ArchlinuxサーバーにOpenVPNをインストールし、iptableルールを変更して、ポート1194
での着信トラフィックを許可し、それをtun0
インターフェイスに転送しました。 iptablesを無効化/停止すると、OpenVPNクライアントがサーバーに接続します。ただし、iptablesが有効になっている場合、クライアントはサーバーに接続できません。クライアントは「サーバーの応答を待っています」と読みます。
私のiptable rules
:
#!/bin/bash
## Flush all current rules from iptables
iptables -F
iptables -t nat -F
## Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P INPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
## Create two user-defined chains that we will use to open up ports in the firewall
iptables -N TCP
iptables -N UDP
## Allow local traffic
iptables -A INPUT -i lo -j ACCEPT
## Accept packets belonging to established and related connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
## Accept all new incoming ICMP echo requests, also known as pings
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
## Attach the TCP and UDP chains to the INPUT chain to handle all new incoming connections
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
## Reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
## For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
#### BEGIN - Tricking port scanners ####
## SYN scans
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
## UDP scans
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
## Restore the Final Rule
iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
#### END - Tricking port scanners ####
## Allow SSH connections on tcp port 22
iptables -A TCP -p tcp --dport 22 -j ACCEPT
## To accept incoming TCP connections on port 80 for a web server
iptables -A TCP -p tcp --dport 80 -j ACCEPT
## To accept incoming TCP connections on port 443 for a web server (HTTPS)
iptables -A TCP -p tcp --dport 443 -j ACCEPT
## Allow VPN
iptables -A TCP -p tcp --dport 1194 -j ACCEPT
iptables -A TCP -p udp --dport 1194 -j ACCEPT
### Setting up a NAT gateway
## Use another chain in the filter table
iptables -N fw-interfaces
## Set up a rule with the conntrack match, identical to the one in the INPUT chain
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## To enable forwarding for trusted interfaces
iptables -A FORWARD -j fw-interfaces
## The remaining packets are denied with an ICMP message
iptables -A FORWARD -j REJECT --reject-with icmp-Host-unreach
iptables -P FORWARD DROP
### Setting up the nat table
## Setting up the POSTROUTING chain
iptables -A fw-interfaces -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
## Save settings
#/sbin/service iptables save
iptables-save -c > /etc/iptables/iptables.rules
## If you edit the configuration file manually, you have to reload it
systemctl reload iptables
## List rules
iptables -L -n -v
私のifconfig
:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.105 netmask 255.255.255.0 broadcast 192.168.0.255
ether b8:27:eb:a3:be:07 txqueuelen 1000 (Ethernet)
RX packets 3396 bytes 288974 (282.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2229 bytes 440341 (430.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 4 bytes 304 (304.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 304 (304.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
IP転送が有効になっている:
> sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Iptableルールの何が問題になっているのか、またはサーバー/ OpenVPN構成に関する詳細情報が必要な場合はお知らせください。 this と this を試しましたが、うまくいきませんでした。
Xavier Lucasのコメントのおかげで、この問題を修正した方法は次のとおりです。 iptables
の次の行を変更しました。
## Allow VPN
iptables -A UDP -p udp --dport 1194 -j ACCEPT