LINUX.ORG.RU


Firewall configuration for WireGuard

Forum — Admin

Hi all. I set out to build my own VPN server: bought a VPS, set up WireGuard and nftables. I have questions about nftables; the config is as follows:

01 #!/usr/sbin/nft -f
02
03 flush ruleset
04 
05 table inet filter {
06 	chain input {
07 		type filter hook input priority filter; policy drop;
08 		ct state invalid counter packets 0 bytes 0 drop
09 		iifname "lo" accept
10 		icmp type echo-request counter packets 0 bytes 0 accept
11 		ct state established,related counter packets 0 bytes 0 accept
12 		iifname "enp3s0" tcp dport 22 counter packets 0 bytes 0 accept
13 		iifname "enp3s0" udp dport 44830 counter packets 0 bytes 0 accept
14 	}
15 
16 	chain forward {
17 		type filter hook forward priority filter; policy drop;
18 		ct state invalid drop
19 		ct state established,related,new counter packets 0 bytes 0 accept
20 	}
21 
22 	chain output {
23 		type filter hook output priority filter; policy accept;
24 	}
25 }
26 table ip nat {
27 	chain prerouting {
28 		type nat hook prerouting priority dstnat; policy accept;
29 	}
30 
31 	chain postrouting {
32 		type nat hook postrouting priority srcnat; policy accept;
33 		oifname "enp0s3" counter packets 0 bytes 0 masquerade
34 	}
35 }

  • If the input and forward chains in the filter table are set to policy drop, do lines [08] and [18] make any sense?

  • For iptables these lines were enough:
iptables -A INPUT -i enp0s3 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i enp0s3 -p udp --dport 53830 -j ACCEPT
iptables -A INPUT -i enp0s3 -j DROP
iptables -A FORWARD -i eth0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j DROP
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

But when porting the rules to nftables I had to add state new on line [19]; is that the right approach?


  • And most importantly, curl broke. Examples: the kali-linux image downloads, but the console prints all sorts of garbage
curl -Lv https://kali.download/arm-images/kali-2022.3/kali-linux-2022.3-raspberry-pi-zero-2-w-armhf.img.xz -o NUL
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 104.18.103.100:443...
* Connected to kali.download (104.18.103.100) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET /arm-images/kali-2022.3/kali-linux-2022.3-raspberry-pi-zero-2-w-armhf.img.xz HTTP/1.1
> Host: kali.download
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 25 Oct 2022 03:43:19 GMT
< Content-Type: application/octet-stream
< Content-Length: 2079663332
< Connection: keep-alive
< Last-Modified: Tue, 09 Aug 2022 13:52:26 GMT
< ETag: "62f2669a-7bf524e4"
< Expires: Thu, 31 Dec 2037 23:55:55 GMT
< Cache-Control: max-age=315360000
< CF-Cache-Status: HIT
< Age: 50
< Accept-Ranges: bytes
< Server: cloudflare
< CF-RAY: 75f7f284ad7abfb4-WAW
<
{ [2340 bytes data]
* schannel: failed to decrypt data, need more data
{ [99725 bytes data]
* schannel: failed to decrypt data, need more data
....
and so on

But alpine doesn't download at all, it just hangs like this:

C:\#share>curl -Lv https://dl-cdn.alpinelinux.org/alpine/v3.16/releases/x86_64/alpine-standard-3.16.2-x86_64.iso -o NUL
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.114.133:443...
* Connected to dl-cdn.alpinelinux.org (151.101.114.133) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
  0     0    0     0    0     0      0      0 --:--:--  0:01:02 --:--:--     0

The -k flag doesn't help

That means I haven't configured everything correctly. Where should I look?


dnsis
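The ruleset below is an added example, not the poster's config and not anything from the thread; it shows how the three questions above are usually handled in nftables. It assumes one WAN interface named enp0s3 (the posted config uses enp3s0 in the input chain but enp0s3 in postrouting; whichever name is wrong, rules on it never match, and with policy drop that alone would block the WireGuard port), a WireGuard interface wg0 listening on UDP 44830, and the tunnel subnet 10.0.0.0/24 from the iptables rule. The points it illustrates: line [08] is not pointless under policy drop, because it runs before `tcp dport 22 accept`, which has no state qualifier, so without it an out-of-state packet to port 22 would be accepted; line [18] as posted is redundant with [19], since invalid is never established, related or new, but it earns its place again as soon as the forward chain has rules that don't check state. Instead of accepting `new` in every direction (which makes the host forward anything routed through it), the forward chain accepts replies from the WAN side and new connections only from the tunnel subnet, which is what the iptables version allowed. The MSS clamp is a check, not a confirmed diagnosis: the curl symptom (TLS connects, then zero bytes arrive and -k changes nothing; on the kali download the schannel "need more data" lines are curl's normal verbose output, not an error) is the usual signature of an MTU problem through a tunnel, and clamping TCP MSS to the route MTU on the server is the first thing to try.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (assumed names: WAN enp0s3, tunnel wg0 on udp/44830,
# tunnel subnet 10.0.0.0/24). Not the poster's configuration.

define wan     = "enp0s3"
define wg      = "wg0"
define wg_port = 44830
define wg_net  = 10.0.0.0/24

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# Keep this even with policy drop: it runs before the port-based
		# accepts below, which have no ct state qualifier, so a stray
		# out-of-window packet to tcp/22 is dropped here instead of accepted.
		ct state invalid drop
		iifname "lo" accept
		ct state established,related accept

		# Rate-limited echo plus the ICMPv6 types needed for neighbour
		# discovery; policy drop on an inet table would otherwise break IPv6.
		icmp type echo-request limit rate 5/second accept
		icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

		# Only the WAN interface may open SSH sessions or deliver WireGuard.
		iifname $wan tcp dport 22 ct state new accept
		iifname $wan udp dport $wg_port accept
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state invalid drop

		# Clamp TCP MSS on SYN/SYN-ACK to the MTU of the outgoing route
		# (1420 on wg0 by default), so large TLS records fit the tunnel.
		tcp flags syn tcp option maxseg size set rt mtu

		# WAN -> tunnel: replies only, same as the iptables rule.
		iifname $wan oifname $wg ct state established,related accept
		# Tunnel -> WAN: new connections, but only from the tunnel subnet,
		# rather than "ct state new" for every forwarded packet.
		iifname $wg oifname $wan ip saddr $wg_net accept
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# Masquerade only the tunnel subnet, matching the iptables -s 10.0.0.0/24.
		ip saddr $wg_net oifname $wan masquerade
	}
}
```

Load it with `nft -c -f <file>` first to syntax-check without touching the running ruleset, then `nft -f <file>`; the `tcp option maxseg size set rt mtu` action needs a reasonably recent nft and kernel, so if the checker rejects that line the alternative is to lower the MTU in the client's WireGuard config instead. If the alpine download still stalls after the clamp is in place, the problem is not in this firewall and the next place to look is the path MTU between the client and the server.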