web-dev-qa-db-ja.com

私のiptableルールはVPN接続を許可していません

ArchlinuxサーバーにOpenVPNをインストールし、iptableルールを変更して、ポート1194での着信トラフィックを許可し、それをtun0インターフェイスに転送しました。 iptablesを無効化/停止すると、OpenVPNクライアントがサーバーに接続します。ただし、iptablesが有効になっている場合、クライアントはサーバーに接続できません。クライアントは「サーバーの応答を待っています」と読みます。

私のiptable rules

#!/bin/bash

## Flush all current rules from iptables
iptables -F
iptables -t nat -F

## Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P INPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

## Create two user-defined chains that we will use to open up ports in the firewall
iptables -N TCP
iptables -N UDP

## Allow local traffic
iptables -A INPUT -i lo -j ACCEPT

## Accept packets belonging to established and related connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

## Accept all new incoming ICMP echo requests, also known as pings
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

## Attach the TCP and UDP chains to the INPUT chain to handle all new incoming connections
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

## Reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst

## For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

#### BEGIN - Tricking port scanners ####
## SYN scans
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst

## UDP scans
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable

## Restore the Final Rule
iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
#### END - Tricking port scanners ####

## Allow SSH connections on tcp port 22
iptables -A TCP -p tcp --dport 22 -j ACCEPT

## To accept incoming TCP connections on port 80 for a web server
iptables -A TCP -p tcp --dport 80 -j ACCEPT

## To accept incoming TCP connections on port 443 for a web server (HTTPS)
iptables -A TCP -p tcp --dport 443 -j ACCEPT

## Allow VPN
iptables -A TCP -p tcp --dport 1194 -j ACCEPT
iptables -A TCP -p udp --dport 1194 -j ACCEPT

### Setting up a NAT gateway
## Use another chain in the filter table
iptables -N fw-interfaces

## Set up a rule with the conntrack match, identical to the one in the INPUT chain
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

## To enable forwarding for trusted interfaces
iptables -A FORWARD -j fw-interfaces

## The remaining packets are denied with an ICMP message
iptables -A FORWARD -j REJECT --reject-with icmp-Host-unreach
iptables -P FORWARD DROP

### Setting up the nat table
## Setting up the POSTROUTING chain
iptables -A fw-interfaces -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

## Save settings
#/sbin/service iptables save
iptables-save -c > /etc/iptables/iptables.rules

## If you edit the configuration file manually, you have to reload it
systemctl reload iptables

## List rules
iptables -L -n -v

私のifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.105  netmask 255.255.255.0  broadcast 192.168.0.255
        ether b8:27:eb:a3:be:07  txqueuelen 1000  (Ethernet)
        RX packets 3396  bytes 288974 (282.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2229  bytes 440341 (430.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 4  bytes 304 (304.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 304 (304.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

IP転送が有効になっている:

> sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Iptableルールの何が問題になっているのか、またはサーバー/ OpenVPN構成に関する詳細情報が必要な場合はお知らせください。 thisthis を試しましたが、うまくいきませんでした。

1
Rlearner

Xavier Lucasのコメントのおかげで、この問題を修正した方法は次のとおりです。 iptablesの次の行を変更しました。

## Allow VPN
iptables -A UDP -p udp --dport 1194 -j ACCEPT
1
Rlearner