V2EX = way to explore

V2EX 是一个关于分享和探索的地方

For Existing Member Sign In

Distributions

› Ubuntu

› Fedora

› CentOS

中文资源站

› 网易开源镜像站

This topic created in 3486 days ago, the information mentioned may be changed or developed.

在 vps 上部署了 shadowvpn ， shadowvpn 启动的时候会运行 server_up.sh 这个脚本将两条规则（-A FORWARD -s 10.7.0.0/16 -m state --state RELATED,ESTABLISHED -j ACCEPT 和 -A FORWARD -d 10.7.0.0/16 -j ACCEPT ）写入 iptables 。

我的 iptables 里有下面两条默认的规则在 iptables 的最底部。 -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icml-host-prohibited

问题是 server_up.sh 注入的规则都放在了默认两条规则的下面，这也就意味着注入的规则失效了。

下面是 server_up.sh 脚本的内容 #!/bin/sh

This script will be executed when server is up. All key value pairs (except

password) in ShadowVPN config file will be passed to this script as

environment variables.

Turn on IP forwarding

sysctl -w net.ipv4.ip_forward=1

Configure IP address and MTU of VPN interface

ip addr add $net dev $intf ip link set $intf mtu $mtu ip link set $intf up

turn on NAT over VPN

if !(iptables-save -t nat | grep -q "shadowvpn"); then iptables -t nat -A POSTROUTING -s $net ! -d $net -m comment --comment "shadowvpn" -j MASQUERADE fi iptables -A FORWARD -s $net -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -d $net -j ACCEPT