Есть:
Сеть 192.168.1.0/24 (шлюз 192.168.1.1) с выходом в Интернет (внешний IP: 345.45.67.89 — условный адрес-заполнитель, октет 345 недопустим в реальном IPv4)
Сервер OpenVPN (CentOS 7) подключён к этой сети через eth0 (192.168.1.2); OpenVPN слушает порт 1194, VPN-интерфейс tun0 обслуживает сеть 10.8.0.0/24.
Правило проброса порта (port forwarding) на шлюзе 192.168.1.1: 345.45.67.89:54321 → 192.168.1.2:1194
Нужно запретить клиентам OpenVPN доступ к хосту 192.168.1.5.
Я пытаюсь добавить правило:
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -d 192.168.1.5 -j DROP
При запуске на самом сервере (по ssh) `curl http://192.168.1.5 -o out` зависает на 0% — то есть для локального трафика правило срабатывает. Но с клиента, подключённого через OpenVPN, http://192.168.1.5 по-прежнему доступен.
tun0 находится в зоне trusted (target ACCEPT) с включённым маскарадом; похоже, проблема в этом. Обратите внимание: цепочка filter/OUTPUT обрабатывает только пакеты, порождённые самим сервером, поэтому локальный curl блокируется. Пакеты клиентов OpenVPN (10.8.0.0/24) сервер не генерирует, а маршрутизирует — они проходят через цепочку FORWARD, и правило в OUTPUT их не затрагивает; маскарадинг (nat/POSTROUTING) применяется уже после решения FORWARD, так что в FORWARD ещё можно матчить исходный адрес клиента из 10.8.0.0/24. Кроме того, зона trusted с target ACCEPT пропускает от VPN-клиентов вообще весь трафик — стоит учитывать это при выборе места для запрещающего правила.
Какие правила следует использовать, чтобы отбрасывать (DROP) подключения из 10.8.0.0/24 к 192.168.1.5, проходящие через сервер?
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 XXX prefixlen 64 scopeid 0x20<link>
ether XXX txqueuelen 1000 (Ethernet)
RX packets 1176345 bytes 119424262 (113.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23934 bytes 17136251 (16.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4 bytes 344 (344.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 344 (344.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 XXX prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 11947 bytes 904082 (882.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15492 bytes 15376868 (14.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
sudo firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: openvpn ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: tun0
sources:
services:
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
sudo firewall-cmd --direct --get-all-rules
ipv4 filter OUTPUT 0 -d 192.168.1.5 -j DROP