iptables + OpenVPN: forwarding to a subnet and a few external IPs

I have an OpenVPN (CentOS) server and it works well. It only forwards internal traffic (10.0.0.0/8) through my server, so not the whole internet. But I want to extend it. I have a few static external IPs (ABCD & EFGH) that are reachable only from the VPN server. I want to forward these IPs as well, so my users can reach them through the VPN. So the new setup: the internal IPs (10.0.0.0/8) plus these two IPs (ABCD & EFGH).

This is my current configuration:

OpenVPN:

    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/VPN.crt
    key /etc/openvpn/easy-rsa/2.0/keys/VPN.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
    server 10.8.8.0 255.255.255.0
    ifconfig-pool-persist /etc/openvpn/ipp.txt
    # These are the routes that will be sent over the VPN that are pushed to the clients.
    push "route 10.0.0.0 255.0.0.0"
    push "route ABCD 255.255.255.255"
    push "route EFGH 255.255.255.255"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    client-to-client
    log-append /var/log/myovpn/openvpn.log
    verb 4
    crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem

iptables:

    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [1393521:120551935]
    :DROPLOG - [0:0]
    :allowedhosts - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i tun+ -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -i eth0 -j DROP
    -A INPUT -d 127.0.0.1/32 -i eth0 -j DROP
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
    -A INPUT -d 127.0.0.1/32 -j ACCEPT
    -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j allowedhosts
    -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s xxxx/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -j DROPLOG
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 127.0.0.1/32 -i eth0 -j DROP
    -A FORWARD -d 127.0.0.1/32 -i eth0 -j DROP
    -A FORWARD ! -s 10.0.0.0/8 -i eth1 -j DROP
    -A FORWARD -i tun+ -j ACCEPT
    -A FORWARD -i eth1 -j ACCEPT
    -A FORWARD -o eth0 -m state --state NEW -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
    -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT
    -A DROPLOG -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A DROPLOG -j REJECT --reject-with icmp-port-unreachable
    -A allowedhosts -s xxxx/32 -m comment --comment "allowed ip" -j ACCEPT
    COMMIT
    # Completed on Thu Jul 16 13:13:34 2015
    # Generated by iptables-save v1.4.21 on Thu Jul 16 13:13:34 2015
    *nat
    :PREROUTING ACCEPT [3942:251263]
    :INPUT ACCEPT [44:2243]
    :OUTPUT ACCEPT [44410:2858926]
    :POSTROUTING ACCEPT [3220:222144]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
    COMMIT
    # Completed on Thu Jul 16 13:13:34 2015

I think I need a new firewall rule. Can you help?

ifconfig output:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet xxxx  netmask 255.255.255.0  broadcast 23.253.106.255
            inet6 xxxx  prefixlen 64  scopeid 0x0<global>
            inet6 xxxx  prefixlen 64  scopeid 0x20<link>
            ether bc:76:4e:04:d8:13  txqueuelen 1000  (Ethernet)
            RX packets 1871664  bytes 541085711 (516.0 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2171798  bytes 331050940 (315.7 MiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.108.122.108  netmask 255.255.224.0  broadcast 10.208.159.255
            inet6 fe80::be76:4eff:fe04:f40c  prefixlen 64  scopeid 0x20<link>
            ether bc:76:4e:04:f4:0c  txqueuelen 1000  (Ethernet)
            RX packets 3168141  bytes 793689948 (756.9 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 3690025  bytes 515363508 (491.4 MiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 54393  bytes 7579709 (7.2 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 54393  bytes 7579709 (7.2 MiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.8.8.1  netmask 255.255.255.255  destination 10.8.8.2
            inet6 fe80::4b8a:aff0:dfae:4f13  prefixlen 64  scopeid 0x20<link>
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
            RX packets 153964  bytes 24201835 (23.0 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 158255  bytes 43833100 (41.8 MiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
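The following is an added example and not code from the question or the answer. It evaluates the FORWARD chain posted above with a small first-match simulator and compares it with a tightened chain in which the blanket `-i tun+ -j ACCEPT` is replaced by rules pinned to the VPN pool (10.8.8.0/24, from the `server` line) and the destinations the question names. The addresses 203.0.113.10 and 198.51.100.20 are assumed stand-ins for ABCD and EFGH, and the test flows are constructed; the simulator models only the matches the posted chain actually uses, so it is not a general iptables emulator.

```python
"""Added example, not code from the question or answer: a first-match evaluator for
the FORWARD chain of an iptables-save dump. It models only the matches the posted
chain uses (-i/-o with the '+' wildcard, -s/-d with '!' negation, --state)."""
import ipaddress

# FORWARD chain copied from the question (constructed sample, nothing added).
CURRENT_FORWARD = """
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 127.0.0.1/32 -i eth0 -j DROP
-A FORWARD -d 127.0.0.1/32 -i eth0 -j DROP
-A FORWARD ! -s 10.0.0.0/8 -i eth1 -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
"""

EXT_IP_1 = "203.0.113.10"   # assumed stand-in for the question's ABCD (TEST-NET)
EXT_IP_2 = "198.51.100.20"  # assumed stand-in for the question's EFGH (TEST-NET)

# Tightened variant: the blanket "-i tun+ -j ACCEPT" becomes three rules pinned to
# the VPN pool (10.8.8.0/24, from "server 10.8.8.0 255.255.255.0") and the wanted
# destinations. The catch-all "-o eth0 --state NEW -j ACCEPT" is dropped because it
# would pass any tun packet bound for eth0 whatever its destination.
TIGHTENED_FORWARD = f"""
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 127.0.0.1/32 -i eth0 -j DROP
-A FORWARD -d 127.0.0.1/32 -i eth0 -j DROP
-A FORWARD ! -s 10.0.0.0/8 -i eth1 -j DROP
-A FORWARD -i tun+ -s 10.8.8.0/24 -d 10.0.0.0/8 -j ACCEPT
-A FORWARD -i tun+ -s 10.8.8.0/24 -d {EXT_IP_1}/32 -o eth0 -j ACCEPT
-A FORWARD -i tun+ -s 10.8.8.0/24 -d {EXT_IP_2}/32 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
"""

def _iface_match(pattern, iface):
    """Interface match; a trailing '+' is a prefix wildcard, as in tun+."""
    if pattern is None:
        return True
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern

def _net_match(net, addr):
    """-s/-d match; a bare address counts as /32, as iptables treats it."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def parse_forward_chain(dump):
    """Return (policy, rules) for the FORWARD chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        toks = line.split()
        if toks[:1] == [":FORWARD"]:
            policy = toks[1]
        if toks[:2] != ["-A", "FORWARD"]:
            continue
        rule = {"i": None, "o": None, "s": None, "d": None,
                "neg": set(), "states": None, "target": None}
        k, neg = 2, False
        while k < len(toks):
            t = toks[k]
            if t == "!":
                neg, k = True, k + 1
            elif t in ("-i", "-o", "-s", "-d"):
                rule[t[1]] = toks[k + 1]
                if neg:
                    rule["neg"].add(t[1])
                neg, k = False, k + 2
            elif t == "--state":
                rule["states"], k = set(toks[k + 1].split(",")), k + 2
            elif t == "-j":
                rule["target"], k = toks[k + 1], k + 2
            else:
                k += 1  # "-m state", "--reject-with ..." etc. add no match we model
        rules.append(rule)
    return policy, rules

def forward_verdict(dump, in_if, out_if, src, dst, state="NEW"):
    """Walk the FORWARD chain first-match; return ACCEPT, DROP or REJECT."""
    policy, rules = parse_forward_chain(dump)
    for r in rules:
        if r["states"] is not None and state not in r["states"]:
            continue
        checks = (("i", _iface_match(r["i"], in_if)), ("o", _iface_match(r["o"], out_if)),
                  ("s", _net_match(r["s"], src)), ("d", _net_match(r["d"], dst)))
        # A negated match ("! -s 10.0.0.0/8") succeeds exactly when the plain one fails.
        if all(hit != (key in r["neg"]) for key, hit in checks):
            return r["target"]
    return policy

if __name__ == "__main__":
    # Constructed flows from a VPN client at 10.8.8.6 to each kind of destination.
    for label, *flow in [("VPN client -> internal 10/8 host", "tun0", "eth1", "10.8.8.6", "10.108.122.50"),
                         ("VPN client -> allowed external IP", "tun0", "eth0", "10.8.8.6", EXT_IP_1),
                         ("VPN client -> any internet host", "tun0", "eth0", "10.8.8.6", "8.8.8.8"),
                         ("non-10/8 source arriving on eth1", "eth1", "eth0", "192.168.1.1", "8.8.8.8")]:
        print(f"{label:36} current={forward_verdict(CURRENT_FORWARD, *flow):7} "
              f"tightened={forward_verdict(TIGHTENED_FORWARD, *flow)}")
```

The third flow is the point worth checking: with the chain as posted, `-i tun+ -j ACCEPT` forwards whatever a client sends down the tunnel, so "not the whole internet" is enforced only by which routes are pushed, and a client can add its own route via the tunnel. The tightened chain enforces the policy on the server, and it rejects the new external hosts' own inbound connections toward the VPN pool while still passing replies through the RELATED,ESTABLISHED rule. Either way, the two external IPs are reached through the existing `-A POSTROUTING -o eth0 -j MASQUERADE`, so those hosts see the server's eth0 address, which is what "reachable only from the VPN server" relies on, and nothing is forwarded at all unless `net.ipv4.ip_forward` is 1.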

Since you are pushing new IPs through the VPN gateway, you need to set up the correct routes. More information about the routing table would help; the output of route -n would be useful. Feel free to change it as you like so you don't reveal anything to us.