I have a Debian install with Shorewall, OpenVPN and Google Authenticator. I can get a VPN connection – but I cannot pass any traffic to the local LAN or to the internet – what am I missing here:

My Shorewall configuration
shorewall.conf
IP_FORWARDING On
/etc/shorewall/interfaces

net eth0 tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth1 tcpflags,dhcp,nosmurfs,routefilter,logmartians
dmz eth2 tcpflags,dhcp,nosmurfs,routefilter,logmartians
road tun tcpflags,logmartians,nosmurfs
/etc/shorewall/zones

fw firewall
net ipv4
loc ipv4
dmz ipv4
road ipv4
/etc/shorewall/rules

?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
VNC/ACCEPT loc all
Invalid(DROP) net all tcp
DNS(ACCEPT) $FW net
DNS(ACCEPT) loc net
SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc dmz
Webmin/ACCEPT loc fw
DNS(ACCEPT) dmz net
Ping(DROP) net $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT $FW dmz icmp
ACCEPT net road all
ACCEPT road net all
/etc/shorewall/policy

loc net ACCEPT
net all DROP info
$FW net ACCEPT
dmz net ACCEPT
road net ACCEPT
all all REJECT info
/etc/shorewall/masq
eth0 192.168.0.0/16
OpenVPN configuration

client.ovpn

client
dev tun
proto udp
remote xxx.yyy.zzz.2 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert huawiphone.crt
key huaweiphone.key
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 80.71.82.82"
push "dhcp-option DNS 80.71.82.83"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 9
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
Interfaces (ifconfig output)

eth0      Link encap:Ethernet  HWaddr 00:ec:ac:ce:e0:34
          inet addr:xxx.yyy.zzz.2  Bcast:xxx.yyy.zzz.127  Mask:255.255.255.128
          inet6 addr: fe80::2ec:acff:fece:e034/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20128722 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9698662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29269888673 (27.2 GiB)  TX bytes:879126006 (838.3 MiB)
          Interrupt:16 Memory:d0900000-d0920000

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.3.1  PtP:192.168.3.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4185 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:261836 (255.6 KiB)  TX bytes:0 (0.0 B)
Shorewall log messages when trying to reach the internet through the VPN

Apr 23 17:44:05 firewall kernel: [430997.653171] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45
Apr 23 17:44:05 firewall kernel: [430997.653228] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=93 TOS=0x00 PREC=0xC0 TTL=64 ID=19793 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45 ]
Apr 23 17:44:07 firewall kernel: [430999.075572] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=220 DF PROTO=UDP SPT=18202 DPT=53 LEN=57
Apr 23 17:44:07 firewall kernel: [430999.075610] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=105 TOS=0x00 PREC=0xC0 TTL=64 ID=20021 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=220 DF PROTO=UDP SPT=18202 DPT=53 LEN=57 ]
Apr 23 17:44:07 firewall kernel: [430999.178094] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=231 DF PROTO=UDP SPT=12211 DPT=53 LEN=40
Apr 23 17:44:07 firewall kernel: [430999.178132] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=20044 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=231 DF PROTO=UDP SPT=12211 DPT=53 LEN=40 ]
Apr 23 17:44:07 firewall kernel: [430999.186969] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=232 DF PROTO=UDP SPT=31313 DPT=53 LEN=50
Judging by your firewall log, you forgot to allow DNS queries.

Allow port 53 UDP and your setup will work better!
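The answer above reads the diagnosis straight off the Shorewall log: every FORWARD reject comes in on tun0, goes out on eth0, and is UDP to port 53. The script below is an added example (not part of the question, the answer, or Shorewall itself) that automates that reading: it parses Shorewall kernel log lines, maps the IN/OUT interfaces to zones using the interface-to-zone assignment from the question's /etc/shorewall/interfaces, and counts rejected packets per (source zone, destination zone, protocol, destination port), so the top entry names the zone pair and service that the rules file is missing. The sample lines are constructed after the log in the question (the final TCP/443 line is an extra constructed entry to show a second service); mapping tun0 to the road zone is an assumption, since the question's interfaces file lists "tun" rather than "tun+".

```python
import re
from collections import Counter

# Constructed sample, modelled on the Shorewall reject lines in the question.
# The last line is an extra constructed TCP/443 entry (203.0.113.10 is a
# documentation address) so the report shows more than one service.
SAMPLE_LOG = """\
Apr 23 17:44:05 firewall kernel: [430997.653171] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45
Apr 23 17:44:05 firewall kernel: [430997.653228] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=93 TOS=0x00 PREC=0xC0 TTL=64 ID=19793 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45 ]
Apr 23 17:44:07 firewall kernel: [430999.075572] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=220 DF PROTO=UDP SPT=18202 DPT=53 LEN=57
Apr 23 17:44:09 firewall kernel: [431001.000000] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=240 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Interface-to-zone map taken from the question's /etc/shorewall/interfaces.
# tun0 -> road is an assumption: the file names the interface "tun", not "tun+".
IFACE_ZONE = {"eth0": "net", "eth1": "loc", "eth2": "dmz", "tun0": "road"}

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter key=value fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[A-Za-z0-9_-]+):(?P<action>[A-Z]+):(?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None if the line
    is not one. Only the outer packet is kept: the bracketed copy of the original
    packet that ICMP error messages carry is cut off before parsing."""
    m = LINE_RE.search(line)
    if not m:
        return None
    outer = m.group("fields").split("[", 1)[0]
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    rec.update(KV_RE.findall(outer))
    return rec


def summarize(log_text):
    """Count REJECT/DROP entries per (src zone, dst zone, proto, dport).
    An empty IN or OUT interface means the firewall itself, i.e. zone fw."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] not in ("REJECT", "DROP"):
            continue
        src_zone = IFACE_ZONE.get(rec.get("IN") or "", "fw")
        dst_zone = IFACE_ZONE.get(rec.get("OUT") or "", "fw")
        key = (src_zone, dst_zone, rec.get("PROTO"), rec.get("DPT", "-"))
        counts[key] += 1
    return counts


def report(log_text):
    """Render the summary, most frequent zone pair/service first."""
    rows = sorted(summarize(log_text).items(), key=lambda kv: -kv[1])
    return "\n".join(f"{n:4d}  {src} -> {dst}  {proto}/{dport}"
                     for (src, dst, proto, dport), n in rows)


if __name__ == "__main__":
    # For the sample this prints "road -> net  UDP/53" as the top entry, which
    # is exactly the zone pair and port the answer says the rules are missing.
    print(report(SAMPLE_LOG))
```

The OUTPUT-chain entries are the firewall's own ICMP port-unreachable replies to the client, so they show up as fw -> road ICMP; they are a symptom of the FORWARD rejects rather than a second problem. Feed the real file in with `report(open("/var/log/syslog").read())`.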