status、iptables 和 ifconfig 的输出,供参考:

ufw 状态

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)

iptables

$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
KUBE-FIREWALL  all  --  anywhere             anywhere
KUBE-NODEPORT-NON-LOCAL  all  --  anywhere             anywhere             /* Ensure that non-local NodePort traffic can flow */
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
KUBE-FIREWALL  all  --  anywhere             anywhere
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Chain KUBE-NODEPORT-NON-LOCAL (1 references)
target     prot opt source               destination

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination

是否配置

$ sudo ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:a9:b0:c9:f2  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.254  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fee1:76a8  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:e1:76:a8  txqueuelen 1000  (Ethernet)
        RX packets 86235  bytes 129085349 (129.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21648  bytes 3799697 (3.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 20111  bytes 4496081 (4.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20111  bytes 4496081 (4.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet xx.xx.xx.xx  netmask xx.xx.xx.xx  destination xx.xx.xx.xx
        inet6 xx:xx:xx:xx:xx:xx  prefixlen xx  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 85482  bytes 118463837 (118.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21444  bytes 1207429 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

网络状态

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         xx.xx.xx.xxx    128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 ens33
xx.xx.xx.xx      192.168.1.1     255.255.255.255 UGH       0 0          0 ens33
xx.xx.xx.xx    0.0.0.0         255.255.255.192 U         0 0          0 tun0
128.0.0.0       xx.xx.xx.xx    128.0.0.0       UG        0 0          0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ens33

相关内容