I have a WireGuard server that controls access to a network of servers in AWS. Clients connecting through WireGuard get addresses 10.11.0.{2-5}. I have 4 clients with full access to the LAN - the LAN is on 10.1.255.255. That works fine.
Now I want to add a client that can only reach a small number of servers.
So I added some PostUp commands to wg0.conf and used iptables to restrict this client to those servers.
[Note that I prefer PostUp commands over a separate postup.sh file, because it keeps the customisation in one place.]
Here are the iptables commands. Clients 10.11.0.{2,3,4,5} should be able to access everything. Client 10.11.0.6 should only be able to reach three specific IP addresses. What is happening is that client .6 can still access everything.
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.11.0.0/16
# Add a WIREGUARD_wg0 chain
PostUp = iptables -N WIREGUARD_wg0
PostUp = iptables -A FORWARD -j WIREGUARD_wg0
# Accept traffic from valid Wireguard client IP addresses
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.2,10.11.0.3,10.11.0.4,10.11.0.5 -i %i -j ACCEPT
# This client can only access these servers.
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -d 10.1.1.101,10.1.1.151,10.1.0.101 -j ACCEPT
PostUp = iptables -A WIREGUARD_wg0 -s 10.11.0.6 -i %i -j DROP
# Drop everything else coming through the Wireguard interface
PostUp = iptables -A WIREGUARD_wg0 -i %i -j DROP
# Return to FORWARD chain
PostUp = iptables -A WIREGUARD_wg0 -j RETURN
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -s 10.11.0.0/16
# Flush and delete the WIREGUARD_wg0 chain
PostDown = iptables -D FORWARD -j WIREGUARD_wg0
PostDown = iptables -F WIREGUARD_wg0
PostDown = iptables -X WIREGUARD_wg0
This is the state after wg-quick down wg0:
/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:06:20 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep 3 21:06:20 2022
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:06:20 2022
*filter
:INPUT ACCEPT [33:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:4668]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Sat Sep 3 21:06:20 2022
And then after wg-quick up wg0:
/etc/wireguard# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:07:01 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[42:2688] -A POSTROUTING -s 10.11.0.0/16 -o eth0 -j MASQUERADE
[122:7896] -A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Sat Sep 3 21:07:01 2022
# Generated by iptables-save v1.8.4 on Sat Sep 3 21:07:01 2022
*filter
:INPUT ACCEPT [15:1036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:2920]
:WIREGUARD_wg0 - [0:0]
[4503:562848] -A FORWARD -i wg0 -j ACCEPT
[0:0] -A FORWARD -j WIREGUARD_wg0
[0:0] -A WIREGUARD_wg0 -s 10.11.0.2/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.3/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.4/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.5/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.151/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.0.101/32 -i wg0 -j ACCEPT
[0:0] -A WIREGUARD_wg0 -s 10.11.0.6/32 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -i wg0 -j DROP
[0:0] -A WIREGUARD_wg0 -j RETURN
COMMIT
# Completed on Sat Sep 3 21:07:01 2022
Can anyone suggest what I have missed? Many thanks. Paul.
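In the second dump, the first rule of FORWARD is `-i wg0 -j ACCEPT`, and iptables applies the first matching rule, so the jump to WIREGUARD_wg0 is never reached for traffic arriving on wg0, which is consistent with client .6 still reaching everything. The simulator below is an added example (not from the question, WireGuard or iptables): it replays first-match semantics over the filter rules shown and compares the verdict for client .6 with and without that leading rule; the destination 10.1.7.7 is a constructed stand-in for an arbitrary LAN host.

```python
import ipaddress

# Filter-table rules copied from the second `iptables-save -c` dump in the
# question (counters stripped); the first FORWARD rule is the leftover ACCEPT.
RULES = """
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -j WIREGUARD_wg0
-A WIREGUARD_wg0 -s 10.11.0.2/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.3/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.4/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.5/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.101/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.1.151/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.6/32 -d 10.1.0.101/32 -i wg0 -j ACCEPT
-A WIREGUARD_wg0 -s 10.11.0.6/32 -i wg0 -j DROP
-A WIREGUARD_wg0 -i wg0 -j DROP
-A WIREGUARD_wg0 -j RETURN
"""
FLAGS = {"-s": "src", "-d": "dst", "-i": "iif", "-j": "target"}  # the only options these rules use

def parse(text):  # -> {chain: [rule, ...]} in table order
    chains = {}
    for line in text.strip().splitlines():
        toks = line.split()
        rule = {"line": line, **{k: toks[toks.index(f) + 1] for f, k in FLAGS.items() if f in toks}}
        chains.setdefault(toks[1], []).append(rule)
    return chains

def hit(rule, src, dst, iif):  # does this rule match the packet (src, dst, input interface)?
    return all(key not in rule or ipaddress.ip_address(a) in ipaddress.ip_network(rule[key])
               for key, a in (("src", src), ("dst", dst))) and rule.get("iif", iif) == iif

def verdict(chains, src, dst, iif="wg0", chain="FORWARD", policy="ACCEPT"):  # first match wins
    for rule in chains.get(chain, []):
        if hit(rule, src, dst, iif):
            target = rule["target"]
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target, rule["line"]
            if target == "RETURN":
                return policy, rule["line"]  # policy is None inside a user chain: resume caller
            sub = verdict(chains, src, dst, iif, chain=target, policy=None)
            if sub[0] is not None:
                return sub
    return policy, "fell off the end of " + chain

def client6_reach(without_stale_accept=False):  # verdicts for .6 to an allowed host and to 10.1.7.7
    chains = parse(RULES)
    if without_stale_accept:  # table as it would look with the leftover FORWARD rule removed
        chains["FORWARD"] = [r for r in chains["FORWARD"] if r["target"] != "ACCEPT"]
    return {d: verdict(chains, "10.11.0.6", d)[0] for d in ("10.1.1.101", "10.1.7.7")}
```

`verdict(...)[1]` names the rule that decided the packet, which is the same thing the per-rule packet counters in `iptables-save -c` show on a live box: in the dump, the leading FORWARD rule has counted 4503 packets while every WIREGUARD_wg0 rule is still at 0.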