How do I forward venet0:1 through iptables?

pityonline
Posts: 3864
Joined: 2008-12-09 12:44
From: Beijing

#1

Post by pityonline » 2010-09-14 22:20

The unfortunate thing has happened: my main IP got banned. For now I'm making do with the backup IP, but the backup IP can't be used for OpenVPN, which is very annoying. Please help me take a look.

Server side: sudo openvpn /etc/openvpn/server.conf

Code:

Tue Sep 14 22:08:47 2010 Initialization Sequence Completed
Tue Sep 14 22:08:47 2010 MULTI: multi_create_instance called
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 Re-using SSL/TLS context
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 LZO compression initialized
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 Local Options hash (VER=V4): '530fdded'
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 Expected Remote Options hash (VER=V4): '41690919'
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 TLS: Initial packet from [AF_INET]125.39.160.250:42601, sid=4413bede fd98a302
Tue Sep 14 22:09:47 2010 125.39.160.250:42601 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 14 22:09:47 2010 125.39.160.250:42601 TLS Error: TLS handshake failed
Tue Sep 14 22:09:47 2010 125.39.160.250:42601 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Sep 14 22:09:48 2010 MULTI: multi_create_instance called
Tue Sep 14 22:09:48 2010 125.39.160.250:43001 Re-using SSL/TLS context
Tue Sep 14 22:09:48 2010 125.39.160.250:43001 LZO compression initialized
Tue Sep 14 22:09:48 2010 125.39.160.250:43001 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Sep 14 22:09:48 2010 125.39.160.250:43001 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 14 22:09:48 2010 125.39.160.250:43001 Local Options hash (VER=V4): '530fdded'
Tue Sep 14 22:09:48 2010 125.39.160.250:43001 Expected Remote Options hash (VER=V4): '41690919'
Tue Sep 14 22:09:48 2010 125.39.160.250:43001 TLS: Initial packet from [AF_INET]125.39.160.250:43001, sid=0b9305e8 e41e86b6
Client side: sudo openvpn --config /etc/openvpn/client.conf

Code:

Tue Sep 14 22:07:43 2010 LZO compression initialized
Tue Sep 14 22:07:43 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Sep 14 22:07:43 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 14 22:07:43 2010 Local Options hash (VER=V4): '41690919'
Tue Sep 14 22:07:43 2010 Expected Remote Options hash (VER=V4): '530fdded'
Tue Sep 14 22:07:43 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
Tue Sep 14 22:07:43 2010 UDPv4 link local: [undef]
Tue Sep 14 22:07:43 2010 UDPv4 link remote: [AF_INET]64.120.233.241:1194
Tue Sep 14 22:08:43 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 14 22:08:43 2010 TLS Error: TLS handshake failed
Tue Sep 14 22:08:43 2010 TCP/UDP: Closing socket
Tue Sep 14 22:08:43 2010 SIGUSR1[soft,tls-error] received, process restarting
Tue Sep 14 22:08:43 2010 Restart pause, 2 second(s)
Tue Sep 14 22:08:45 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Sep 14 22:08:45 2010 Re-using SSL/TLS context
Tue Sep 14 22:08:45 2010 LZO compression initialized
Tue Sep 14 22:08:45 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Sep 14 22:08:45 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 14 22:08:45 2010 Local Options hash (VER=V4): '41690919'
Tue Sep 14 22:08:45 2010 Expected Remote Options hash (VER=V4): '530fdded'
Tue Sep 14 22:08:45 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
Tue Sep 14 22:08:45 2010 UDPv4 link local: [undef]
Tue Sep 14 22:08:45 2010 UDPv4 link remote: [AF_INET]64.120.233.241:1194
Both ends keep reconnecting against each other and never succeed; it looks like the crypto handshake is failing. My feeling is that it's an iptables rule problem: it seems the IP 64.120.233.241 simply isn't being forwarded. My forwarding rule lives in /etc/rc.local and runs automatically at boot, this one line:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet1 -j SNAT --to-source 64.120.233.241
Before the main IP was banned it always forwarded through the venet0 interface without any problem. Written as above it doesn't work, because there is no venet1 interface on the VPS at all; the backup IP's interface is venet0:1, but replacing venet1 with venet0:1 and running it gives:

Code:

Warning: weird character in interface `venet0:1' (No aliases, :, ! or *).
So the interface name can't be written that way. What do I do now?

Attaching the ifconfig output:

Code:

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: ::1/128 Scope:Host
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:13097 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13711 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4961999 (4.9 MB)  TX bytes:3443700 (3.4 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:64.120.233.240  P-t-P:64.120.233.240  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:64.120.233.241  P-t-P:64.120.233.241  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
Last edited by pityonline on 2010-09-14 22:23, edited 1 time in total.
Pity is the bomp!
Living means tinkering! As long as there is life, the tinkering never stops!
See what these guys are up to? @pityonline/u
Dropbox+Vps+PC is up and running! Here is the invite link
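An added example, not part of the post above: the label `venet0:1` that ifconfig prints is not an interface of its own. It is a second address attached to venet0, and `iptables -o` only accepts real device names, which is what the "weird character in interface" warning is saying. The address is selected by `--to-source`, so the rule keeps `-o venet0` and only the source address changes. The shell below is the editor's code (function names are my own); the ifconfig text it parses is a copy of the listing in the post. It derives the device name from the label, confirms that the requested address really is configured under that label, and prints the rule; for a label it cannot find it fails instead of emitting a rule with an address the host does not own. Two notes for practice: `ip -4 addr show dev venet0` lists every address on the device without relying on alias labels, and a rule appended from rc.local is best guarded with `iptables -t nat -C ...` on current iptables (or loaded through iptables-restore) so that repeated runs do not stack duplicate rules.

```sh
#!/bin/sh
# Added example (editor's, not the poster's): build the SNAT rule for a
# secondary address that ifconfig shows under an alias label such as
# venet0:1. The label is not a device; iptables -o needs the real device
# (venet0) and the source address is chosen with --to-source.
#
# The ifconfig text below is a copy of the listing in the post.
IFCONFIG_SAMPLE='venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:64.120.233.240  P-t-P:64.120.233.240  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:64.120.233.241  P-t-P:64.120.233.241  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1'

# base_dev LABEL -> prints the real device name (everything before ':').
base_dev() {
    printf '%s\n' "${1%%:*}"
}

# label_addr LABEL -> prints the IPv4 address ifconfig lists under LABEL;
# exit status 1 if the label does not appear in the listing.
label_addr() {
    addr=$(printf '%s\n' "$IFCONFIG_SAMPLE" \
        | awk -v want="$1" '
            $1 == want { found = 1; next }
            found && $1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }
            /^[^ ]/ { found = 0 }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# snat_rule LABEL VPN_SUBNET -> prints the iptables command to run, or
# fails when LABEL carries no address on this host.
snat_rule() {
    label=$1; subnet=$2
    dev=$(base_dev "$label")
    addr=$(label_addr "$label") || {
        echo "no address configured under $label" >&2
        return 1
    }
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$subnet" "$dev" "$addr"
}

snat_rule venet0:1 10.8.0.0/24
```

Run it with `sh` on the box; it only prints the rule, so the printed line can be checked against `ip -4 addr` before it is pasted into rc.local under root.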
delectate
Posts: 18311
Joined: 2008-01-09 22:41

Re: How do I forward venet0:1 through iptables?

#2

Post by delectate » 2010-09-14 22:21

Bump!
WenBin
Posts: 34
Joined: 2007-02-15 18:14

Re: How do I forward venet0:1 through iptables?

#3

Post by WenBin » 2010-09-14 22:32

Speaking of which, I never even managed to get my openvpn configured.
Re: How do I forward venet0:1 through iptables?

#4

Post by pityonline » 2010-09-14 22:32

delectate wrote: Bump!
Thanks for the bump!
Re: How do I forward venet0:1 through iptables?

#5

Post by pityonline » 2010-09-14 22:33

WenBin wrote: Speaking of which, I never even managed to get my openvpn configured.
Open the signature of the poster above you and look there, that's all it takes…
oneleaf
Forum administrator
Posts: 10441
Joined: 2005-03-27 0:06
System: Ubuntu 12.04

Re: How do I forward venet0:1 through iptables?

#6

Post by oneleaf » 2010-09-14 22:47

Try changing it back to venet0?
Re: How do I forward venet0:1 through iptables?

#7

Post by pityonline » 2010-09-14 22:55

oneleaf wrote: Try changing it back to venet0?
venet0 has already been banned…

Or, moving the backup IP onto venet0 would work too, but I guess only the provider can do that?
Re: How do I forward venet0:1 through iptables?

#8

Post by pityonline » 2010-09-15 0:04

I actually went ahead and swapped the IP addresses of venet0:0 and venet0:1:

Code:

sudo ifconfig venet0:0 64.120.233.241 netmask 255.255.255.255
The result was that it killed venet0:0, because it reported "FILE EXISTS"; checking with sudo ifconfig, venet0:0 was gone. Then I ran:

Code:

sudo ifconfig venet0:1 64.120.233.240 netmask 255.255.255.255
No output, so it succeeded, but at that moment the ssh connection dropped too, because venet0:1 had become 64.120.233.240 and that IP is already banned; the only IP left on my VPS was a banned one and it could not be reached. Luckily the ssh account I had bought earlier still worked: I logged in there, ssh'ed from it to 64.120.233.240, checked with ifconfig, and it was exactly as expected! So I ran:

Code:

sudo ifconfig venet0:0 64.120.233.241 netmask 255.255.255.255
to set the IP address of venet0:0; checking with ifconfig again gives:

Code:

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:64.120.233.241  P-t-P:64.120.233.241  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:64.120.233.240  P-t-P:64.120.233.240  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
Success!

Re-ran iptables:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 64.120.233.241
But the openvpn problem is unchanged:

Code:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
It looks like a problem with TLS verification; do I have to regenerate the certificates? Searching online I found this:
This could mean your packets are being blocked by a firewall, your certificates on both ends don't match, or the IPs or subnet masks are wrong in your config files. A common problem is that users forget that Windows XP now comes with its own firewall enabled by default. Check to make sure Norton Security or some other security program is not running on the Windows client. It may be necessary to log out of Windows and login again before the changes take effect.
Quoted from: http://brneurosci.org/linuxsetup71.html
Roughly, it says this may be related to the firewall, the certificates, or the IP/subnet mask settings. A certificate problem seems unlikely, because everything worked fine until the IP was banned. I'm puzzled…
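An added example, not part of the post above, that reads the two logs from post #1 the way a practitioner would. First, the POSTROUTING rule only rewrites packets from 10.8.0.0/24 leaving venet0, that is, tunnel clients' traffic after the VPN is up; the TLS handshake is UDP/1194 between the client and the server's own address and is never touched by that rule, so it cannot be what breaks the handshake. Second, the server logs "TLS: Initial packet from [AF_INET]125.39.160.250:42601", so the client's packets do arrive; the client never logs a matching "TLS: Initial packet" (nothing follows "UDPv4 link remote"), so nothing from the server gets back. The options hashes cross-match (server local 530fdded is the client's expected remote, client local 41690919 is the server's expected remote), so the two configs agree with each other. That leaves the return path: either the server answers from a different source address than the one the client wrote to (a UDP server listening on all addresses of a multi-address host can do that; OpenVPN 2.1 has `multihome`, and `local <address>`, for exactly this case), or the replies are dropped between the hosts. `tcpdump -ni venet0 udp port 1194` on the server shows which source address the outgoing replies carry and distinguishes the two. The thread does not confirm either explanation, and the swap in post #8 did not change the outcome. The code is the editor's (function names are mine); the log lines are copies from the thread, and the server.conf fragments are constructed, since the poster's config is not shown.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): classify the OpenVPN
# handshake failure from the server and client logs, and check whether a
# server config pins the UDP reply source on a host with several addresses.
#
# Log excerpts below are copies of lines posted in the thread.
SERVER_LOG='Tue Sep 14 22:08:47 2010 Initialization Sequence Completed
Tue Sep 14 22:08:47 2010 125.39.160.250:42601 TLS: Initial packet from [AF_INET]125.39.160.250:42601, sid=4413bede fd98a302
Tue Sep 14 22:09:47 2010 125.39.160.250:42601 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 14 22:09:47 2010 125.39.160.250:42601 TLS Error: TLS handshake failed'

CLIENT_LOG='Tue Sep 14 22:07:43 2010 UDPv4 link remote: [AF_INET]64.120.233.241:1194
Tue Sep 14 22:08:43 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 14 22:08:43 2010 TLS Error: TLS handshake failed'

# Constructed server.conf fragments (the poster's file is not shown).
# Without "local" or "multihome" the server listens on every address of
# the host, so its UDP replies may leave from the primary address rather
# than the one the client wrote to.
SERVER_CONF_OPEN='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0'

SERVER_CONF_PINNED='port 1194
proto udp
dev tun
local 64.120.233.241
server 10.8.0.0 255.255.255.0'

# saw_initial LOG -> 0 if this side received the peer's first TLS packet.
saw_initial() {
    printf '%s\n' "$1" | grep -q 'TLS: Initial packet from'
}

# diagnose SERVER_LOG CLIENT_LOG -> one word:
#   ok            client reached "Initialization Sequence Completed"
#   request-lost  server never saw the client: client->server path
#   reply-lost    server saw the client, client saw nothing back
#   both-pass     both directions deliver; look at keys/certs, not routing
diagnose() {
    server=$1; client=$2
    if printf '%s\n' "$client" | grep -q 'Initialization Sequence Completed'; then
        echo ok
    elif ! saw_initial "$server"; then
        echo request-lost
    elif saw_initial "$client"; then
        echo both-pass
    else
        echo reply-lost
    fi
}

# reply_source_pinned CONF -> 0 if the config binds one address ("local X")
# or sets "multihome", so replies carry the address the client sent to.
reply_source_pinned() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*(local[[:space:]]+[^[:space:]#]+|multihome)[[:space:]]*(#.*)?$'
}

# fix_for CONF -> advice when the reply source is not pinned.
fix_for() {
    if reply_source_pinned "$1"; then
        echo "reply source already pinned"
    else
        echo "add 'multihome' (or 'local <address the clients connect to>') to server.conf"
    fi
}

diagnose "$SERVER_LOG" "$CLIENT_LOG"
fix_for "$SERVER_CONF_OPEN"
```

A "reply-lost" verdict says where to look next (the server's outgoing replies), not what the cause is; only a capture on venet0 while a client connects settles whether the replies leave with the right source address and whether anything is dropped on the way.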
Re: How do I forward venet0:1 through iptables?

#9

Post by delectate » 2010-09-15 0:25

sudo… safety first indeed.

At first I also set up an ordinary user and escalated with sudo, but later I thought: if someone can steal that ordinary user's password, they can surely escalate with sudo too, and if they can't escalate they'll go looking for an overflow; unless you restrict the login IPs, none of it is safe.
Re: How do I forward venet0:1 through iptables?

#10

Post by pityonline » 2010-09-15 0:38

delectate wrote: sudo… safety first indeed.

At first I also set up an ordinary user and escalated with sudo, but later I thought: if someone can steal that ordinary user's password, they can surely escalate with sudo too, and if they can't escalate they'll go looking for an overflow; unless you restrict the login IPs, none of it is safe.
If you're afraid of this and that, you can't get anything done. All we can do is put extra work into the places we can think of; if an attacker has the resources and the determination, a break-in is only a matter of time…

Good news: the blog is back!
Re: How do I forward venet0:1 through iptables?

#11

Post by delectate » 2010-09-15 0:46

Stall them, then; the longer it takes, the better.
Re: How do I forward venet0:1 through iptables?

#12

Post by oneleaf » 2010-09-15 8:38

Wouldn't it be better to just use ssh port forwarding? Messing with openvpn is a lot of hassle, and it isn't fast either.
Re: How do I forward venet0:1 through iptables?

#13

Post by pityonline » 2010-09-15 8:56

The ssh connection keeps showing these, endlessly…

Code:

channel 26: open failed: connect failed: Connection timed out
channel 13: open failed: connect failed: Connection timed out
channel 14: open failed: connect failed: Connection timed out
channel 21: open failed: connect failed: Connection timed out
channel 25: open failed: connect failed: Connection timed out
channel 27: open failed: connect failed: Connection timed out
channel 28: open failed: connect failed: Connection timed out
channel 32: open failed: connect failed: Connection timed out
channel 33: open failed: connect failed: Connection timed out
channel 34: open failed: connect failed: Connection timed out
channel 36: open failed: connect failed: Connection timed out
channel 37: open failed: connect failed: Connection timed out
channel 38: open failed: connect failed: Connection timed out
channel 39: open failed: connect failed: Connection timed out
channel 40: open failed: connect failed: Connection timed out
channel 41: open failed: connect failed: Connection timed out
channel 43: open failed: connect failed: Connection timed out
channel 30: open failed: connect failed: Connection timed out
channel 42: open failed: connect failed: Connection timed out
channel 47: open failed: connect failed: Connection timed out
channel 48: open failed: connect failed: Connection timed out
channel 49: open failed: connect failed: Connection timed out
channel 50: open failed: connect failed: Connection timed out
channel 4: open failed: connect failed: Connection timed out
channel 15: open failed: connect failed: Connection timed out
channel 16: open failed: connect failed: Connection timed out
channel 13: open failed: connect failed: Connection timed out
channel 5: open failed: connect failed: Connection timed out
channel 3: open failed: connect failed: Connection timed out
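An added example, not part of the post above, on reading the lines in it. A "channel N: open failed: ..." message is printed by the local ssh client when the sshd at the far end could not open the connection that a -D (SOCKS) or -L forward asked for. "connect failed: Connection timed out" means sshd on the VPS tried to reach the destination and got no answer, so the ssh session itself is fine and the problem is the VPS's outbound path to those destinations; "administratively prohibited" would instead mean sshd is not allowed to forward at all (AllowTcpForwarding or PermitOpen), and "Connection refused" that the destination host answered but nothing listens on that port. The code is the editor's (function names are mine): it classifies such lines, counts them by kind, and builds the forwarding command with the options a practitioner wants, in particular a SOCKS listener bound to 127.0.0.1 so that nothing else on the local network can use the proxy. The sample lines are copies from the post plus two constructed OpenSSH messages.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): read the "channel N: open
# failed" lines an ssh client prints during a -D SOCKS forward, and build
# the forward command with sensible options.
#
# Two lines are copies from the post; the last two are constructed to show
# the other OpenSSH messages a practitioner has to tell apart.
SAMPLE_LOG='channel 26: open failed: connect failed: Connection timed out
channel 13: open failed: connect failed: Connection timed out
channel 3: open failed: connect failed: Connection refused
channel 5: open failed: administratively prohibited: open failed'

# classify_channel_error LINE -> one word saying where the open failed:
#   remote-egress      sshd on the VPS tried to connect out and timed out
#   remote-refused     sshd reached the target host, which refused the port
#   forwarding-denied  sshd refuses to forward (AllowTcpForwarding/PermitOpen)
#   unknown            anything else
classify_channel_error() {
    case $1 in
        *"open failed: connect failed: Connection timed out"*) echo remote-egress ;;
        *"open failed: connect failed: Connection refused"*)   echo remote-refused ;;
        *"open failed: administratively prohibited"*)          echo forwarding-denied ;;
        *) echo unknown ;;
    esac
}

# count_errors LOG -> prints "<kind> <count>" for each kind, sorted by kind.
count_errors() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            "channel "*) classify_channel_error "$line" ;;
        esac
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# socks_cmd USER HOST [PORT] -> the ssh command for a loopback-only SOCKS proxy.
#   -N                         no remote shell, forwarding only
#   -D 127.0.0.1:1080          bind the SOCKS listener to loopback, not 0.0.0.0
#   ExitOnForwardFailure=yes   exit instead of silently running without the forward
#   ServerAliveInterval=30     notice a dead link instead of hanging forever
socks_cmd() {
    user=$1; host=$2; port=${3:-22}
    printf 'ssh -N -D 127.0.0.1:1080 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -p %s %s@%s\n' \
        "$port" "$user" "$host"
}

count_errors "$SAMPLE_LOG"
socks_cmd user 64.120.233.241
```

When the count is dominated by remote-egress, the thing to test is plain outbound connectivity from the VPS itself (for example with `curl` or `nc` run on the VPS to the same destinations), not the ssh configuration.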
Re: How do I forward venet0:1 through iptables?

#14

Post by oneleaf » 2010-09-15 9:37

Try connecting to the other IP, the one that still works.
Re: How do I forward venet0:1 through iptables?

#15

Post by pityonline » 2010-09-15 9:44

oneleaf wrote: Try connecting to the other IP, the one that still works.
Before the ban, both IPs behaved this same way, which is why I switched to openvpn…