I installed a PPTP server in an Ubuntu VM. The Ubuntu host is configured to pass the VPN traffic from external clients to this server and on to internal server resources. Now I need to block these VPN clients from reaching specific external IP addresses or ports. How should I do that?
I tried dropping all outgoing traffic on the host with the following rule:
iptables -I OUTPUT -p udp --dport 9999 -j DROP
But it has no effect on the VPN clients. Adding the same rule inside the VM running PPTP did not work either. How can I block such connections?
Current iptables on the host:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere ctstate RELATED,ESTABLISHED tcp dpt:1723
ACCEPT gre -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT udp -- anywhere anywhere udp 9999 reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere vpn state NEW tcp dpt:1723
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED tcp dpt:1723
ACCEPT gre -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
REJECT udp -- anywhere anywhere udp 9999 reject-with icmp-port-unreachable
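The traffic the question wants to stop is routed on behalf of the VPN clients, so on the host it passes through the FORWARD chain, never through OUTPUT (OUTPUT only sees packets the host itself originates). The script below is an added example, not code from the question or the answer: it emits the FORWARD rule that rejects forwarded traffic from the VPN clients' address range to a chosen destination and port, inserted at position 1 so it sits above the broad ACCEPT rules, and it checks a chain dump in `iptables -S` format for a blocking rule that is shadowed by an earlier catch-all ACCEPT. The address range `VPN_NET`, the destination `203.0.113.10` and both sample dumps are assumptions constructed for the example; whether the host sees the clients as the VM subnet or as the ppp address pool depends on whether the VM masquerades them, which the question does not say.

```shell
#!/bin/sh
# Added example (not from the question or answer): build FORWARD-chain rules
# that stop traffic routed on behalf of PPTP clients, and check the rule order
# of an existing chain dump.
#
# Assumption: VPN_NET is the range the host sees VPN client traffic coming
# from. If the VM masquerades its ppp clients this is the VM subnet seen in
# the question's FORWARD rules; otherwise it is the ppp address pool.
VPN_NET="192.168.122.0/24"

# Print the iptables command that rejects forwarded traffic from VPN_NET to
# one destination (default: any) and port. Position 1 puts it before the
# broad ACCEPT rules; a rule placed after "ACCEPT all" would never be reached.
# OUTPUT is the wrong chain for this: routed packets traverse FORWARD only.
forward_block_rule() {
    proto="$1"; port="$2"; dst="${3:-0.0.0.0/0}"
    printf 'iptables -I FORWARD 1 -s %s -d %s -p %s --dport %s -j REJECT --reject-with icmp-port-unreachable\n' \
        "$VPN_NET" "$dst" "$proto" "$port"
}

# Check a dump produced by `iptables -S FORWARD` for the given port.
# Prints "ok" (exit 0) when a REJECT/DROP for that port is listed before the
# first catch-all ACCEPT, "shadowed" (exit 1) otherwise. A catch-all ACCEPT
# is one without --dport and without an ESTABLISHED state match, since a
# stateful accept does not pass the first packet of a new flow.
check_order() {
    dump="$1"; port="$2"
    printf '%s\n' "$dump" | awk -v port="$port" '
        /-A FORWARD/ { n++ }
        /-A FORWARD/ && $0 ~ ("--dport " port "( |$)") && /-j (REJECT|DROP)/ && !blk { blk = n }
        /-A FORWARD/ && /-j ACCEPT/ && $0 !~ /--dport/ && $0 !~ /ESTABLISHED/ && !acc { acc = n }
        END {
            if (blk && (!acc || blk < acc)) { print "ok"; exit 0 }
            print "shadowed"; exit 1
        }'
}

# Constructed sample dumps (not taken from the question).
# Sample 1: the block rule sits below a general ACCEPT for the VM subnet.
SAMPLE_SHADOWED='-A FORWARD -s 192.168.122.0/24 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -p udp -m udp --dport 9999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j ACCEPT'
# Sample 2: the block rule comes first, as forward_block_rule places it.
SAMPLE_OK='-A FORWARD -s 192.168.122.0/24 -p udp -m udp --dport 9999 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -j ACCEPT'

# Usage when run directly: print the rules to review, then check both dumps.
forward_block_rule udp 9999
forward_block_rule tcp 25 203.0.113.10   # 203.0.113.10 is a placeholder address
echo "sample 1 (ACCEPT first): $(check_order "$SAMPLE_SHADOWED" 9999)"
echo "sample 2 (REJECT first): $(check_order "$SAMPLE_OK" 9999)"
```

The script only prints the commands; apply them as root after reviewing, and run `iptables -S FORWARD | sh -c 'check_order "$(cat)" 9999'`-style checks against the live chain to confirm the block rule is not shadowed. Rules added with `iptables` are lost at reboot unless saved with the distribution's persistence mechanism.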
Answer 0: (score: 0)
What is the output of your iptables -L? Is your rule above the accept rule? Did you save your iptables?