I set up a PPTPd server on an Ubuntu 18.04 system with kernel 5.0x. From a Win10 system I can connect and ping the server, and I can also ping 8.8.8.8, so DNS works over the VPN. However, I cannot browse web pages or connect to any other port.
I have done the modprobe step (nf_nat_pptp and nf_conntrack_pptp).
By default the server's local address is 192.168.0.1 and the address the client receives is 192.168.0.100. The iptables listing below shows other address ranges that were used for testing.
I am sure this is an iptables problem, but I have no experience reading a rule list and tracking down this kind of issue.
# sysctl -p
net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_helper = 1
# iptables -nvL -t nat --line-number
Chain PREROUTING (policy ACCEPT 239K packets, 23M bytes)
num pkts bytes target prot opt in out source destination
1 252K 25M PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
2 252K 25M PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 50342 packets, 2729K bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 62252 packets, 4500K bytes)
num pkts bytes target prot opt in out source destination
1 62476 4516K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 21854 packets, 1580K bytes)
num pkts bytes target prot opt in out source destination
1 40409 2921K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
2 70 4886 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
3 5 325 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
4 22005 1590K POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
5 22005 1590K POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 6 432 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
7 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
8 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 POST_public all -- * * 0.0.0.0/0 192.168.0.0/24 [goto]
2 22005 1590K POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public (2 references)
num pkts bytes target prot opt in out source destination
1 22005 1590K POST_public_pre all -- * * 0.0.0.0/0 0.0.0.0/0
2 22005 1590K POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
3 22005 1590K POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4 22005 1590K POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
5 22005 1590K POST_public_post all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public_post (1 references)
num pkts bytes target prot opt in out source destination
Chain POST_public_pre (1 references)
num pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 11025 842K PRE_public all -- * * 192.168.0.0/24 0.0.0.0/0 [goto]
2 241K 24M PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public (2 references)
num pkts bytes target prot opt in out source destination
1 252K 25M PRE_public_pre all -- * * 0.0.0.0/0 0.0.0.0/0
2 252K 25M PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
3 252K 25M PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4 252K 25M PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
5 252K 25M PRE_public_post all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_post (1 references)
num pkts bytes target prot opt in out source destination
Chain PRE_public_pre (1 references)
num pkts bytes target prot opt in out source destination
# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5673 557K ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
2 5071 511K ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
3 83 4400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 state NEW
4 1532 141K ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
5 1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 state NEW
6 1759 163K ACCEPT 47 -- eth0 * 0.0.0.0/0 0.0.0.0/0
7 555K 94M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
8 21994 1589K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
9 110K 6423K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
10 72059 4171K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
11 8933 364K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
12 11808 1026K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
13 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
14 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
15 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2072 108K TCPMSS tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2 0 0 TCPMSS tcp -- * * 10.0.0.0/24 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3 3739 194K TCPMSS tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4 0 0 TCPMSS tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
5 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
6 80 5808 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
7 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
8 8862 510K FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
9 8862 510K FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
10 8819 507K FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
11 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
12 8819 507K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
13 0 0 TCPMSS tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp flags:0x17/0x02 TCPMSS set 1356
14 0 0 ACCEPT all -- ppp+ eth0 0.0.0.0/0 0.0.0.0/0
15 0 0 ACCEPT all -- eth0 ppp+ 0.0.0.0/0 0.0.0.0/0
16 0 0 ACCEPT all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 603K packets, 125M bytes)
num pkts bytes target prot opt in out source destination
1 8423 599K ACCEPT 47 -- * eth0 0.0.0.0/0 0.0.0.0/0
2 43988 3795K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 627K 136M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 8862 510K FWDI_public all -- * * 192.168.0.0/24 0.0.0.0/0 [goto]
2 0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 FWDO_public all -- * * 0.0.0.0/0 192.168.0.0/24 [goto]
2 8819 507K FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_direct (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
num pkts bytes target prot opt in out source destination
1 8862 510K FWDI_public_pre all -- * * 0.0.0.0/0 0.0.0.0/0
2 8862 510K FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
3 8862 510K FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4 8862 510K FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
5 8862 510K FWDI_public_post all -- * * 0.0.0.0/0 0.0.0.0/0
6 43 3348 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_post (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDI_public_pre (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
num pkts bytes target prot opt in out source destination
1 8819 507K FWDO_public_pre all -- * * 0.0.0.0/0 0.0.0.0/0
2 8819 507K FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
3 8819 507K FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4 8819 507K FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
5 8819 507K FWDO_public_post all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_post (1 references)
num pkts bytes target prot opt in out source destination
Chain FWDO_public_pre (1 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
num pkts bytes target prot opt in out source destination
1 1214 114K IN_public all -- * * 192.168.0.0/24 0.0.0.0/0 [goto]
2 70845 4058K IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
1 37532 2252K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,143,993,110,995 match-set f2b-postfix-sasl src reject-with icmp-port-unreachable
2 1 60 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
Chain IN_public (2 references)
num pkts bytes target prot opt in out source destination
1 72059 4171K IN_public_pre all -- * * 0.0.0.0/0 0.0.0.0/0
2 72059 4171K IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
3 72059 4171K IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
4 72059 4171K IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
5 20855 1397K IN_public_post all -- * * 0.0.0.0/0 0.0.0.0/0
6 114 6638 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num pkts bytes target prot opt in out source destination
1 2000 84664 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
2 21 868 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
3 27 1460 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 ctstate NEW,UNTRACKED
4 12 496 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 ctstate NEW,UNTRACKED
5 676 36856 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
6 11957 717K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 ctstate NEW,UNTRACKED
7 186 10756 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 ctstate NEW,UNTRACKED
8 4329 238K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
9 25 1368 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 ctstate NEW,UNTRACKED
10 21 1088 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 ctstate NEW,UNTRACKED
11 3 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 ctstate NEW,UNTRACKED
12 114 5008 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:10000:10100 ctstate NEW,UNTRACKED
13 26 1376 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000 ctstate NEW,UNTRACKED
14 31 2022 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW,UNTRACKED
15 7 288 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW,UNTRACKED
16 31049 1629K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1025:65535 ctstate NEW,UNTRACKED
17 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 ctstate NEW,UNTRACKED
18 720 43028 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_post (1 references)
num pkts bytes target prot opt in out source destination
Chain IN_public_pre (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
num pkts bytes target prot opt in out source destination
Answer 1
It looks like something is wrong with your iptables rules. Looking at them, there are a lot of duplicates. For example, take a close look at the POSTROUTING chain: rules #1, 2 and 3 are identical, and rules #6, 7 and 8 are identical as well.
Remember that rules are processed from top to bottom. Take a close look at the POSTROUTING_ZONES chain: rule #1 has no hits (0 packets), which means the traffic was caught by an earlier rule. I suggest cleaning up the rules and re-adding them, making sure there are no duplicates.
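As an added example (not part of the question or the answer above), here is a small Python audit script that applies the answer's top-to-bottom point to a dump like the one in the question. It parses `iptables -nvL --line-number` output, reports rules that repeat an earlier rule in the same chain, and goes one step further than the answer by also reporting rules placed after a catch-all terminating rule (a bare ACCEPT, DROP or REJECT with no match expression), since no packet can ever reach those. The sample input is an excerpt of the question's own listing (nat POSTROUTING and the tail of the filter FORWARD chain); the set of target-option forms it strips from the end of a rule line (reject-with, to:, TCPMSS ..., [goto]) is an assumption of this example, not something the page states.

```python
"""Audit an `iptables -nvL --line-number` dump for duplicate and unreachable rules."""
import re
from dataclasses import dataclass

# Targets that stop traversal of the current chain once a packet matches.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "SNAT", "DNAT"}

# Trailing text that belongs to the target (its options) rather than to the match
# expression. Assumption of this example: these are the option forms seen in such dumps.
TARGET_OPTS = re.compile(
    r"\s*(reject-with \S+|\bto:\S+|TCPMSS (?:clamp to PMTU|set \d+)|\[goto\])\s*$")


@dataclass(frozen=True)
class Rule:
    num: int        # position printed by --line-number
    pkts: str       # packet counter as printed, e.g. "8819" or "507K"
    target: str
    match: tuple    # (prot, opt, in, out, source, destination, match-module text)
    opts: str       # target options, e.g. "reject-with icmp-host-prohibited"


def split_extra(extra):
    """Split the text after the destination column into (match text, target options)."""
    opts = []
    while True:
        m = TARGET_OPTS.search(extra)
        if not m:
            return extra.strip(), " ".join(opts)
        opts.insert(0, m.group(1))
        extra = extra[:m.start()]


def parse_dump(text):
    """Return {chain name: [Rule, ...]} in listing order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None and line[:1].isdigit():
            # columns: num pkts bytes target prot opt in out source destination [extra]
            f = line.split(maxsplit=10)
            if len(f) < 10:
                continue
            match_text, opts = split_extra(f[10] if len(f) > 10 else "")
            chains[current].append(
                Rule(int(f[0]), f[1], f[3], (*f[4:10], match_text), opts))
    return chains


def find_duplicates(chains):
    """(chain, first rule, later rule) for rules that repeat an earlier rule exactly."""
    hits = []
    for name, rules in chains.items():
        seen = {}
        for r in rules:
            key = (r.target, r.match, r.opts)
            if key in seen:
                hits.append((name, seen[key], r.num))
            else:
                seen[key] = r.num
    return hits


def is_catch_all(rule):
    """True when the rule has no match at all: every packet that reaches it matches."""
    prot, _opt, iface_in, iface_out, src, dst, text = rule.match
    return (prot == "all" and iface_in == "*" and iface_out == "*"
            and src == "0.0.0.0/0" and dst == "0.0.0.0/0" and text == "")


def find_unreachable(chains):
    """(chain, rule, blocker) for rules that sit after a catch-all terminating rule."""
    hits = []
    for name, rules in chains.items():
        blocker = None
        for r in rules:
            if blocker is not None:
                hits.append((name, r.num, blocker))
            elif r.target in TERMINATING and is_catch_all(r):
                blocker = r.num
    return hits


# Constructed input: an excerpt of the dump from the question above; rule numbers and
# counters are copied from that listing.
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 21854 packets, 1580K bytes)
num pkts bytes target prot opt in out source destination
1 40409 2921K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
2 70 4886 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
3 5 325 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
4 22005 1590K POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
5 22005 1590K POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 6 432 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
10 8819 507K FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
11 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
12 8819 507K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
13 0 0 TCPMSS tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp flags:0x17/0x02 TCPMSS set 1356
14 0 0 ACCEPT all -- ppp+ eth0 0.0.0.0/0 0.0.0.0/0
15 0 0 ACCEPT all -- eth0 ppp+ 0.0.0.0/0 0.0.0.0/0
16 0 0 ACCEPT all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
"""

if __name__ == "__main__":
    chains = parse_dump(SAMPLE)
    for chain, first, dup in find_duplicates(chains):
        print(f"{chain}: rule {dup} duplicates rule {first}")
    for chain, num, blocker in find_unreachable(chains):
        print(f"{chain}: rule {num} is unreachable, rule {blocker} matches everything first")
```

On the excerpt the script reports POSTROUTING rules 2, 3 and 6 as duplicates of rule 1, and FORWARD rules 13 to 16 (the ppp+ ACCEPT rules) as unreachable behind the catch-all REJECT at rule 12; the zero packet counters on those rules in the question's listing are consistent with that. To audit a live host, replace SAMPLE with the output of `iptables -nvL --line-number` (and of the same command with `-t nat`) and run the two checks the same way.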