Here is the script I want to use to set up a secure firewall for an OpenVPN tunnel, where all of my internet traffic goes through the VPN. I have a few questions:
```sh
#!/bin/sh
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
#
# Allow SSH connections on tcp port 22
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept connections on 1194 for vpn access from clients
#
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
#
# Apply forwarding for OpenVPN Tunneling
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 100.200.255.256 # Use OpenVPN server's real external IP here
#
# Enable forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Some generally optional rules.
#
# Accept traffic with the ACK flag set
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Accept responses to DNS queries
iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
#
# List rules
#
iptables -L -v
```
My network interfaces:
```
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1051 (1.0 KiB)  TX bytes:1051 (1.0 KiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  PtP:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:95818 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:131291328 (125.2 MiB)  TX bytes:7181804 (6.8 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:89.148.244.198  PtP:89.148.244.198  Bcast:89.148.244.198  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:89.148.244.199  PtP:89.148.244.199  Bcast:89.148.244.199  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
```
So, question one: can anyone spot any obvious flaws in this firewall setup? I don't want to lock myself out of an unmanaged service, because it would cost me money if I had to ask them to fix it for me. Still, I want it to be as secure as possible. As long as I can still connect over SSH, I guess it won't be a disaster.
Question two: you may have noticed that the VPS has two public IPs available. I have found that the IP assigned to venet0:1, for whatever reason, has lower latency from my current location. So I am unclear about this line:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 89.148.244.199
Since the VPS runs under Virtuozzo, I believe I have to use SNAT to forward traffic from the tun adapter to the adapter that is connected to the internet. But since I want OpenVPN to use the IP 89.148.244.199, should I change this line to:
iptables -t nat -A POSTROUTING -o **venet0:1** -j SNAT --to-source 89.148.244.199