Blocking outgoing traffic from PPTP clients

Time: 2018-07-02 07:29:53

Tags: networking iptables pptp

I have a PPTP server installed in an Ubuntu VM. The Ubuntu host is configured to pass the VPN traffic from external clients through to this server and on to the internal server resources. Now I need to block these VPN clients from reaching a specific external IP address or port. How should I do that?

I tried dropping all output traffic on the host with the following rule:

iptables -I OUTPUT -p udp --dport 9999 -j DROP

But it does not work for the VPN clients. Adding this rule to the VM that runs PPTP does not work either. How can I block such connections?

Current iptables on the host:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             vpn                  state NEW tcp dpt:1723
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable
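The detail that decides where a rule like this belongs: packets that a VPN client sends *through* the server are forwarded, not generated locally, so they traverse the FORWARD chain and never touch OUTPUT. On the VM they arrive on the pppd interfaces (ppp0, ppp1, ...), after GRE decapsulation; on the host they arrive from the VM on the libvirt bridge and again go through FORWARD. The rule also has to sit in front of the broad ACCEPT rules already in that chain, otherwise it is never reached. The script below is an added example, not part of the original question or answer: it builds a LOG plus REJECT pair for the VM's FORWARD chain, matching traffic that enters on any ppp interface. The destination 203.0.113.10 is a constructed documentation address; port 9999 comes from the question; the rate limit and log prefix are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Blocks traffic that PPTP
# clients send through the VPN server, and logs attempts so the block
# is visible in the kernel log. Assumes: iptables is installed, pppd
# creates ppp+ interfaces for the clients, and the script runs on the
# VM that terminates PPTP (the host would see the same packets in its
# own FORWARD chain, coming from the VM's bridge, never in OUTPUT).

# Print the iptables commands for one destination/protocol/port so they
# can be reviewed before anything is changed. Both rules are inserted
# (-I) at fixed positions at the top of FORWARD: the LOG rule at 1 and
# the REJECT rule at 2, ahead of the existing "ACCEPT all" entries.
pptp_block_rules() {
    iface=$1; dst=$2; proto=$3; port=$4
    # Rate-limited log line first, so a client hammering the blocked
    # port cannot flood the log (6 entries per minute is an assumption).
    printf 'iptables -I FORWARD 1 -i %s -p %s -d %s --dport %s -m limit --limit 6/min -j LOG --log-prefix "pptp-egress-block: "\n' \
        "$iface" "$proto" "$dst" "$port"
    # REJECT rather than DROP: the client gets an immediate error instead
    # of a hanging connection, which is easier to troubleshoot.
    printf 'iptables -I FORWARD 2 -i %s -p %s -d %s --dport %s -j REJECT --reject-with icmp-port-unreachable\n' \
        "$iface" "$proto" "$dst" "$port"
}

# Run the commands, or only echo them when DRY_RUN=1 is set. Each line
# is tried with -C first so re-running the script does not add
# duplicate rules (the -C check is built by swapping -I <chain> <pos>
# for -C <chain>).
pptp_block_apply() {
    pptp_block_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '[dry-run] %s\n' "$cmd"
            continue
        fi
        check=$(printf '%s' "$cmd" | sed 's/ -I FORWARD [0-9]* / -C FORWARD /')
        if sh -c "$check" 2>/dev/null; then
            printf 'already present: %s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Demo only when explicitly asked for, so sourcing this file changes
# nothing: DRY_RUN=1 sh thisfile.sh
if [ "${DRY_RUN:-0}" = 1 ]; then
    pptp_block_apply 'ppp+' 203.0.113.10 udp 9999
fi
```

After applying, `iptables -L FORWARD -v -n --line-numbers` shows the two rules at positions 1 and 2; the pkts/bytes counters on the REJECT line and the `pptp-egress-block:` entries in `dmesg` or `journalctl -k` are the check that client traffic is actually hitting the rule. If the counters stay at zero while clients still reach the port, the packets are not passing through this chain on this machine (for example they are leaving through the host instead), and the same pair of rules belongs in the host's FORWARD chain, matched on the interface the VM's traffic arrives on.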

1 answer:

Answer 0 (score: 0)

What is your iptables -L output? Is your rule above the accept? Did you save your iptables?