I have a problem with iptables and a PPTP VPN. I have read the related threads here and elsewhere online but still cannot get it working! I am trying to set up PPTP on an Ubuntu server on my local network, forcing clients to log in through the VPN to get Internet access. The Ubuntu server is connected directly to the Internet.

In my rc.local I have the following for forwarding and for accepting GRE:

    # PPTP IP forwarding
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    sudo iptables -A INPUT -p gre -j ACCEPT
    sudo iptables -A OUTPUT -p gre -j ACCEPT

This shows up in my iptables listing, so I know it is there.

I use CSF on the server as my firewall. If it is disabled I can connect to the VPN and browse the Internet through it; if CSF is enabled I either get "disconnected communication device" or I can connect but have no Internet access through the VPN.

There is also an odd issue where, from time to time, it seems to work through the firewall!

I have the following ports open:

    TCP_IN = ...47,53,80,92,110,143,443,465,587,993,995,1723,7777..
    TCP_OUT = ...47,53,80,92,110,113,443,1723,25565,7777...
    UDP_IN = 20,21,47,53,1723,27015,27025
    UDP_OUT = 20,21,47,53,113,123,1723,27015,27025

Do you have any suggestions on how to solve this? Do you need more information?

Many thanks for your time.

Additional information as requested:
iptables -nvL
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in   out  source           destination
     7377  749K LOCALINPUT all  --  !lo  *    0.0.0.0/0        0.0.0.0/0
     5631  786K ACCEPT     all  --  lo   *    0.0.0.0/0        0.0.0.0/0
        0     0 ACCEPT     udp  --  !lo  *    130.88.13.7      0.0.0.0/0   udp spts:1024:65535 dpt:53
        0     0 ACCEPT     tcp  --  !lo  *    130.88.13.7      0.0.0.0/0   tcp spts:1024:65535 dpt:53
        3   626 ACCEPT     udp  --  !lo  *    130.88.13.7      0.0.0.0/0   udp spt:53 dpts:1024:65535
        0     0 ACCEPT     tcp  --  !lo  *    130.88.13.7      0.0.0.0/0   tcp spt:53 dpts:1024:65535
        0     0 ACCEPT     udp  --  !lo  *    130.88.13.7      0.0.0.0/0   udp spt:53 dpt:53
        0     0 ACCEPT     udp  --  !lo  *    130.88.149.93    0.0.0.0/0   udp spts:1024:65535 dpt:53
        0     0 ACCEPT     tcp  --  !lo  *    130.88.149.93    0.0.0.0/0   tcp spts:1024:65535 dpt:53
      431 71632 ACCEPT     udp  --  !lo  *    130.88.149.93    0.0.0.0/0   udp spt:53 dpts:1024:65535
        0     0 ACCEPT     tcp  --  !lo  *    130.88.149.93    0.0.0.0/0   tcp spt:53 dpts:1024:65535
        0     0 ACCEPT     udp  --  !lo  *    130.88.149.93    0.0.0.0/0   udp spt:53 dpt:53
     5021  561K INVALID    tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0
     4255  519K ACCEPT     all  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:20
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:21
        1    64 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:25
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:47
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:53
       61  3648 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:80
        1    64 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:92
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:110
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:143
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:389
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:443
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:465
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:587
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:993
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:995
        3   192 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:1723
        2   128 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:7777
       89  5340 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:25565
       84  5040 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:27015
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:21433
      103  6180 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:25566
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:23456
        0     0 ACCEPT     tcp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:6667
        0     0 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:20
        0     0 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:21
        0     0 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:47
        0     0 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:53
        0     0 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:1723
      435 19275 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:27015
      389 16837 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:27025
        0     0 ACCEPT     udp  --  !lo  *    0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:6667
        2   122 ACCEPT     icmp --  !lo  *    0.0.0.0/0        0.0.0.0/0   icmp type 8 limit: avg 1/sec burst 5
        0     0 ACCEPT     icmp --  !lo  *    0.0.0.0/0        0.0.0.0/0   icmp type 0 limit: avg 1/sec burst 5
        0     0 ACCEPT     icmp --  !lo  *    0.0.0.0/0        0.0.0.0/0   icmp type 11
        0     0 ACCEPT     icmp --  !lo  *    0.0.0.0/0        0.0.0.0/0   icmp type 3
     1127 73207 LOGDROPIN  all  --  !lo  *    0.0.0.0/0        0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in   out  source           destination

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in   out  source           destination
     8150  710K LOCALOUTPUT all --  *    !lo  0.0.0.0/0        0.0.0.0/0
        0     0 ACCEPT     tcp  --  *    lo   0.0.0.0/0        0.0.0.0/0   tcp dpt:25
        0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:25 owner GID match 8
        0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:25 owner UID match 0
      123  7380 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:25
     5631  786K ACCEPT     all  --  *    lo   0.0.0.0/0        0.0.0.0/0
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   tcp dpt:53
      436 32454 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   udp dpt:53
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   tcp spt:53
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   udp spt:53
     6572  649K INVALID    tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0
     6852  636K ACCEPT     all  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:20
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:21
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:25
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:47
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:53
      148  8880 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:80
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:92
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:110
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:113
        2   120 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:389
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:443
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:1723
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:25565
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:7777
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:27015
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:21433
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:23456
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:3306
       30  1800 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:2082
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:92
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:25555
        0     0 ACCEPT     tcp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW tcp dpt:6667
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:20
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:21
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:47
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:53
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:113
       52  3952 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:123
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:1723
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:27015
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:27025
        0     0 ACCEPT     udp  --  *    !lo  0.0.0.0/0        0.0.0.0/0   state NEW udp dpt:6667
        0     0 ACCEPT     icmp --  *    !lo  0.0.0.0/0        0.0.0.0/0   icmp type 0
        0     0 ACCEPT     icmp --  *    !lo  0.0.0.0/0        0.0.0.0/0   icmp type 8
        0     0 ACCEPT     icmp --  *    !lo  0.0.0.0/0        0.0.0.0/0   icmp type 11
        0     0 ACCEPT     icmp --  *    !lo  0.0.0.0/0        0.0.0.0/0   icmp type 3
        3   183 LOGDROPOUT all  --  *    !lo  0.0.0.0/0        0.0.0.0/0

    Chain INVALID (2 references)
     pkts bytes target     prot opt in   out  source           destination
       19   844 INVDROP    all  --  *    *    0.0.0.0/0        0.0.0.0/0   state INVALID
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x3F/0x00
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x3F/0x3F
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x03/0x03
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x06/0x06
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x05/0x05
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x11/0x01
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x18/0x08
        0     0 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:0x30/0x20
        9   360 INVDROP    tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp flags:!0x17/0x02 state NEW

    Chain INVDROP (10 references)
     pkts bytes target     prot opt in   out  source           destination
       28  1204 DROP       all  --  *    *    0.0.0.0/0        0.0.0.0/0

    Chain LOCALINPUT (1 references)
     pkts bytes target     prot opt in   out  source           destination
        0     0 ACCEPT     all  --  !lo  *    10.1.2.0/24      0.0.0.0/0
      461 31652 ACCEPT     all  --  !lo  *    78.129.132.155   0.0.0.0/0
     6901  714K DSHIELD    all  --  !lo  *    0.0.0.0/0        0.0.0.0/0
     6831  695K SPAMHAUS   all  --  !lo  *    0.0.0.0/0        0.0.0.0/0

    Chain LOCALOUTPUT (1 references)
     pkts bytes target     prot opt in   out  source           destination
        0     0 ACCEPT     all  --  *    !lo  0.0.0.0/0        10.1.2.0/24
      600 32952 ACCEPT     all  --  *    !lo  0.0.0.0/0        78.129.132.155

    Chain LOGDROPIN (1 references)
     pkts bytes target     prot opt in   out  source           destination
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:67
        0     0 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:67
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:68
        0     0 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:68
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:111
        0     0 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:111
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:113
        0     0 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:113
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpts:135:139
       76 18810 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpts:135:139
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:445
        0     0 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:445
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:500
        0     0 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:500
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:513
        0     0 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:513
        0     0 DROP       tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   tcp dpt:520
      979 50908 DROP       udp  --  *    *    0.0.0.0/0        0.0.0.0/0   udp dpt:520
       26  1056 LOG        tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
       41  2173 LOG        udp  --  *    *    0.0.0.0/0        0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
        0     0 LOG        icmp --  *    *    0.0.0.0/0        0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
       72  3489 DROP       all  --  *    *    0.0.0.0/0        0.0.0.0/0

    Chain LOGDROPOUT (1 references)
     pkts bytes target     prot opt in   out  source           destination
        0     0 LOG        tcp  --  *    *    0.0.0.0/0        0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
        0     0 LOG        udp  --  *    *    0.0.0.0/0        0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
        0     0 LOG        icmp --  *    *    0.0.0.0/0        0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
        3   183 DROP       all  --  *    *    0.0.0.0/0        0.0.0.0/0
iptables -nvL -t nat
    pez@brave:~$ sudo iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 42112 packets, 3106K bytes)
     pkts bytes target     prot opt in   out    source            destination

    Chain POSTROUTING (policy ACCEPT 716 packets, 43090 bytes)
     pkts bytes target     prot opt in   out    source            destination
        0     0 MASQUERADE all  --  *    *      192.168.122.0/24  !192.168.122.0/24
        0     0 MASQUERADE all  --  *    venet0 10.10.0.0/24      0.0.0.0/0
    31176 2345K MASQUERADE all  --  *    eth0   0.0.0.0/0         0.0.0.0/0
Solution summary: create a new file csfpre in /etc/csf/ with the following contents:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A INPUT -p gre -j ACCEPT
    iptables -A OUTPUT -p gre -j ACCEPT
    iptables -A FORWARD -i ppp+ -o eth0 -p ALL -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp+ -p ALL -j ACCEPT
From what I can see, you do not seem to have the GRE protocol enabled. You have port 47 TCP allowed, but that is not the same thing. Your rc.local rules for GRE look fine, but they may be getting overwritten, so add those rules inside your firewall system.

You also have a DROP policy for forwarded packets; add this rule as a minimum:

    iptables -A FORWARD -i ppp+ -j ACCEPT

This enables forwarding for all interfaces whose names begin with ppp, which should be enough for a PPTP-based VPN.

Also, you may already have done this, but check with sysctl net.ipv4.ip_forward that you have packet forwarding enabled; it should be 1.

Note that the packet count (first column) for TCP 1723 is 0. Try connecting and check whether it increases. But enable GRE first, otherwise it will of course not work.
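The answer's three checks (GRE accepted as a protocol rather than TCP port 47, FORWARD rules for the ppp+ interfaces under a DROP policy, and net.ipv4.ip_forward set to 1) can be run mechanically against a saved `iptables -nvL` listing. The script below is an added example, not code from the question, the answer or the CSF project; the two listings and the sysctl line it audits are constructed to resemble the "before" state shown in the question and the state after the csfpre rules from the solution summary are loaded. Note that `iptables -n` prints the GRE protocol numerically as 47, while `-L` without `-n` prints it as gre; the check accepts both.

```bash
#!/usr/bin/env bash
# Added example (not from the question or the answer): audit a saved "iptables -nvL"
# listing for what a PPTP server behind CSF needs:
#   1. the GRE protocol accepted on INPUT and OUTPUT ("tcp dpt:47" is not GRE),
#   2. FORWARD rules for ppp+ interfaces, since FORWARD's policy is DROP,
#   3. net.ipv4.ip_forward = 1.
# All listings and the sysctl line below are constructed for illustration.

# Constructed listing resembling the poster's: TCP dpt:47 open, no GRE rule,
# FORWARD chain empty under a DROP policy.
BROKEN_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:47
    3   192 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1723
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:47'

# Constructed listing after the csfpre rules from the solution summary are loaded
# (with -n the GRE protocol is printed as 47).
FIXED_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   12   960 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    5   400 ACCEPT all -- ppp+ eth0 0.0.0.0/0 0.0.0.0/0
    5   400 ACCEPT all -- eth0 ppp+ 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   12   960 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0'

# Print only the rule lines of one chain (chain header and column header dropped).
# usage: chain_rules CHAIN LISTING
chain_rules() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^Chain / { cur = $2; next }
    /^ *pkts/ { next }
    cur == want && NF > 0 { print }'
}

# Print a chain'"'"'s policy, e.g. DROP.  usage: chain_policy CHAIN LISTING
chain_policy() {
  printf '%s\n' "$2" | awk -v want="$1" '/^Chain / && $2 == want { print $4; exit }'
}

# True when CHAIN has an ACCEPT rule whose protocol column is GRE (gre or 47).
# A "tcp dpt:47" rule does not count: that is TCP port 47, not IP protocol 47.
# usage: gre_accepted CHAIN LISTING
gre_accepted() {
  chain_rules "$1" "$2" |
    awk '$3 == "ACCEPT" && ($4 == "gre" || $4 == "47") { ok = 1 } END { exit !ok }'
}

# True when FORWARD has an ACCEPT rule matching IFACE in the given direction
# (column 6 is "in", column 7 is "out").  usage: forward_accepts in|out IFACE LISTING
forward_accepts() {
  col=0
  case "$1" in in) col=6 ;; out) col=7 ;; *) return 2 ;; esac
  chain_rules FORWARD "$3" |
    awk -v c="$col" -v want="$2" '$3 == "ACCEPT" && $c == want { ok = 1 } END { exit !ok }'
}

# True when a "sysctl net.ipv4.ip_forward" output line reports 1.
# usage: ip_forward_on "net.ipv4.ip_forward = 1"
ip_forward_on() {
  [ "${1##* }" = "1" ]
}

# Run every check, print findings, return 0 only if all pass.
# usage: audit LISTING SYSCTL_LINE
audit() {
  listing="$1"; sysctl_line="$2"; fail=0
  for chain in INPUT OUTPUT; do
    if gre_accepted "$chain" "$listing"; then
      echo "ok:   $chain accepts protocol GRE"
    else
      echo "FAIL: $chain has no GRE rule (need: iptables -A $chain -p gre -j ACCEPT)"; fail=1
    fi
  done
  if [ "$(chain_policy FORWARD "$listing")" = DROP ]; then
    if forward_accepts in 'ppp+' "$listing" && forward_accepts out 'ppp+' "$listing"; then
      echo "ok:   FORWARD allows ppp+ in both directions"
    else
      echo "FAIL: FORWARD policy is DROP without ppp+ rules in both directions"; fail=1
    fi
  fi
  if ip_forward_on "$sysctl_line"; then
    echo "ok:   net.ipv4.ip_forward = 1"
  else
    echo "FAIL: net.ipv4.ip_forward is not 1 (sysctl -w net.ipv4.ip_forward=1)"; fail=1
  fi
  return $fail
}

# Demo on the constructed inputs; on a real box feed it "$(iptables -nvL)"
# and "$(sysctl net.ipv4.ip_forward)" instead.
echo "--- before csfpre ---"; audit "$BROKEN_LISTING" "net.ipv4.ip_forward = 0" || true
echo "--- after csfpre ---";  audit "$FIXED_LISTING"  "net.ipv4.ip_forward = 1"
```

The checks look at the protocol column, not at port matches, which is exactly the distinction the answer draws: the poster's listing has ACCEPT rules for `tcp dpt:47` and `udp dpt:47` but none whose protocol is gre, so the first audit reports GRE missing on both chains and an empty FORWARD chain under a DROP policy. Because CSF rewrites the rule set on every restart, running such an audit after `csf -r` confirms that the csfpre rules actually survived, which is the "may be getting overwritten" failure the answer describes.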