[已解决]openvpn中NAT关于Susefirewall2防火墙设定（VPS）

laibin · 2015年09月9日 08:41

如题，vps 主机在国外，具有一个物理网卡 etho 实际地址，以及一个 tun0 虚拟网卡地址，openvpn 已经架设完毕，现在希望利用这个 vps 主机 NAT 以达到 xx 目的……^_^，看了几天 Susefireall2，感觉这个防火墙还是有点搞不定，客户端还是上不了网站，当然，可能跟自己对 openVPN 原理理解不够有关，下面是 SuSEfirewall2 的配置文件以及 iptables-save 的输出记录，大家踊跃指出错误，多交流。

:~ # grep -v ^# /etc/sysconfig/SuSEfirewall2 | grep -v '"]"]' | grep -v ^$
FW_DEV_EXT="eth0"
FW_DEV_INT="tun0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="16.5.0.0/255.255.255.128"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0/0,udp,2692"
FW_SERVICES_ACCEPT_INT="16.5.0.0/255.255.255.128,tcp,22"
FW_SERVICES_ACCEPT_RELATED_EXT="0/0,udp,2692"
FW_FORWARD="16.5.0.0/255.255.255.128,0/0"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_IPSEC_TRUST="no"
FW_ZONE_DEFAULT=''
FW_LOAD_MODULES="nf_conntrack_netbios_ns"


Have a lot of fun...
host:~ # iptables-save
# Generated by iptables-save v1.4.21 on Wed Sep  9 16:43:24 2015
*nat
:PREROUTING ACCEPT [19:1722]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [8:583]
:POSTROUTING ACCEPT [8:583]
-A POSTROUTING -s 16.5.0.0/25 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep  9 16:43:24 2015
# Generated by iptables-save v1.4.21 on Wed Sep  9 16:43:24 2015
*raw
:PREROUTING ACCEPT [96:9361]
:OUTPUT ACCEPT [68:8641]
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# Completed on Wed Sep  9 16:43:24 2015
# Generated by iptables-save v1.4.21 on Wed Sep  9 16:43:24 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [73:9373]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -i tun0 -j input_int
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -j forward_int
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -s 16.5.0.0/25 -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 16.5.0.0/25 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 16.5.0.0/25 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 16.5.0.0/25 -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -s 16.5.0.0/25 -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 16.5.0.0/25 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 16.5.0.0/25 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward_int -s 16.5.0.0/25 -i tun0 -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -m pkttype --pkt-type broadcast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --sport 2692 -m conntrack --ctstate RELATED -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 2692 -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 2692 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Sep  9 16:43:24 2015

laibin · 2015年09月10日 10:45

有前辈指点一下吗

不稳固的支点 · 2015年09月15日 17:51

看 wiki

来自我的 XT1077 上的 Tapatalk

hottea · 2015年09月16日 03:15

歪个楼. 我去, 开心树朋友!!!

不稳固的支点 · 2015年09月16日 04:56

→_→

来自我的 XT1077 上的 Tapatalk

laibin · 2015年09月16日 05:39

wiki 上关于 openVPN 搭建的防火墙部分采用的是 iptables 方式加入到启动项中，SUSE 中防火墙布置更多采用 SuSEfirewall2 脚本来管理，经过自己试验，上面防火墙的配置是没有问题的，好像是自己的客户端电脑不知道那里出问题了，连不上，换成其他电脑就好了。