Set up a VPN with strongSwan, but I don't know how to configure iptables

2015-01-05 13:50:16 +08:00
 anubiskong

What happens now is: I can connect to the VPN, but whether I open a web page or an app, the connection times out.
But if I lift all iptables restrictions, access works fine and is fairly fast.
Below are my iptables rules; I hope someone who knows this can point out the cause of the connection timeouts.

sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

ACCEPT all -- localhost localhost

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:33004
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:4500

Chain FORWARD (policy ACCEPT)
target prot opt source destination

REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- 10.0.0.0/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

ACCEPT all -- anywhere anywhere

6249 views
Node: Q&A (问与答)
7 replies
chon
2015-01-05 13:55:50 +08:00
What do you mean by "lift all iptables restrictions"?
yywudi
2015-01-05 13:58:41 +08:00
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- 10.0.0.0/24 anywhere

Put the REJECT on the line after the ACCEPT.
anubiskong
2015-01-05 14:01:12 +08:00
@chon Flush all iptables rules.
anubiskong
2015-01-05 14:17:56 +08:00
@yywudi Changed it to this, still doesn't work.

ACCEPT all -- localhost localhost
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:33004
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:4500

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
bellchu
2015-01-05 15:31:59 +08:00
There's no MASQUERADE at all? Are you forwarding with ip route?
bellchu
2015-01-05 15:35:53 +08:00
iptables -nL -t nat
Have a look at that.
anubiskong
2015-01-05 16:01:44 +08:00
@bellchu

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
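The two points the replies make, put together: in FORWARD the ACCEPT rules must sit before the catch-all REJECT, and NAT needs a MASQUERADE rule for the VPN pool. The rule set posted after yywudi's fix still has a gap, though: its only FORWARD ACCEPT matches "-s 10.0.0.0/24", so the client's outbound packets pass, but the replies (destination 10.0.0.x after de-NAT in PREROUTING) fall through to the REJECT. The nat output also shows the same MASQUERADE rule four times, which is what a plain "-A" in a boot script produces on every run. The script below is an added example written for this thread, not code from any of the posters or from strongSwan. It assumes an uplink interface named eth0 and the pool, ports and SSH port from the thread; the "-m policy --pol ipsec" match is an addition that restricts forwarding to packets that actually arrived through an IPsec SA. By default it only prints the commands; run it with APPLY=1 as root to execute them.

```shell
#!/bin/sh
# Added example: firewall rules for a strongSwan gateway that hands out
# virtual IPs from 10.0.0.0/24 (the pool seen in the thread).
# The values below are assumptions; adjust them for your host.
VPN_POOL="${VPN_POOL:-10.0.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"        # assumed uplink interface name
SSH_PORT="${SSH_PORT:-33004}"   # the non-standard SSH port from the thread

# Emit one command per rule as "check, else append" so that re-running the
# script never adds a duplicate (the thread's nat table shows the same
# MASQUERADE rule four times, the usual result of plain -A at every boot).
rule() {
    table="$1"; shift   # $1 = table, rest = rule spec without the -A
    printf 'iptables -t %s -C %s 2>/dev/null || iptables -t %s -A %s\n' \
        "$table" "$*" "$table" "$*"
}

vpn_rules() {
    # Without IP forwarding the FORWARD chain is never consulted at all.
    echo 'sysctl -w net.ipv4.ip_forward=1'

    # INPUT: what the gateway itself accepts.
    rule filter 'INPUT -i lo -j ACCEPT'
    rule filter 'INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    rule filter "INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    rule filter 'INPUT -p udp --dport 500 -j ACCEPT'    # IKE (isakmp)
    rule filter 'INPUT -p udp --dport 4500 -j ACCEPT'   # IKE / ESP with NAT-T
    rule filter 'INPUT -p esp -j ACCEPT'                # plain ESP, no NAT in path

    # FORWARD: order matters, and both directions need a rule. Matching only
    # "-s $VPN_POOL" lets client packets out; the replies, whose destination
    # is in the pool, would otherwise hit the catch-all REJECT below.
    rule filter 'FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    rule filter "FORWARD -s $VPN_POOL -m policy --dir in --pol ipsec -j ACCEPT"
    rule filter 'FORWARD -j REJECT --reject-with icmp-port-unreachable'

    # NAT: masquerade pool traffic only where it leaves on the uplink.
    rule nat "POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE"
}

# Line number of the first emitted command matching $1 (used to verify ordering).
rule_index() { vpn_rules | grep -n -- "$1" | head -n1 | cut -d: -f1; }

# Print the commands; with APPLY=1 (as root) execute them, stopping on error.
if [ "${APPLY:-0}" = 1 ]; then vpn_rules | sh -e; else vpn_rules; fi
```

To see what would change on a live box, compare the printed rules against "iptables -S" and "iptables -t nat -S"; because every line is a "-C ... || -A ..." pair, running the script twice leaves the tables unchanged.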

https://www.v2ex.com/t/159352