How to let VPN clients use their local Internet for browsing


I set up an IKEv2 VPN server (road warrior) on CentOS 8 using the strongSwan package, and it works fine. When a client connects, it uses the remote site's Internet for browsing. How can I allow clients to use their local Internet instead? Below are my iptables and firewall rules.

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_INP
-N LIBVIRT_OUT
-N LIBVIRT_FWO
-N LIBVIRT_FWI
-N LIBVIRT_FWX
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT

iptables -S INPUT

-P INPUT ACCEPT
-A INPUT -j LIBVIRT_INP

iptables -S OUTPUT

-P OUTPUT ACCEPT
-A OUTPUT -j LIBVIRT_OUT

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_INP  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_FWX  all  --  anywhere             anywhere            
LIBVIRT_FWI  all  --  anywhere             anywhere            
LIBVIRT_FWO  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  all  --  anywhere             anywhere            

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootpc

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.122.0/24     anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere  


firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1 enp0s20f0u14
  sources: 
  services: cockpit dhcpv6-client http https ipsec openvpn ssh
  ports: 500/udp 4500/udp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule protocol value="esp" accept
    rule protocol value="ah" accept

iptables-save

# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*nat
:PREROUTING ACCEPT [27115:3345403]
:INPUT ACCEPT [69:9680]
:POSTROUTING ACCEPT [3405:252395]
:OUTPUT ACCEPT [214:16188]
:LIBVIRT_PRT - [0:0]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*filter
:INPUT ACCEPT [65756:14700930]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48913:35869992]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*security
:INPUT ACCEPT [47156:11962633]
:FORWARD ACCEPT [78894:39398425]
:OUTPUT ACCEPT [48920:35871732]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*raw
:PREROUTING ACCEPT [150103:54480128]
:OUTPUT ACCEPT [48922:35872348]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*mangle
:PREROUTING ACCEPT [150103:54480128]
:INPUT ACCEPT [65757:14700982]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48923:35872484]
:POSTROUTING ACCEPT [127964:75288423]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 28 12:39:48 2021

Answer 1

Use split tunneling: set the route for 0.0.0.0 to go via the local network, and set the route for the office network (10.0.0.0?) to go via the VPN.
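As an added example (not part of the question or the answer above), this is how the split tunnel the answer describes is expressed on a strongSwan responder. With IKEv2 the server decides what the client routes into the tunnel by the traffic selector it offers: `local_ts = 0.0.0.0/0` makes the client install a default route through the VPN (the behaviour the asker sees), while a `local_ts` limited to the office prefix makes the client send only that prefix through the tunnel and keep its local Internet for everything else. The certificate file, server identity, office prefix 10.0.0.0/24, client pool and DNS address are assumptions; the rest of the server setup (certificates, EAP users) is unchanged.

```conf
# /etc/swanctl/swanctl.conf  (added example, not the asker's configuration)
connections {
    rw {
        version = 2
        local_addrs = %any
        proposals = aes256-sha256-ecp384
        send_certreq = no
        send_cert = always
        pools = rw_pool
        local {
            auth = pubkey
            certs = serverCert.pem          # assumption: server certificate file
            id = vpn.example.com            # assumption: server identity
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                # Full tunnel: the client gets a default route into the VPN and
                # all of its Internet traffic leaves through this server.
                # local_ts = 0.0.0.0/0

                # Split tunnel: only the office network is offered as a traffic
                # selector, so the client routes just this prefix into the tunnel
                # and uses its own local Internet connection for everything else.
                local_ts = 10.0.0.0/24      # assumption: office network
                esp_proposals = aes256gcm16-prfsha384-ecp384
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.10.10.0/24               # assumption: virtual IP pool for clients
        dns = 10.0.0.53                     # assumption: internal resolver for office names
    }
}
```

The equivalent in a legacy ipsec.conf setup is `leftsubnet=10.0.0.0/24` instead of `leftsubnet=0.0.0.0/0`; reload with `swanctl --load-all` (or `ipsec reload`) and confirm the negotiated selector with `swanctl --list-sas`. strongSwan and Apple clients derive their routes from the negotiated selector; the built-in Windows client does not, so it additionally needs split tunneling enabled on the client (`Set-VpnConnection -SplitTunneling $true`) plus a route to the office prefix (`Add-VpnConnectionRoute`). Two caveats worth keeping in mind: with a split tunnel the clients' web traffic no longer passes through the server's egress controls, and the server's `FORWARD` chain (policy `ACCEPT` in the dump above) can be tightened to forward client traffic only towards 10.0.0.0/24, since that is now the only destination the clients legitimately send through it.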
