Oracle Free Tier: WireGuard and iptables
Problem: traffic does not go from the "client" to the "server" and back.
Configuration:
"Server":
    [Interface]
    Address = 10.8.0.1/24
    ListenPort = 51820
    PrivateKey = [redacted]
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

    [Peer]
    PublicKey = [redacted]
    AllowedIPs = 10.8.0.2/32
"Client":
    [Interface]
    Address = 10.8.0.2/24
    PrivateKey = [redacted]
    PostUp = ping -c1 10.8.0.1
    DNS = 1.1.1.1

    [Peer]
    PublicKey = [redacted]
    Endpoint = [redacted]:51820
    AllowedIPs = 0.0.0.0/0, ::/0
/etc/iptables/rules.v4:
    # CLOUD_IMG: This file was created/modified by the Cloud Image build process
    # iptables configuration for Oracle Cloud Infrastructure
    # See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
    # documentation for security impact of modifying or removing these rules
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [463:49013]
    :InstanceServices - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p udp --sport 123 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 64738 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 64738 -j ACCEPT
    # I added the following rule manually. The preceding 5 rules were either
    # added by Oracle (22) or by docker (the other ports). All else was added by Oracle.
    -A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
    #
    # Commenting out the following two lines makes everything work, but defeats
    # the point of iptables.
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    #
    -A OUTPUT -d 169.254.0.0/16 -j InstanceServices
    -A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
    -A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
    -A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
    COMMIT
Comments:
I can establish a WireGuard connection between the two peers and ping, but I can't get from the "client" peer through the "server" peer to the Internet and back.
"Client":
    $ sudo wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.8.0.2/24 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] resolvconf -a wg0 -m 0 -x
    [#] wg set wg0 fwmark 51820
    [#] ip -6 route add ::/0 dev wg0 table 51820
    [#] ip -6 rule add not fwmark 51820 table 51820
    [#] ip -6 rule add table main suppress_prefixlength 0
    [#] ip6tables-restore -n
    [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
    [#] ip -4 rule add not fwmark 51820 table 51820
    [#] ip -4 rule add table main suppress_prefixlength 0
    [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
    [#] iptables-restore -n
    [#] ping -c1 10.8.0.1
    PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
    64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=169 ms

    --- 10.8.0.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 168.716/168.716/168.716/0.000 ms
    $ curl -4 ifconfig.me
    curl: (6) Could not resolve host: ifconfig.me
"Client" /etc/resolv.conf:
    # Generated by resolvconf
    nameserver 1.1.1.1
"Server" /etc/resolv.conf:
    nameserver 127.0.0.53
    options edns0 trust-ad
    search vcn[redacted].oraclevcn.com
As mentioned in the comment above, commenting out the INPUT REJECT rule in /etc/iptables/rules.v4 fixes the problem, but if I understand correctly this is undesirable from a firewall-security point of view.
If I'm not mistaken, the curl error points to a DNS problem.
I have the following ingress rules in the Oracle Cloud configuration:
I have the following egress rules:
I'm new to iptables, networking and system administration, so I've been struggling with this for a while. I haven't found much on the Internet that sheds light on what I'm missing here, just bits and pieces that got me this far.
I think I've narrowed the problem down to the iptables configuration, but I don't know what to do about it.
Any advice on what exactly the problem is here, and on a good (and secure) solution, would be greatly appreciated!!!
Thanks!
Insert these two iptables rules before the -A FORWARD -j REJECT rule in the server's /etc/iptables/rules.v4 file:

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i wg0 -j ACCEPT

If you run sudo iptables-save, you will see the list of your active iptables rules. The iptables rules from the PostUp script in the server's wg config file are appended after the ones in /etc/iptables/rules.v4. Note that you can change this by using the iptables -I flag instead of the -A flag in the wg PostUp script: the -I flag inserts the rule at the top of the chain (or at the specified index, default 0), while the -A flag appends the rule to the bottom.
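The ordering problem the answer describes, replayed offline. This is an added example and not code from the question or the answer: it models only the matches these rules actually use (-i, -o, -m state --state and the -j target), replays the FORWARD lines of a rules.v4 file followed by the PostUp commands in the order iptables-restore and then wg-quick would apply them, and reports the verdict for a new client-to-Internet packet (wg0 to ens3) and for its reply (ens3 to wg0) the way the kernel decides it: first matching terminating rule wins, otherwise the chain policy applies. The rule text is a constructed, trimmed copy of what the post shows; build_forward_chain, forward_verdict and simulate are names chosen here.

```python
"""Replay iptables FORWARD-chain ordering for a WireGuard gateway.

Added example, not code from the page. Only -i, -o, --state and the -j
target are modelled; everything else on a rule line is skipped.
"""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(tokens):
    """Reduce one rule's options to the few match fields we simulate."""
    rule = {"in": None, "out": None, "states": None, "target": None}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "-i":
            rule["in"] = tokens[i + 1]
            i += 2
        elif t == "-o":
            rule["out"] = tokens[i + 1]
            i += 2
        elif t == "--state":
            rule["states"] = set(tokens[i + 1].split(","))
            i += 2
        elif t == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        elif t in ("-m", "-p", "--reject-with", "--dport", "--sport"):
            i += 2  # option with a value we do not model
        else:
            i += 1
    return rule


def build_forward_chain(commands):
    """Return (policy, rules) for FORWARD after replaying -A/-I commands.

    -A appends; -I inserts at a 1-based position (default 1), which is why
    PostUp rules written with -I land above an existing terminal REJECT.
    """
    policy, chain = "ACCEPT", []
    for line in commands:
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":FORWARD"):
            policy = line.split()[1]
            continue
        toks = shlex.split(line)
        if toks and toks[0] == "iptables":
            toks = toks[1:]
        if len(toks) < 2 or toks[0] not in ("-A", "-I") or toks[1] != "FORWARD":
            continue  # other chains and tables do not decide forwarding
        rest, pos = toks[2:], 1
        if toks[0] == "-I" and rest and rest[0].isdigit():
            pos, rest = int(rest[0]), rest[1:]
        rule = parse_rule(rest)
        if toks[0] == "-A":
            chain.append(rule)
        else:
            chain.insert(pos - 1, rule)
    return policy, chain


def forward_verdict(policy, chain, in_iface, out_iface, state):
    """Walk the chain; return (verdict, 1-based rule index or None for policy)."""
    for idx, r in enumerate(chain, start=1):
        if r["in"] and r["in"] != in_iface:
            continue
        if r["out"] and r["out"] != out_iface:
            continue
        if r["states"] and state not in r["states"]:
            continue
        if r["target"] in TERMINATING:
            return r["target"], idx
    return policy, None


def simulate(rules_v4, postup):
    """Verdicts for a new client->Internet packet and for its reply."""
    cmds = rules_v4.splitlines() + postup.split(";")
    policy, chain = build_forward_chain(cmds)
    outbound = forward_verdict(policy, chain, "wg0", "ens3", "NEW")
    reply = forward_verdict(policy, chain, "ens3", "wg0", "ESTABLISHED")
    return outbound[0], reply[0]


# Constructed, trimmed copy of the FORWARD-relevant lines of the posted rules.v4.
RULES_V4 = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The same file with the two rules the answer says to insert before the REJECT.
RULES_V4_FIXED = RULES_V4.replace(
    "-A FORWARD -j REJECT",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A FORWARD -i wg0 -j ACCEPT\n"
    "-A FORWARD -j REJECT",
)

# PostUp exactly as posted (-A) and the -I variant the answer suggests.
POSTUP_APPEND = ("iptables -A FORWARD -i wg0 -j ACCEPT; "
                 "iptables -A FORWARD -o wg0 -j ACCEPT; "
                 "iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE")
POSTUP_INSERT = POSTUP_APPEND.replace("-A FORWARD", "-I FORWARD")

if __name__ == "__main__":
    print("posted config:         ", simulate(RULES_V4, POSTUP_APPEND))
    print("answer's rules.v4 fix: ", simulate(RULES_V4_FIXED, POSTUP_APPEND))
    print("PostUp with -I instead:", simulate(RULES_V4, POSTUP_INSERT))
```

Run as-is it prints REJECT for both directions with the posted configuration and ACCEPT for both with either fix, because the PostUp -A rules end up below the catch-all REJECT and are never reached. On the real host the equivalent check is sudo iptables -S FORWARD (or iptables -L FORWARD -v --line-numbers), which lists rules in the order the kernel evaluates them. The simulation also assumes the FORWARD chain is consulted at all; that only happens with net.ipv4.ip_forward=1, which the post does not show.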