Eu tenho uma máquina local que se conecta a uma VPN para acesso à Internet e é configurada de modo a não poder acessar a Internet de forma alguma através da VPN, embora a rede local possa ser acessada normalmente. Eu quero permitir que as pessoas na internet se conectem a uma porta específica (80) do meu ip público (não-VPN), embora ainda não permitam qualquer outro acesso à Internet sem a VPN.
$ route -nee
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
0.0.0.0 255.255.255.252 0.0.0.0 UG 0 0 0 tun0 0 0 0
10.8.0.1 255.255.255.252 255.255.255.255 UGH 0 0 0 tun0 0 0 0
10.8.0.4 0.0.0.0 255.255.255.252 U 0 0 0 tun0 0 0 0
VPN_PUBLIC_IP 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0 0 0 0
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0 0 0 0
255.255.255.252 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 0 0 0
(minha LAN está em 192.168.1. , e a VPN usa a sub-rede 10.8.0. , sendo 10.8.0.1 a VPN)
atualmente não tenho regras configuradas com o iptables
Encaminhei a porta 80 do meu roteador para a caixa, mas as solicitações atuais não estão chegando ao apache (ou, pelo menos, não estão aparecendo em nenhum dos logs). Eu posso, no entanto, acessar o apache corretamente de outro computador na minha LAN, e se eu encaminhar a porta através da VPN
Existe alguma maneira simples de fazer isso?
EDITAR:
saída do tcpdump na porta 80:
# tcpdump -i eth0 dst port 80 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:13:52.052868 IP (tos 0x0, ttl 52, id 47824, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x83dc (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771183 ecr 0,nop,wscale 8], length 0
23:13:53.051954 IP (tos 0x0, ttl 52, id 47825, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x82e2 (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771433 ecr 0,nop,wscale 8], length 0
23:13:55.056213 IP (tos 0x0, ttl 52, id 47826, offset 0, flags [DF], proto TCP (6), length 60)
BROWSER_IP > LOCAL_IP: Flags [S], cksum 0x80ed (correct), seq 3242308735, win 29200, options [mss 1460,sackOK,TS val 801771934 ecr 0,nop,wscale 8], length 0
iptables -vnL:
# iptables -vnL
Chain INPUT (policy ACCEPT 16 packets, 1445 bytes)
pkts bytes target prot opt in out source destination
274K 52M LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
271K 52M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
271K 52M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
1779 162K ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
290 16952 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
523 33197 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
523 33197 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
523 33197 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 13 packets, 1372 bytes)
pkts bytes target prot opt in out source destination
260K 643M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
260K 643M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
1432 137K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination