What is wrong with these iptables rules?

This is what I found by googling:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain

This is what I did:

A. Since I am using Debian, I installed iptables-persistent.

B. Using sudo, I replaced the default /etc/iptables/rules.v4 with the following:

*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT #allow loopback access
-A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
-A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -i eth+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
-t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
-A OUTPUT -o eth+ ! -d 111.222.333.444 -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
COMMIT

C. I saved the changes to /etc/iptables/rules.v4 and rebooted the computer. 111.222.333.444 is an example of the IP address of the VPN server located in country XYZ.

D. After rebooting, I cannot connect to the VPN server. There is something wrong with the contents of rules.v4.
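The rules.v4 file above is not in the layout iptables-restore reads: every table gets its own `*table` ... `COMMIT` block, so a `-t nat` rule cannot sit inside the `*filter` block, and only lines that begin with `#` are skipped as comments, so text after a rule is handed to iptables as extra arguments. As an added example that is not part of the original post, the Python script below lints a rules.v4 file for those structural problems and for malformed IPv4 addresses. It runs over an abridged constructed copy of the question's file and over a corrected layout of the same policy; the corrected file uses 203.0.113.10 (a documentation-range address) as a placeholder for the VPN server, and the linter does not parse quoted strings such as `--comment` arguments.

```python
"""Lint an iptables-restore (rules.v4) file for layout mistakes that make
iptables-restore reject it. Added example; both rule sets below are
constructed samples, not a real host's files."""
import re

# Abridged constructed copy of the question's rules.v4 (keeps the three
# problem lines: an inline comment, a -t nat rule, an impossible address).
QUESTION_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT #allow loopback access
-A OUTPUT -d 255.255.255.255 -j ACCEPT
-A INPUT -s 255.255.255.255 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -i eth+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT
-t nat -A POSTROUTING -o tun+ -j MASQUERADE
-A OUTPUT -o eth+ ! -d 111.222.333.444 -j DROP
COMMIT
"""

# Same policy in the layout iptables-restore expects: one *table ... COMMIT
# block per table, comments on their own lines. 203.0.113.10 is a placeholder
# for the VPN server address (TEST-NET-3 documentation range).
FIXED_RULES = """\
*filter
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# DHCP broadcast
-A OUTPUT -d 255.255.255.255 -j ACCEPT
-A INPUT -s 255.255.255.255 -j ACCEPT
# local network
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
# eth+ <-> tun+ forwarding
-A FORWARD -i eth+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT
# kill switch: nothing leaves eth+ except traffic to the VPN server
-A OUTPUT -o eth+ ! -d 203.0.113.10 -j DROP
COMMIT
*nat
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$")


def bad_ipv4(token: str) -> bool:
    """True if token looks like a dotted quad (optionally /prefix) but is not
    a valid IPv4 address. Hostnames and other syntaxes are left alone."""
    m = IPV4.match(token)
    if not m:
        return False
    octets = [int(x) for x in m.groups()[:4]]
    prefix = m.group(5)
    return any(o > 255 for o in octets) or (prefix is not None and int(prefix) > 32)


def lint_rules(text: str) -> list:
    """Return [(line_number, message), ...] for layout problems in a rules.v4."""
    findings = []
    table = None          # name of the *table block we are inside, if any
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue      # blank lines and whole-line comments are skipped
        if line.startswith("*"):
            if table is not None:
                findings.append((n, f"*{line[1:]} opened before COMMIT of *{table}"))
            table = line[1:]
            continue
        if line == "COMMIT":
            if table is None:
                findings.append((n, "COMMIT with no open table"))
            table = None
            continue
        if table is None:
            findings.append((n, "rule outside any *table ... COMMIT block"))
        if "#" in line:   # does not understand quoted strings (e.g. --comment)
            findings.append((n, "inline '#' text is passed to iptables as arguments; "
                                "only lines starting with '#' are comments"))
            line = line.split("#", 1)[0].strip()
        tokens = line.split()
        if "-t" in tokens or "--table" in tokens:
            findings.append((n, "-t/--table not allowed; move the rule under "
                                "its own *table section"))
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-s", "--source", "-d", "--destination") and bad_ipv4(tokens[i + 1]):
                findings.append((n, f"invalid IPv4 address {tokens[i + 1]}"))
    if table is not None:
        findings.append((len(lines), f"*{table} never committed"))
    return findings


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: {lint_rules(rules) or 'no problems found'}")
```

On the host itself, `iptables-restore --test < /etc/iptables/rules.v4` parses the file without committing it and reports the first line it rejects. A file that iptables-persistent cannot load at boot leaves the filter table untouched, so the leak-blocking DROP rule is not in place either, which is worth checking with `iptables -S OUTPUT` after every reboot.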
