I recently installed Ubuntu Server 18.10 and want to open some ports (namely SSH and HTTP) for public access. However, because of my ISP's restrictions (my ISP uses CGNAT and does not let me open ports), I connected the Ubuntu server to a VPN so that I can forward ports to my local machine through OpenVPN.
I have been able to connect to the OpenVPN server correctly, my VPN allows port forwarding, and I have already forwarded the ports from the VPN. I can also ping the Ubuntu server using the VPN's public IP address. However, despite forwarding the ports on the VPN server, I still cannot connect to the Ubuntu server's ports (22/80).
What do I need to do on the Ubuntu server to make this work? I am trying to learn about iptables and ufw and have tried several threads from the internet, but I cannot seem to get it working. I am not a networking expert, so I hope you can guide me on how to set up ufw and/or iptables so that my Ubuntu server's ports are reachable via my VPN's public IP.
I hope someone can help me. Thanks!
Here are the outputs of my ufw status, iptables, ifconfig and netstat, for reference:
ufw status
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
iptables
$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
KUBE-NODEPORT-NON-LOCAL all -- anywhere anywhere /* Ensure that non-local NodePort traffic can flow */
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-FIREWALL all -- anywhere anywhere
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
Chain KUBE-NODEPORT-NON-LOCAL (1 references)
target prot opt source destination
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ifconfig
$ sudo ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:a9:b0:c9:f2 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fee1:76a8 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e1:76:a8 txqueuelen 1000 (Ethernet)
RX packets 86235 bytes 129085349 (129.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21648 bytes 3799697 (3.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 20111 bytes 4496081 (4.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20111 bytes 4496081 (4.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet xx.xx.xx.xx netmask xx.xx.xx.xx destination xx.xx.xx.xx
inet6 xx:xx:xx:xx:xx:xx prefixlen xx scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 85482 bytes 118463837 (118.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21444 bytes 1207429 (1.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
netstat
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 xx.xx.xx.xxx 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 ens33
xx.xx.xx.xx 192.168.1.1 255.255.255.255 UGH 0 0 0 ens33
xx.xx.xx.xx 0.0.0.0 255.255.255.192 U 0 0 0 tun0
128.0.0.0 xx.xx.xx.xx 128.0.0.0 UG 0 0 0 tun0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33
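The following script is an added example and is not part of the original post or an answer to it. It checks the host-side preconditions for a service that must be reachable through an OpenVPN tunnel whose server forwards a public port to this host's tun0 address: the service must listen on a wildcard address or on the tun0 address (a daemon bound only to 192.168.1.254 is never reached by a connection arriving on tun0), the ufw rules should accept the traffic on tun0, and replies must leave through tun0 rather than ens33. It does not verify the VPN provider's side of the forward. The tun0 address (passed in by the caller), the sample `ss` output, and the assumption that both services are plain TCP on 22 and 80 are my own, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: host-side checks for a service
# reached through a port forwarded by an OpenVPN server to this host's tun0.
# Assumptions (not stated in the post): the tun0 address is supplied by the
# caller, the services are plain TCP on ports 22 and 80, and `ss` from
# iproute2 is available for the live check.

# Constructed sample of `ss -H -ltn` output so the parser runs offline.
# Port 80 is deliberately bound only to the LAN address 192.168.1.254, the
# case a connection arriving on tun0 can never match.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.168.1.254:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# port_reachable_on PORT TUN_ADDR LISTENERS
# Exit 0 when some LISTEN socket for PORT is bound to a wildcard address or
# to TUN_ADDR itself; exit 1 when every socket for PORT is bound elsewhere.
port_reachable_on() {
    port=$1
    tun_addr=$2
    listeners=$3
    printf '%s\n' "$listeners" | awk -v p="$port" -v t="$tun_addr" '
        $1 == "LISTEN" {
            n = split($4, a, ":")              # text after the last ":" is the port
            if (a[n] != p) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == t) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# ufw rules scoped to tun0. The blanket "22 ALLOW IN Anywhere" rules in the
# post also open both ports (TCP and UDP) on ens33 and docker0; restricting
# them to the interface the public traffic arrives on is the least-privilege
# form for a host that is exposed to the internet only through the tunnel.
tun0_ufw_rules() {
    cat <<'EOF'
sudo ufw delete allow 22
sudo ufw delete allow 80
sudo ufw allow in on tun0 to any port 22 proto tcp
sudo ufw allow in on tun0 to any port 80 proto tcp
EOF
}

# Live checks for the running host (root needed for the counters).
# Not exercised by the offline test; run `live_checks <tun0 address>`.
live_checks() {
    tun_addr=$1
    for port in 22 80; do
        if port_reachable_on "$port" "$tun_addr" "$(ss -H -ltn)"; then
            echo "port $port: listener is reachable on tun0"
        else
            echo "port $port: NOT bound to 0.0.0.0 or $tun_addr (check the daemon's listen address)"
        fi
    done
    # Replies to an internet source must leave via tun0, not ens33; with the
    # 0.0.0.0/1 and 128.0.0.0/1 routes from the post this should print tun0.
    ip route get 8.8.8.8 | head -1
    # Packet counters: does anything for 22/80 hit the ufw user rules at all?
    sudo iptables -L ufw-user-input -v -n | grep -E 'dpt:(22|80)'
    echo "While connecting from outside, watch the tunnel with:"
    echo "  sudo tcpdump -ni tun0 'tcp port 22 or tcp port 80'"
}
```

If the tcpdump line shows SYNs arriving on tun0 but the counters and listener check are fine, the problem is on the host side of the reply path; if nothing arrives on tun0 at all, the forward on the VPN server (or the port number it maps to) is the thing to look at, which this script cannot see.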