AskOverflow.Dev

Accepted
Asked by Doug: 2019-06-05 12:07:18 +0800 CST

How do I tunnel all traffic through an OpenVPN server?

I am trying to get all traffic routed through the VPN so that the OpenVPN server's IP address shows up when I browse the Internet.

It shouldn't matter, but we use password-based authentication through a PAM module. That PAM module makes HTTP calls to a website to verify things.

Here is my OpenVPN server config:

port 1194
proto udp
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret

;topology subnet
server 10.8.0.0 255.255.255.0
;route 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120

cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3

;duplicate-cn
;max-clients 30
;user nobody
;group nogroup
;mute 20
;explicit-exit-notify 1

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional

push "redirect-gateway def1"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
;push "route 10.8.0.0 255.255.255.0"

Here is my OpenVPN client config:

client
dev tun
proto udp
remote MY_SERVERS_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
auth-user-pass

This is what iptables --list looks like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  ip-10-8-0-0.ec2.internal/24  anywhere             ctstate NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

These iptables entries were created with:

iptables -I FORWARD -i tun0 -o eth0 \
         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
         -j ACCEPT

iptables -t nat -I POSTROUTING -o eth0 \
          -s 10.8.0.0/24 -j MASQUERADE

Here is what ifconfig looks like on the OpenVPN server:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.26.12.92  netmask 255.255.240.0  broadcast 172.26.15.255
        inet6 fe80::89c:e4ff:feab:ccce  prefixlen 64  scopeid 0x20<link>
        ether 0a:9c:e4:ab:cc:ce  txqueuelen 1000  (Ethernet)
        RX packets 219194  bytes 218590052 (218.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 98397  bytes 11103942 (11.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4886  bytes 669299 (669.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4886  bytes 669299 (669.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::ef51:ccb3:ccc0:f02b  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

IP forwarding is enabled:

ubuntu@ip-172-26-2-31:~$ cat /proc/sys/net/ipv4/ip_forward
1

Here is what I see in my client log:

Wed Jun 05 07:40:02 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Jun 05 07:40:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 05 07:40:02 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Wed Jun 05 07:40:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:02 2019 Need hold release from management interface, waiting...
Wed Jun 05 07:40:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'state on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'log all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold off'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold release'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'username "Auth" "dlogan"'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'password [...]'
Wed Jun 05 07:40:04 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 05 07:40:04 2019 MANAGEMENT: >STATE:1559734804,RESOLVE,,,,,,
Wed Jun 05 07:40:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Wed Jun 05 07:40:05 2019 UDP link local: (not bound)
Wed Jun 05 07:40:05 2019 UDP link remote: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,WAIT,,,,,,
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,AUTH,,,,,,
Wed Jun 05 07:40:05 2019 TLS: Initial packet from [AF_INET]MY_SERVERS_PUBLIC_IP:1194, sid=ea2002fc a21451ed
Wed Jun 05 07:40:05 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=Cyber Ninjas CA, name=CyberNinjas, [email protected]
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=remote2.cyberninjas.com, name=remote2.cyberninjas.com, [email protected]
Wed Jun 05 07:40:32 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jun 05 07:40:32 2019 [remote2.cyberninjas.com] Peer Connection Initiated with [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,GET_CONFIG,,,,,,
Wed Jun 05 07:40:33 2019 SENT CONTROL [remote2.cyberninjas.com]: 'PUSH_REQUEST' (status=1)
Wed Jun 05 07:40:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: route options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: peer-id set
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 05 07:40:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 05 07:40:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 interactive service msg_channel=832
Wed Jun 05 07:40:33 2019 ROUTE_GATEWAY 192.168.1.99/255.255.255.0 I=15 HWADDR=8c:ae:4c:f6:89:4d
Wed Jun 05 07:40:33 2019 open_tun
Wed Jun 05 07:40:33 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{A4956E3A-C1FC-45BF-9857-31E5725E5011}.tap
Wed Jun 05 07:40:33 2019 TAP-Windows Driver Version 9.21 
Wed Jun 05 07:40:33 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {A4956E3A-C1FC-45BF-9857-31E5725E5011} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 05 07:40:33 2019 Successful ARP Flush on interface [23] {A4956E3A-C1FC-45BF-9857-31E5725E5011}
Wed Jun 05 07:40:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,ASSIGN_IP,,10.8.0.6,,,,
Wed Jun 05 07:40:38 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD MY_SERVERS_PUBLIC_IP MASK 255.255.255.255 192.168.1.99
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,ADD_ROUTES,,,,,,
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 Initialization Sequence Completed
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,CONNECTED,SUCCESS,10.8.0.6,MY_SERVERS_PUBLIC_IP,1194,,

Here is what I see in the server's OpenVPN log:

Wed Jun  5 11:39:35 2019 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Wed Jun  5 11:39:35 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan  9 2019
Wed Jun  5 11:39:35 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Wed Jun  5 11:39:35 2019 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Jun  5 11:39:35 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jun  5 11:39:35 2019 ROUTE_GATEWAY 172.26.0.1/255.255.240.0 IFACE=eth0 HWADDR=0a:9c:e4:ab:cc:ce
Wed Jun  5 11:39:35 2019 TUN/TAP device tun0 opened
Wed Jun  5 11:39:35 2019 TUN/TAP TX queue length set to 100
Wed Jun  5 11:39:35 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun  5 11:39:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun  5 11:39:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun  5 11:39:35 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun  5 11:39:35 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun  5 11:39:35 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun  5 11:39:35 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun  5 11:39:35 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jun  5 11:39:35 2019 MULTI: multi_init called, r=256 v=256
Wed Jun  5 11:39:35 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun  5 11:39:35 2019 IFCONFIG POOL LIST
Wed Jun  5 11:39:35 2019 Initialization Sequence Completed
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Initial packet from [AF_INET]THE_CLIENT_PUBLIC_IP:50490, sid=80eafd2f b659fb60
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_VER=2.4.6
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PLAT=win
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PROTO=2
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_NCP=2
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4v2=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZO=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUB=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUBv2=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_TCPNL=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_GUI_VER=OpenVPN_GUI_11
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Username/Password authentication succeeded for username 'dlogan' 
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 [] Peer Connection Initiated with [AF_INET]THE_CLIENT_PUBLIC_IP:50490
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: Learn: 10.8.0.6 -> THE_CLIENT_PUBLIC_IP:50490
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: primary virtual IP for THE_CLIENT_PUBLIC_IP:50490: 10.8.0.6
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun  5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Jun  5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 SIGUSR1[soft,ping-restart] received, client-instance restarting

I have looked at, and tried to adopt settings from, the following articles without success:

https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server/

How to force all traffic through the VPN?

https://askubuntu.com/questions/462533/route-all-traffic-through-openvpn

https://openvpn.net/community-resources/how-to/#redirect

Most likely I just don't have the right combination put together, but I'm at a loss here and could definitely use some help.

If you are able to explain why a given setting might solve the problem, it would be appreciated, as that could help me figure this out if what you give isn't the complete solution.

Tags: iptables
3 answers, 6520 views

3 Answers

  1. Doug
    2019-06-06T07:31:02+08:00

    After a lot of trial and error, reading more resources, and some helpful comments (thanks Meoffrey), this is the working config I ended up with.

    Things that were wrong:

    1) Originally I did not have IP forwarding enabled. This was the key problem.

    2) The iptables rules I had were not needed; all I needed was:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    

    Next is the working configuration.

    OpenVPN server config:

    port 1194
    proto udp4
    dev tun
    
    dh keys/dh2048.pem
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key
    
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /var/log/openvpn/ipp.txt
    keepalive 10 120
    
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    
    status /var/log/openvpn/openvpn-status.log
    log         /var/log/openvpn/openvpn.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    
    duplicate-cn
    max-clients 30
    user nobody
    group nogroup
    mute 20
    explicit-exit-notify 3
    
    plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
    verify-client-cert optional
    
    push "redirect-gateway def1"
    push "dhcp-option DNS 208.67.220.220"
    push "dhcp-option DNS 208.67.222.222"
    

    OpenVPN server /etc/sysctl.conf:

    net.ipv4.ip_forward=1
    

    Installed iptables-persistent with the following /etc/iptables/rules.v4:

    Note: I'm running this on AWS Lightsail, so I have already restricted ports with the AWS network firewall. If you put this on the Internet without that, you will probably want more rules than I have.

    # Generated by iptables-save v1.6.1 on Wed Jun  5 15:14:19 2019
    *mangle
    :PREROUTING ACCEPT [51602:22128126]
    :INPUT ACCEPT [26875:8155930]
    :FORWARD ACCEPT [24727:13972196]
    :OUTPUT ACCEPT [26848:13392260]
    :POSTROUTING ACCEPT [51575:27364456]
    COMMIT
    # Completed on Wed Jun  5 15:14:19 2019
    # Generated by iptables-save v1.6.1 on Wed Jun  5 15:14:19 2019
    *nat
    :PREROUTING ACCEPT [737:43965]
    :INPUT ACCEPT [28:1240]
    :OUTPUT ACCEPT [510:38713]
    :POSTROUTING ACCEPT [510:38713]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Wed Jun  5 15:14:19 2019
    # Generated by iptables-save v1.6.1 on Wed Jun  5 15:14:19 2019
    *filter
    :INPUT ACCEPT [13001:3562550]
    :FORWARD ACCEPT [18127:10646956]
    :OUTPUT ACCEPT [13277:9043865]
    COMMIT
    # Completed on Wed Jun  5 15:14:19 2019
    

    Finally, the OpenVPN client config:

    client
    dev tun
    proto udp
    remote OPENVPNSERVER_PUBLIC_IP 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cipher AES-256-CBC
    comp-lzo
    redirect-gateway def1
    verb 3
    explicit-exit-notify 3
    auth-user-pass
    auth-nocache
    remote-cert-tls server
    
  2. Best Answer
    Meoffrey
    2019-06-06T00:41:30+08:00

    There seems to be a route missing from the server config. The server has to tell the client the new route to join it and the whole VPN subnet. Have a look at something like this, I guess:

    push "route 10.8.0.0 255.255.255.0"
    
  3. oxr463
    2019-06-06T06:10:16+08:00

    So it looks like you are forwarding to eth0, but there doesn't seem to be a rule allowing input on that interface.

    # Allow input on eth0
    iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    

    References:

    • https://unix.stackexchange.com/questions/283801/iptables-forward-traffic-to-vpn-tunnel-if-open
    • https://unix.stackexchange.com/questions/108169/what-is-the-difference-between-m-conntrack-ctstate-and-m-state-state#108186
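Added example, not code from the original post or from any of the answers above. Doug's answer boils the fix down to two things (IPv4 forwarding and a MASQUERADE rule for the VPN subnet) and then ships a filter table whose INPUT and FORWARD policies are ACCEPT, relying on the cloud firewall; oxr463's answer touches on the missing INPUT rules. The script below does the same two things but with default-deny INPUT and FORWARD chains, so the box only accepts the OpenVPN port and SSH, only forwards new flows from the tunnel out the uplink (plus replies), and does not let VPN clients reach the server's own cloud subnet through the tunnel. The subnet, interface names, OpenVPN port, SSH port and the 172.26.0.0/20 cloud subnet are assumptions taken from the thread or chosen for illustration; override them through the environment. `gen_rules` prints an iptables-restore ruleset, `forwarding_enabled` checks a sysctl file (the live kernel value by default), and `apply_rules` enables forwarding persistently and loads the rules atomically after a parse-only dry run.

```shell
#!/bin/sh
# Added example (not from the original post). Default-deny NAT/forwarding
# setup for an OpenVPN server that pushes "redirect-gateway def1".
# Every value below is an assumption; override via the environment.
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"     # from "server 10.8.0.0 255.255.255.0"
TUN_IF="${TUN_IF:-tun0}"              # from "dev tun"
WAN_IF="${WAN_IF:-eth0}"              # uplink that carries the MASQUERADEd traffic
OVPN_PORT="${OVPN_PORT:-1194}"        # from "port 1194" / "proto udp"
SSH_PORT="${SSH_PORT:-22}"            # assumed admin port; keep it reachable
LAN_NET="${LAN_NET:-172.26.0.0/20}"   # assumed: server's own cloud subnet (ifconfig eth0)

# Print an iptables-restore ruleset. FORWARD defaults to DROP: only new flows
# from the tunnel to the uplink (and their replies) are forwarded, and new
# flows from VPN clients into the server's private subnet are dropped first.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${VPN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp --dport ${OVPN_PORT} -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${TUN_IF} -d ${LAN_NET} -j DROP
-A FORWARD -i ${TUN_IF} -o ${WAN_IF} -s ${VPN_NET} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Exit 0 when the given sysctl file holds "1". Defaults to the live kernel
# value, so it doubles as the post-install check from the question.
forwarding_enabled() {
    _f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(tr -d '[:space:]' < "$_f")" = "1" ]
}

# Enable forwarding now and at boot, dry-run the ruleset, load it atomically,
# and save it where iptables-persistent reloads it on boot.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    gen_rules | iptables-restore --test      # parse only; abort before touching live rules
    gen_rules | iptables-restore
    mkdir -p /etc/iptables
    gen_rules > /etc/iptables/rules.v4
    forwarding_enabled && echo "forwarding on, rules loaded"
}

case "${1:-print}" in
    apply) apply_rules ;;
    check) forwarding_enabled && echo "ip_forward=1" || { echo "ip_forward=0" >&2; exit 1; } ;;
    *)     gen_rules ;;                       # default: just print the ruleset
esac
```

Usage: `sh vpn-nat.sh` prints the ruleset for review, `sudo sh vpn-nat.sh apply` installs it, and `sh vpn-nat.sh check` reports whether the kernel is forwarding. The ordering in FORWARD matters: the RELATED,ESTABLISHED rule must come first so replies to existing flows are never hit by the LAN_NET drop, and the drop must precede the tunnel-to-uplink ACCEPT because packets for the cloud subnet also leave via eth0.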
