Port forwarding on a Tomato router with the OpenVPN client enabled

Bill

When I enable the OpenVPN client on my Tomato-based router, port forwarding no longer seems to work. I have an Asus RT-N16 router running this firmware:

Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB VPN (Shibby build)

I recently signed up for a VPN service and set up the VPN on the router following the guide they provide: http://www.ipvanish.com/visualguides/OpenVPN/Tomato/

After following the guide, all of my traffic goes through the tunnel, which is great. However, I have an Ubuntu server behind this router that hosts Apache (on ports 80 and 443), and it is no longer reachable from outside. I'm new to VPNs, so please correct me if my theory is wrong. I expected that when WAN requests come in from outside the VPN, they would be answered the same way because of the port forwards. My uneducated guess is that the requests come in, but the responses disappear into the tunnel.

I have seen many posts elsewhere suggesting that additional rules need to be added to the router's iptables, like these:

# nat table: redirect inbound connections on the chosen port to the LAN host
iptables -t nat -A PREROUTING -p tcp --dport <your_port_number> -j DNAT --to-destination <your_destination_IP_address>
# filter table: allow the redirected connections to be forwarded
iptables -A FORWARD -s <your_VPN_IP> -p tcp --dport <your_port_number> -j ACCEPT

However, I have not had any success getting this to work. Is what I want to do possible? If so, which step am I missing? Below is the output of ifconfig and iptables on the router with the VPN client enabled. Thanks.

br0        Link encap:Ethernet  HWaddr BC:AE:C5:E8:2B:72
           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4906280 errors:0 dropped:0 overruns:0 frame:0
           TX packets:6593105 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:3320899619 (3.0 GiB)  TX bytes:3055186673 (2.8 GiB)

eth0       Link encap:Ethernet  HWaddr BC:AE:C5:E8:2B:72
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:12317339 errors:0 dropped:0 overruns:0 frame:0
           TX packets:11550871 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:2602762531 (2.4 GiB)  TX bytes:2190393333 (2.0 GiB)
           Interrupt:4 Base address:0x2000

eth1       Link encap:Ethernet  HWaddr BC:AE:C5:E8:2B:74
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:141603 errors:0 dropped:0 overruns:0 frame:12229612
           TX packets:253818 errors:17 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:11473501 (10.9 MiB)  TX bytes:323350737 (308.3 MiB)
           Interrupt:3 Base address:0x1000

lo         Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
           RX packets:38 errors:0 dropped:0 overruns:0 frame:0
           TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:3675 (3.5 KiB)  TX bytes:3675 (3.5 KiB)

tun11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:172.20.25.181  P-t-P:172.20.25.181  Mask:255.255.248.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:1649 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1186 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:1808407 (1.7 MiB)  TX bytes:129251 (126.2 KiB)

vlan1      Link encap:Ethernet  HWaddr BC:AE:C5:E8:2B:72
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:5125335 errors:0 dropped:0 overruns:0 frame:0
           TX packets:6732029 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:3654686593 (3.4 GiB)  TX bytes:3092936664 (2.8 GiB)

vlan2      Link encap:Ethernet  HWaddr BC:AE:C5:E8:2B:73
           inet addr:98.228.254.52  Bcast:98.228.255.255  Mask:255.255.248.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:7190398 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4818842 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:3021257256 (2.8 GiB)  TX bytes:3392423965 (3.1 GiB)

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  119 10231 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
   14  1470 DROP       all  --  br0    *       0.0.0.0/0            98.228.254.52
  393  163K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
19219 6264K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   11   861 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
42101 2556K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 4974 1716K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3269 2974K ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
  11M   11G            all  --  *      *       0.0.0.0/0            0.0.0.0/0           account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
13009 5871K ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
  122  5288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
37051 2152K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  11M   11G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 5081  302K wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
20195 1208K wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
20300 1216K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3994 packets, 1258K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2186  125K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:49151
 1054 79129 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.132       udp dpt:49151
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:8112
  172 10288 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:443
    5   358 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:993
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:5222
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:5269
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:110
    4   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:26
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.115       tcp dpt:49491
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.115       udp dpt:49491
 1610 83944 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:32400
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:587
    3   168 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:22
   29  1704 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.132       tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.136       udp dpt:88
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.136       tcp dpt:3074
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.136       udp dpt:3074
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.136       tcp dpt:53
   14  1143 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.136       udp dpt:53

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 625 packets, 97194 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5625  364K WANPREROUTING  all  --  *      *       0.0.0.0/0            98.228.254.52
    0     0 DROP       all  --  vlan2  *       0.0.0.0/0            192.168.1.0/24

Chain POSTROUTING (policy ACCEPT 174 packets, 10820 bytes)
 pkts bytes target     prot opt in     out     source               destination
  142  9572 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:49151 to:98.228.254.52
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.132       udp dpt:49151 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:8112 to:98.228.254.52
  333 17356 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:443 to:98.228.254.52
   63  5305 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:993 to:98.228.254.52
    2   230 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:5222 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:5269 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:25 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:110 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:26 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.115       tcp dpt:49491 to:98.228.254.52
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.115       udp dpt:49491 to:98.228.254.52
   10   600 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:32400 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:465 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:587 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:22 to:98.228.254.52
  111  6084 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.132       tcp dpt:80 to:98.228.254.52
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.136       udp dpt:88 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.136       tcp dpt:3074 to:98.228.254.52
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.136       udp dpt:3074 to:98.228.254.52
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.136       tcp dpt:53 to:98.228.254.52
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.136       udp dpt:53 to:98.228.254.52
29907 1817K MASQUERADE  all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 180 packets, 11182 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain WANPREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   172 DNAT       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           to:192.168.1.1
 2103  120K DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:49151 to:192.168.1.132
  834 57491 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:49151 to:192.168.1.132
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8112 to:192.168.1.132
  505 27636 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.1.132
   68  5663 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993 to:192.168.1.132
    3   282 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5222 to:192.168.1.132
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5269 to:192.168.1.132
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.1.132
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 to:192.168.1.132
    4   240 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26 to:192.168.1.132
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:49491 to:192.168.1.115
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:49491 to:192.168.1.115
 1633 85204 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:32400 to:192.168.1.132
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465 to:192.168.1.132
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587 to:192.168.1.132
    3   168 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 to:192.168.1.132
  140  7788 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.1.132
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:88 to:192.168.1.136
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3074 to:192.168.1.136
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:3074 to:192.168.1.136
    1    40 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 to:192.168.1.136
   14  1143 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:192.168.1.136

MariusMatutiae

That is not correct: port forwarding does not stop working. What happens instead is that the replies from your Ubuntu server are routed through the VPN, so when they reach the PC that tried to contact the Ubuntu server, they arrive from a different IP address than the one that PC originally sent its packets to. For all the obvious security reasons, every PC is instructed to drop these spoofed (?) reply packets.

So the basic idea is to make your LAN let the replies (from the Ubuntu server) leave outside the VPN. This requires policy routing, which uses two routing tables at the same time based on the source (not the destination!) IP address. Policy routing is sometimes called source routing.

You can find clear instructions on how to do this on Tomato routers on the Server Fault site, here (the contribution that begins with "I finally did it..."). I think the thread was unjustly closed, as that contribution is quite useful. If you run into a specific problem while following the instructions, come back.
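The following script is an added example, not code from the question or from MariusMatutiae's answer, and not the Server Fault contribution the answer links to. It shows the source-based policy routing the answer describes: packets whose source is the LAN host receiving the port forwards (192.168.1.132, from the question's iptables output) consult a second routing table whose default route points out of the WAN interface (vlan2, from the ifconfig output) rather than the tunnel (tun11). The ISP gateway address WAN_GW, the routing-table id 100, the rule priority 100, and the assumption that `nvram get wan_gateway` returns the WAN gateway on Tomato are all assumptions of this example; the function names are invented here. With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the question, the answer, or the linked thread):
# source-based policy routing so that replies from the port-forwarded LAN host
# leave via the WAN interface instead of the OpenVPN tunnel.
# Assumptions, not on the page: WAN_GW (ISP gateway), table id 100,
# rule priority 100, and that `nvram get wan_gateway` yields the gateway.

SERVER_IP="${SERVER_IP:-192.168.1.132}"   # forwarded-to host, from the question
WAN_IF="${WAN_IF:-vlan2}"                 # WAN interface, from the ifconfig output
TABLE="${TABLE:-100}"                     # extra routing table id (assumption)
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands only, 0 = execute (needs root)

# WAN gateway: read it from nvram when available (assumption: Tomato exposes
# it as wan_gateway), otherwise fall back to a clearly labelled placeholder.
if [ -z "$WAN_GW" ] && command -v nvram >/dev/null 2>&1; then
    WAN_GW="$(nvram get wan_gateway)"
fi
WAN_GW="${WAN_GW:-WAN_GATEWAY_PLACEHOLDER}"

# Print a command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the policy route. In dry-run mode this prints the exact commands.
policy_route_apply() {
    # 1. Give the extra table a default route via the real ISP gateway.
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # 2. Packets whose *source* address is the server consult that table.
    #    Priority 100 sorts before the main table (32766), where the OpenVPN
    #    client's redirect-gateway routes live, so it wins for that host.
    run ip rule add from "$SERVER_IP" table "$TABLE" priority 100
    # 3. Discard cached routing decisions so the new rule takes effect now.
    run ip route flush cache
}

# Undo the policy route (for example from a WAN-down script).
policy_route_remove() {
    run ip rule del from "$SERVER_IP" table "$TABLE" priority 100
    run ip route flush table "$TABLE"
    run ip route flush cache
}

# Commands that show whether the rule and the table are actually in place.
policy_route_show() {
    run ip rule show
    run ip route show table "$TABLE"
}

# Self-check: number of generated rule lines that select the server's source
# address into the extra table (expected: exactly one).
policy_route_rule_count() {
    ( DRY_RUN=1; policy_route_apply ) | grep -c "from $SERVER_IP table $TABLE"
}

# Optional command-line dispatch: ./policy_route.sh apply|remove|show
case "${1:-}" in
    apply|remove|show) "policy_route_$1" ;;
esac
```

On Tomato the `apply` commands belong in the WAN Up script (Administration, Scripts) so they are re-installed after every reconnect, since the kernel drops the extra table's route when the interface goes down. Two caveats a practitioner should keep in mind: the rule matches on source address, so all traffic originated by 192.168.1.132 bypasses the tunnel, not only the replies to forwarded connections, which means that host no longer gets the VPN's protection at all; and the question's own WANPREROUTING chain already shows non-zero DNAT counters for dpt:80 and dpt:443, which confirms the answer's diagnosis that inbound packets are being forwarded and the problem is the return path. Running `policy_route_show` (or `ip rule show` directly) after applying is the quickest way to verify the rule is present and ordered before the main table.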
