What is wrong with these iptables rules?

Here is what I found via Google:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain

Here is what I did:

A. Since I am using Debian, I installed iptables-persist.

B. Using sudo, I replaced the default contents of /etc/iptables/rules.v4 with the following:

*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT #allow loopback access
-A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
-A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
-A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -i eth+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
-t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
-A OUTPUT -o eth+ ! -d 111.222.333.444 -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
COMMIT

C. I saved the changes to /etc/iptables/rules.v4 and rebooted the computer. 111.222.333.444 is an example of the IP address of a VPN server in country XYZ.

D. After the reboot, I cannot connect to the VPN server. Something is wrong with the contents of rules.v4.
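As an added example (not from the post, and not part of Debian's iptables-persistent package): a small POSIX shell/awk lint for iptables-restore rules files such as /etc/iptables/rules.v4. It checks the structural constraints that iptables-restore enforces, in particular that a `-t <table>` option is not allowed on a rule line inside a rules file and that NAT rules need their own `*nat` ... `COMMIT` section, which is the layout the rules.v4 above does not follow. The two sample rule sets and the address 203.0.113.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Static lint for an iptables-restore rules file (e.g. /etc/iptables/rules.v4).
# iptables-restore aborts on the first bad line, before COMMIT, so one mistake
# means none of that table's rules are loaded. Findings reported here:
#   - '-t <table>' on a rule line: rejected in rules files; the rule belongs in
#     its own '*<table>' ... 'COMMIT' section
#   - a rule that appears before any '*table' header
#   - a '*table' section that is never closed by COMMIT
# Reads the file named in $1 (stdin if omitted), prints one finding per line and
# exits with the number of findings (0 = structurally clean). Needs no root.
lint_rules_v4() {
    awk '
        BEGIN { table = ""; n = 0 }
        /^[[:space:]]*(#|$)/ { next }                  # blank lines and comments
        /^\*/ {                                         # *filter, *nat, ...
            if (table != "") { print "line " NR ": *" table " not closed by COMMIT"; n++ }
            table = substr($1, 2); next
        }
        /^COMMIT/ { table = ""; next }
        /^:/ { next }                                   # policy lines, e.g. :INPUT ACCEPT [0:0]
        {
            if (table == "") { print "line " NR ": rule outside any *table section"; n++ }
            for (i = 1; i < NF; i++)
                if ($i == "-t" || $i == "--table") {
                    print "line " NR ": -t " $(i+1) " not allowed here; use a *" $(i+1) " section"; n++
                }
        }
        END { if (table != "") { print "EOF: *" table " not closed by COMMIT"; n++ }; exit n }
    ' "${1:-/dev/stdin}"
}

# Constructed sample with the same layout as the rules.v4 in the post:
# a nat rule written with -t inside the *filter section.
BROKEN_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT
-t nat -A POSTROUTING -o tun+ -j MASQUERADE
-A OUTPUT -o eth+ ! -d 203.0.113.10 -j DROP
COMMIT'
# The same rules laid out the way iptables-restore expects: one section per table.
FIXED_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A FORWARD -i tun+ -o eth+ -j ACCEPT
-A OUTPUT -o eth+ ! -d 203.0.113.10 -j DROP
COMMIT
*nat
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT'

printf '%s\n' "$BROKEN_RULES" | lint_rules_v4 || echo "broken sample: $? finding(s)"
printf '%s\n' "$FIXED_RULES"  | lint_rules_v4 && echo "fixed sample: structurally clean"
```

Running it against a real file (`lint_rules_v4 /etc/iptables/rules.v4`) only checks layout; whether the rules themselves do what you intend still has to be verified with `iptables-restore --test` on the host.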
