
I have finished setting up the OpenVPN server, and clients can connect to the VPN server. I also changed the iptables rules so that the private network (Docker, MySQL, Kafka) can be reached.
The VPN clients can reach the MySQL server and the Kafka server, but they cannot reach the Docker server. Below I have listed the iptables rules of the Docker server.
Please check the connection to the Docker server.
MySQL server rules (working with the VPN client)
root@app-db:/home/Mysqldb# sudo iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere icmp echo-request
3 ACCEPT tcp -- 192.168.30.0/24 anywhere
4 ACCEPT tcp -- anywhere anywhere tcp dpt:27017
5 ACCEPT tcp -- app-server anywhere tcp dpt:27017 state NEW,ESTABLISHED
6 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere app-server tcp spt:27017 state ESTABLISHED
2 ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
Docker server rules: (not working with the VPN client)
root@Docker-server:/home/contus# sudo iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT tcp -- ec2-xxx.xxx.xxx.xxx.compute-1.amazonaws.com anywhere tcp dpt:ssh
3 ACCEPT tcp -- pool-xx.xx.x.xx.washdc..net anywhere
4 ACCEPT tcp -- xxx.xxx.xxx.0/24 anywhere tcp dpt:ssh
5 ACCEPT tcp -- xxx.xxx.xxx.xxx anywhere
6 ACCEPT tcp -- ec2-xx.xx.xx.xx.compute-1.amazonaws.com anywhere
7 ACCEPT tcp -- 192.168.30.0/24 anywhere
8 ACCEPT tcp -- 10.8.0.0/24 anywhere tcp dpt:http ctstate NEW,ESTABLISHED
9 ACCEPT icmp -- anywhere anywhere icmp echo-request
10 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
11 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
12 ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
2 DOCKER-INGRESS all -- anywhere anywhere
3 DOCKER-ISOLATION all -- anywhere anywhere
4 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
5 DOCKER all -- anywhere anywhere
6 ACCEPT all -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere
8 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
9 DOCKER all -- anywhere anywhere
10 ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp spt:http ctstate ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere icmp echo-reply
3 ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
4 ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
Chain DOCKER (2 references)
num target prot opt source destination
Chain DOCKER-INGRESS (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:4000
2 ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp spt:4000
3 ACCEPT tcp -- anywhere anywhere tcp dpt:3000
4 ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp spt:3000
5 ACCEPT tcp -- anywhere anywhere tcp dpt:5000
6 ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp spt:5000
7 RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 DROP all -- anywhere anywhere
3 RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
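As an added example from the editor, not code from the question or from any answer: the following Python script parses the `iptables -L --line-numbers` text quoted above and walks the INPUT chain for a hypothetical connection the way netfilter does, reporting the first rule that matches or the chain policy if none does. It deliberately simplifies: only the INPUT chain is evaluated, `anywhere` matches everything, CIDR ranges and single IPs are compared numerically, hostnames and the `xxx` placeholders cannot be resolved offline and are treated as non-matching, and the packet is assumed to be a NEW connection unless stated otherwise. The two sample chains are the INPUT chains quoted in the question; the VPN client address 10.8.0.5 is a constructed address inside the 10.8.0.0/24 range that appears in the Docker rules.

```python
import ipaddress
import re

# Constructed sample input: the two INPUT chains quoted in the question,
# copied as-is (placeholder hostnames such as ec2-xxx... stay unresolvable).
MYSQL_INPUT = """\
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere icmp echo-request
3 ACCEPT tcp -- 192.168.30.0/24 anywhere
4 ACCEPT tcp -- anywhere anywhere tcp dpt:27017
5 ACCEPT tcp -- app-server anywhere tcp dpt:27017 state NEW,ESTABLISHED
6 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
"""

DOCKER_INPUT = """\
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT tcp -- ec2-xxx.xxx.xxx.xxx.compute-1.amazonaws.com anywhere tcp dpt:ssh
3 ACCEPT tcp -- pool-xx.xx.x.xx.washdc..net anywhere
4 ACCEPT tcp -- xxx.xxx.xxx.0/24 anywhere tcp dpt:ssh
5 ACCEPT tcp -- xxx.xxx.xxx.xxx anywhere
6 ACCEPT tcp -- ec2-xx.xx.xx.xx.compute-1.amazonaws.com anywhere
7 ACCEPT tcp -- 192.168.30.0/24 anywhere
8 ACCEPT tcp -- 10.8.0.0/24 anywhere tcp dpt:http ctstate NEW,ESTABLISHED
9 ACCEPT icmp -- anywhere anywhere icmp echo-request
10 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
11 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
12 ACCEPT tcp -- anywhere anywhere tcp dpt:http
"""

# Service names that iptables -L prints instead of numbers (no -n flag).
PORT_NAMES = {"ssh": 22, "http": 80}


def port_number(token):
    """Map a dpt:/spt: token (name or number) to an integer port."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    if token.isdigit():
        return int(token)
    raise ValueError(f"unknown service name {token!r}; use iptables -n or extend PORT_NAMES")


def parse_chain(text):
    """Parse one chain of `iptables -L --line-numbers` output.
    Returns (chain name, default policy, list of rule dicts)."""
    lines = text.strip().splitlines()
    m = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
    if not m:
        raise ValueError("expected a 'Chain NAME (policy X)' header line")
    rules = []
    for line in lines[2:]:  # skip the header and the column-title line
        parts = line.split()
        if len(parts) < 6:
            continue
        num, target, prot, _opt, src, _dst = parts[:6]
        extra = " ".join(parts[6:])  # match extensions: dpt:, ctstate, ...
        dpt = re.search(r"dpt:(\S+)", extra)
        st = re.search(r"\b(?:ctstate|state) (\S+)", extra)
        rules.append({
            "num": int(num), "target": target, "prot": prot, "src": src,
            "dport": port_number(dpt.group(1)) if dpt else None,
            "states": set(st.group(1).split(",")) if st else None,
        })
    return m.group(1), m.group(2), rules


def source_matches(rule_src, ip):
    """'anywhere' matches all; CIDR/IP is compared numerically; hostnames and
    placeholders cannot be resolved offline and are treated as non-matching."""
    if rule_src == "anywhere":
        return True
    try:
        net = ipaddress.ip_network(rule_src, strict=False)
    except ValueError:
        return False
    return ipaddress.ip_address(ip) in net


def evaluate(chain_text, src_ip, proto="tcp", dport=None, state="NEW"):
    """Walk the chain top to bottom as netfilter does; return (verdict, rule
    number). The rule number is None when the chain policy decided."""
    _name, policy, rules = parse_chain(chain_text)
    for r in rules:
        if r["prot"] not in ("all", proto):
            continue
        if not source_matches(r["src"], src_ip):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"], r["num"]
    return policy, None


if __name__ == "__main__":
    vpn_client = "10.8.0.5"  # constructed address inside the 10.8.0.0/24 pool
    for label, chain, port in (("MySQL", MYSQL_INPUT, 27017),
                               ("Docker", DOCKER_INPUT, 3000)):
        verdict, num = evaluate(chain, vpn_client, "tcp", port)
        where = f"rule {num}" if num else "chain policy"
        print(f"{label}: {vpn_client} -> tcp/{port}: {verdict} ({where})")
```

Running it puts the two hosts side by side: on the MySQL chain a VPN source reaches an `anywhere` rule for the service port, while on the Docker chain a source in 10.8.0.0/24 only hits the rule limited to `dpt:http`, and every other destination port falls through to the DROP policy. Note the scope of the simulation: it covers the INPUT path only. Traffic that Docker DNATs to a container is routed through FORWARD (where the DOCKER-* chains above are hooked) and never reaches INPUT, so a real diagnosis also needs `iptables -t nat -L -n` and `iptables -L FORWARD -n -v` from the Docker host.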