客观的
给定 Raspberry Pi 上的以下接口:
- eth0 (192.168.0.0/24) - 专用网络(即 NAT)
- wlan0 (192.168.10.0/24) - 可访问互联网的公共网络(即 LAN)
- tun0 (VPN) - VPN 连接
建立防火墙从而实现以下目标:
- 拒绝所有入站流量:
wlan0,tun0(阻止传入连接) - 将所有出站流量路由
eth0至tun0(阻止“横向”连接;即无 LAN 访问)- 如果
tun0已关闭,则不允许eth0使用wlan0(即 VPN Killswitch)
- 如果
主流例子
我已经在 UFW 上看到过许多“VPN Killswitch”示例,它们都共享一个通用配置:
# Defaults
ufw default deny outgoing
ufw default deny incoming
# Allow local over ethernet (without VPN)
sudo ufw allow out to 192.168.0.0/24 # Allow out to LAN
sudo ufw allow in to 192.168.0.0/24 # Allow in to LAN
# Allow outgoing over ethernet to VPN
sudo ufw allow out to [VPN] port 1194 proto udp
# Allow outgoing over tun0
sudo ufw allow out on tun0 # Allow out over VPN
资料来源:
- https://forums.whirlpool.net.au/archive/2561726
- https://www.reddit.com/r/VPN/comments/4ik46m/vpn_killswitch_setup_using_ufw/
- https://www.youtube.com/watch?v=x9fb2UAWkBE
- https://github.com/andreisid/bash/blob/master/killswitch.sh
我的 NAT 示例(替代)
当然,在我的应用程序中,我有一个中间设备(Raspberry Pi),它充当路由器、防火墙、DNS 和 DHCP 服务器以及 VPN 客户端,因此设置略有不同。然而,NAT 表 ( ) 似乎/etc/ufw/before.rules处理这些ufw allow out/in to 192.168.0.0/24语句,并且几乎按原样路由来自(第二个目标项)的eth0所有出站流量:tun0
# NAT table to "forward" private network to VPN tunnel
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
COMMIT
这应该将来自专用网络 ( eth0) 的任何内容“转发”到 VPN 隧道 ( tun0) 中,对吗?或者我FORWARD在这里也需要条款吗?
之后,我现在不确定是否还需要配置其他任何内容,例如:
# Set defaults (also see /etc/default/ufw)
sudo ufw default deny incoming
sudo ufw default deny outgoing
# Allow incoming requests to DNS/DHCP services (UDP) on eth0 interface only (i.e. Private Network -> Pi:43,67/udp)
sudo ufw allow in on eth0 from any to any port 53,67 proto udp
# Allow incoming requests to SSH service (TCP) on eth0 interface only (i.e. Private Network -> Pi:22/tcp)
sudo ufw allow in on eth0 from any to any port 22 proto tcp
# Allow outbound on wlan0 interface for VPN traffic only (i.e. Pi -> LAN:1194)
sudo ufw allow out on wlan0 from any to any port 1194 proto udp
# Allow all outbound traffic on eth0 (i.e. Pi -> Private Network)
sudo ufw allow out on eth0
# Allow all outbound traffic on VPN tunnel only (i.e. Pi -> VPN)
sudo ufw allow out on tun0
在我单独使用 NAT 表进行的测试(traceroute、ping等)中,当我断开 VPN 连接时,我可以看到我的出站互联网连接在 Raspberry Pi 处停止。然而,我仍在尝试确认的是这是否涵盖了所有可能的泄漏场景(即 DNS 等)。
注意:我也在使用,dnsmasq所以Raspberry Pi也是DHCP服务器向专用网络上的客户端发布的DNS服务器。我想知道我需要做的只是配置dnsmasq为tun0仅转发 DNS 查询(如果可能的话),或者选择转发到公共 DNS(即 8.8.8.8、8.8.4.4)。此外,截至目前,此设置仍然阻止我的出站连接,但发出sudo ufw allow out on wlan0恢复该连接(VPN Killswitch 仍然有效)。所以我觉得我已经很接近了,也许还需要一些规则。
非常感谢有人花时间查看这些细节并提供反馈!
答案1
所以我想我会保留这个答案,因为我相信我可能刚刚找到了缺失的部分(感谢/var/log/ufw.log),除非其他人另有看法:
# Allow DNS queries
# [UFW BLOCK] IN= OUT=wlan0 SRC=192.168.10.x DST=192.168.10.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=50892 DF PROTO=UDP SPT=22617 DPT=53 LEN=46
sudo ufw allow out on wlan0 from any to any port 53 proto udp
所以我当前的规则集现在看起来像这样(注意默认的传出):
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing)
New profiles: skip
To Action From
-- ------ ----
53,67/udp on eth0 ALLOW IN Anywhere
22/tcp on eth0 ALLOW IN Anywhere
1194/udp ALLOW OUT Anywhere on wlan0
Anywhere ALLOW OUT Anywhere on eth0
Anywhere ALLOW OUT Anywhere on tun0
53/udp ALLOW OUT Anywhere on wlan0
命令:
# Allow incoming requests to DNS/DHCP services (UDP) on eth0 interface only (i.e. Private Network -> Pi:43,67/udp)
sudo ufw allow in on eth0 from any to any port 53,67 proto udp
# Allow incoming requests to SSH service (TCP) on eth0 interface only (i.e. Private Network -> Pi:22/tcp)
sudo ufw allow in on eth0 from any to any port 22 proto tcp
# Allow outbound on wlan0 interface for DNS and VPN traffic only (i.e. Pi -> LAN:1194)
sudo ufw allow out on wlan0 from any to any port 53,1194 proto udp
# Allow all outbound traffic on eth0 (i.e. Pi -> Private Network)
sudo ufw allow out on eth0
# Allow all outbound traffic on VPN tunnel only (i.e. Pi -> VPN)
sudo ufw allow out on tun0
# Set defaults (also see /etc/default/ufw)
sudo ufw default deny incoming
sudo ufw default deny outgoing
这也与我/etc/ufw/before.rules在原始帖子中提到的 NAT 表条目相结合,用于处理eth0 -> tun0“路由”。
最后,我的/etc/dnsmasq.conf包含以下单个server条目:
# Force VPN by selecting public DNS
server=8.8.8.8
# Do not read from /etc/resolv.conf and friends for system DNS
no-resolv
# Do not poll /etc/resolv.conf and friends for system DNS
no-poll
通过 VPN 和配置(隐含 DHCP)发送到 8.8.8.8 的确认请求traceroute,客户端将默认使用 Pi 作为其 DNS,而 Pi 又使用此配置。
这是一个包装!