Problems caused by iptables rules not being saved because CentOS 7 uses firewalld

The L2TP/IPsec VPN I had only just configured yesterday suddenly stopped working today. After logging in, a tcpdump capture showed packets like this:

    ICMP host 45.32.12.213.vultr.com unreachable - admin prohibited, length 105

Once I stopped firewalld the VPN dialled up normally, so the problem was clear: a bad firewall rule. I dumped all the rules with iptables-save. Although I am not very familiar with the firewall, I roughly knew the cause was some rule rejecting traffic with an ICMP error; a keyword search turned up the material quoted at the end of this post, and a keyword search through the saved rules found two suspicious entries:

    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Deleting them with

    iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited

brought everything back to normal. Then I ran firewall-cmd --reload and it stopped working again. Some more searching showed that iptables has been replaced by firewalld: they are two separate sets of tools, and iptables is only kept for compatibility with what came before. That also explains why the VPN ports were still reachable from outside after the reload: during the VPN installation I had added UDP 500 and 4500 with firewall-cmd --permanent, so they are still there after a reload, while other rules may not be.

(One thing I still wonder about: the NAT forwarding rules were added with iptables, yet they are still in effect, and at what point were those two prohibit rules removed? I specifically checked the rules I had saved yesterday, when the VPN was still working, and the two prohibit rules were present then. So why did reloading the firewall this morning break VPN connection setup? I think I need to understand this more deeply.)

I searched around intending to dig into it; most of the advice online is simply to go back to iptables and stop using firewall-cmd... Honestly, I find firewall-cmd nicer to use. There was also another link I can follow later to keep learning firewalld.
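The failure mode above, as an added example that is not part of the original post. On CentOS 7 firewalld is a front end that installs its own iptables rules, and firewall-cmd --reload rebuilds the chains it manages from the permanent configuration. Rules added (or deleted) with bare iptables commands in those chains are not known to firewalld and are lost at the next reload, which is why removing the final "-j REJECT --reject-with icmp-host-prohibited" entries in INPUT and FORWARD only helped until the reload; the "admin prohibited" message tcpdump showed is ICMP type 3 code 10, exactly what that REJECT target emits. The script below audits an iptables-save dump for those terminating REJECT rules, checks whether the VPN's UDP ports reach an ACCEPT rule, and prints (or, with the argument "run", executes) the firewall-cmd commands that make the L2TP/IPsec rules part of the permanent configuration so they survive a reload. The sample dump is constructed to resemble a CentOS 7 firewalld default, and the 192.168.42.0/24 client subnet is an assumption; neither comes from the original post.

```shell
#!/bin/sh
# Added example (not the original post's commands). Audits an iptables-save dump
# for the terminating REJECT rules firewalld puts at the end of INPUT/FORWARD
# and emits the firewall-cmd commands that make L2TP/IPsec rules permanent.

# CONSTRUCTED excerpt of `iptables-save` on a CentOS 7 host running firewalld,
# with only 22/tcp, 500/udp and 4500/udp opened in the public zone.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_public_allow
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the terminating REJECT rules in the built-in INPUT and FORWARD chains,
# i.e. the ones that answer with "host ... unreachable - admin prohibited".
# Reads an iptables-save dump on stdin.
reject_rules() {
    grep -E '^-A (INPUT|FORWARD) .*-j REJECT' || true
}

# Number of such rules (0 means nothing at the end of INPUT/FORWARD rejects).
count_reject_rules() {
    reject_rules | grep -c . || true
}

# Exit 0 if the dump on stdin contains an ACCEPT rule for PROTO/PORT, else 1.
# Usage: port_accepted udp 1701 < dump
port_accepted() {
    proto=$1; port=$2
    grep -qE -- "-p $proto .*--dport $port .*-j ACCEPT"
}

# firewall-cmd commands that put the L2TP/IPsec rules into firewalld's
# permanent configuration, so every reload re-creates them. The 'ipsec'
# service covers 500/udp, 4500/udp, AH and ESP; 1701/udp is L2TP; the direct
# rule lets traffic from the (assumed) VPN client subnet be forwarded.
# First argument: "dry-run" (default, only print) or "run" (execute).
firewalld_fix() {
    mode=${1:-dry-run}
    vpn_net=${2:-192.168.42.0/24}   # assumed client subnet
    set -- \
        "firewall-cmd --permanent --add-service=ipsec" \
        "firewall-cmd --permanent --add-port=1701/udp" \
        "firewall-cmd --permanent --add-masquerade" \
        "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s $vpn_net -j ACCEPT" \
        "firewall-cmd --reload"
    for c in "$@"; do
        if [ "$mode" = run ]; then $c; else echo "$c"; fi
    done
}

dump=$(sample_rules)
echo "Terminating REJECT rules in INPUT/FORWARD: $(printf '%s\n' "$dump" | count_reject_rules)"
printf '%s\n' "$dump" | reject_rules
for p in 500 4500 1701; do
    if printf '%s\n' "$dump" | port_accepted udp "$p"; then
        echo "udp/$p: ACCEPT rule present"
    else
        echo "udp/$p: no ACCEPT rule, the REJECT above answers with icmp-host-prohibited"
    fi
done
echo "Commands to make the VPN rules permanent:"
firewalld_fix dry-run
```

On a real host, feed it the live ruleset (iptables-save | reject_rules) and run firewalld_fix run once; after that, firewall-cmd --reload keeps the ports open instead of removing them, because the rules live in firewalld's own configuration rather than in the iptables runtime state.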

The REJECT target rejects the packet. If you do not specify which ICMP message to reject with, the server by default will send back ICMP port unreachable (type 3, code 3).

--reject-with modifies this behaviour to send a specific ICMP message back to the source host. You can find information about --reject-with and the available rejection messages in man iptables:

REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type

The type given can be:

  • icmp-net-unreachable (type 3, code 0)
  • icmp-host-unreachable (type 3, code 1)
  • icmp-port-unreachable (type 3, code 3)
  • icmp-proto-unreachable (type 3, code 2)
  • icmp-net-prohibited (type 3, code 9)
  • icmp-host-prohibited (type 3, code 10) or
  • icmp-admin-prohibited (type 3, code 13) (*)

which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won’t accept your mail otherwise).

(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT



When reposting, please credit the source link http://just4fun.im/2017/01/17/e7-94-b1-e4-ba-8ecentos7-e4-bd-bf-e7-94-a8firewall-e5-af-bc-e8-87-b4iptables-e8-a7-84-e5-88-99-e6-9c-aa-e4-bf-9d-e5-ad-98-e5-bc-95-e5-8f-91-e7-9a-84-e9-97-ae-e9-a2-98/ Respect knowledge, thanks :)