首页 注册 登录
V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
广告
anubiskong
V2EX  ›  问与答

用 strongSwan 做了个 VPN, 但是 iptables 不知道如何设置

  •   
  •   anubiskong · 2015-01-05 13:50:16 +08:00 · 6418 次点击
    这是一个创建于 3601 天前的主题,其中的信息可能已经有所发展或是发生改变。

    现在的现象是: 我可以连上VPN, 但是无论开网页还是应用都链接超时
    但是如果我放开所有的iptables限制, 访问完全没有问题, 速度也比较快.
    下面是我的iptables规则, 希望懂得人能指导一下链接超时的原因.

    sudo iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    ACCEPT all -- localhost localhost

    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:33004
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT udp -- anywhere anywhere udp dpt:isakmp
    ACCEPT udp -- anywhere anywhere udp dpt:4500

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
    ACCEPT all -- 10.0.0.0/24 anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    ACCEPT all -- anywhere anywhere

  • anywhere
  • udp
  • iptables
    7 条回复    2015-01-05 16:01:44 +08:00
    chon
        1
    chon  
       2015-01-05 13:55:50 +08:00
    什么叫做「放开所有的iptables限制」?
    yywudi
        2
    yywudi  
       2015-01-05 13:58:41 +08:00
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
    ACCEPT all -- 10.0.0.0/24 anywhere

    REJECT放在ACCEPT的下一行
    anubiskong
        3
    anubiskong  
    OP
       2015-01-05 14:01:12 +08:00
    @chon 清空iptables的所有规则
    anubiskong
        4
    anubiskong  
    OP
       2015-01-05 14:17:56 +08:00
    @yywudi 换成这样了, 还是不行

    ACCEPT all -- localhost localhost
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:33004
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT udp -- anywhere anywhere udp dpt:isakmp
    ACCEPT udp -- anywhere anywhere udp dpt:4500

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- 10.0.0.0/24 anywhere
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    bellchu
        5
    bellchu  
       2015-01-05 15:31:59 +08:00 via iPad
    MASQUERADE 都没有你用ip route转发的?
    bellchu
        6
    bellchu  
       2015-01-05 15:35:53 +08:00 via iPad
    Iptables -nL -t nat
    看看
    anubiskong
        7
    anubiskong  
    OP
       2015-01-05 16:01:44 +08:00
    @bellchu

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
    MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
    MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
    MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5443 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 26ms · UTC 03:42 · PVG 11:42 · LAX 19:42 · JFK 22:42
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.