これで、ownCloud Webインターフェイスを使用して外部からポート80にアクセスできるようになりました。しかし、OpenVPN接続を介してのみアクセスしたいと思います。私は実行しようとしています:
# iptables -I INPUT -i eth0 -p tcp --dport 80 -j REJECT
# ip6tables -I INPUT -i eth0 -p tcp --dport 80 -j REJECT
ルールは機能しますが、ポート80は外部サイトから引き続きアクセスできます。
# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq portid ac1f6b4db9fa state UP group default qlen 1000
link/ether ac:1f:6b:4d:b9:fa brd ff:ff:ff:ff:ff:ff
inet 93.90.192.155/32 brd 93.90.192.155 scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:8d8:1801:61::1/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe4d:b9fa/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop portid ac1f6b4db9fb state DOWN group default qlen 1000
link/ether ac:1f:6b:4d:b9:fb brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ac:9a:05:e2 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
6: br-3e70ad5e4d73: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:fd:b1:80:27 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 scope global br-3e70ad5e4d73
valid_lft forever preferred_lft forever
7: br-4dc510063f2a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:7b:9d:e2:e7 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 scope global br-4dc510063f2a
valid_lft forever preferred_lft forever
inet6 fe80::42:7bff:fe9d:e2e7/64 scope link
valid_lft forever preferred_lft forever
2000: br-7009c9b53be2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ce:4a:31:5d brd ff:ff:ff:ff:ff:ff
inet 172.20.0.1/16 scope global br-7009c9b53be2
valid_lft forever preferred_lft forever
inet6 fe80::42:ceff:fe4a:315d/64 scope link
valid_lft forever preferred_lft forever
2028: vethf9b0f83@if2027: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7009c9b53be2 state UP group default
link/ether d6:1f:65:42:b0:89 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::d41f:65ff:fe42:b089/64 scope link
valid_lft forever preferred_lft forever
2030: veth4e42ada@if2029: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7009c9b53be2 state UP group default
link/ether 96:86:a6:73:45:4e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::9486:a6ff:fe73:454e/64 scope link
valid_lft forever preferred_lft forever
2032: veth96694cc@if2031: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7009c9b53be2 state UP group default
link/ether 6e:92:09:b6:ec:a8 brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::6c92:9ff:feb6:eca8/64 scope link
valid_lft forever preferred_lft forever
2038: tun6: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 192.168.223.1/24 brd 192.168.223.255 scope global tun6
valid_lft forever preferred_lft forever
inet6 fd00:c0a8:df00::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9ec6:43f0:ab47:4cc4/64 scope link flags 800
valid_lft forever preferred_lft forever
# iptables-save -c
# Generated by iptables-save v1.6.0 on Tue Dec 11 17:29:00 2018
*nat
:PREROUTING ACCEPT [5616:316476]
:INPUT ACCEPT [3829:209148]
:OUTPUT ACCEPT [466:37373]
:POSTROUTING ACCEPT [2848:179661]
:DOCKER - [0:0]
[24860:1336310] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[1029:61686] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 192.168.223.0/24 -o eth0 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j MASQUERADE
[36:2312] -A POSTROUTING -s 172.20.0.0/16 ! -o br-7009c9b53be2 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-4dc510063f2a -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-3e70ad5e4d73 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.4/32 -d 172.20.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.223.0/24 -j SNAT --to-source 172.17.0.1
[0:0] -A DOCKER -i br-7009c9b53be2 -j RETURN
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-4dc510063f2a -j RETURN
[0:0] -A DOCKER -i br-3e70ad5e4d73 -j RETURN
[786:46280] -A DOCKER ! -i br-7009c9b53be2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.20.0.4:8080
COMMIT
# Completed on Tue Dec 11 17:29:00 2018
# Generated by iptables-save v1.6.0 on Tue Dec 11 17:29:00 2018
*filter
:INPUT ACCEPT [129372:32447827]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [128998:23100691]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
[0:0] -A INPUT -i tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[0:0] -A FORWARD -o tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[0:0] -A FORWARD -i tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[116329:40795012] -A FORWARD -j DOCKER-ISOLATION
[111111:35660642] -A FORWARD -o br-7009c9b53be2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2486:148280] -A FORWARD -o br-7009c9b53be2 -j DOCKER
[2732:4986090] -A FORWARD -i br-7009c9b53be2 ! -o br-7009c9b53be2 -j ACCEPT
[2350:141000] -A FORWARD -i br-7009c9b53be2 -o br-7009c9b53be2 -j ACCEPT
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -o br-4dc510063f2a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-4dc510063f2a -j DOCKER
[0:0] -A FORWARD -i br-4dc510063f2a ! -o br-4dc510063f2a -j ACCEPT
[0:0] -A FORWARD -i br-4dc510063f2a -o br-4dc510063f2a -j ACCEPT
[0:0] -A FORWARD -o br-3e70ad5e4d73 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-3e70ad5e4d73 -j DOCKER
[0:0] -A FORWARD -i br-3e70ad5e4d73 ! -o br-3e70ad5e4d73 -j ACCEPT
[0:0] -A FORWARD -i br-3e70ad5e4d73 -o br-3e70ad5e4d73 -j ACCEPT
[0:0] -A FORWARD -s 192.168.223.0/24 -j ACCEPT
[0:0] -A OUTPUT -o tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[132:7040] -A DOCKER -d 172.20.0.4/32 ! -i br-7009c9b53be2 -o br-7009c9b53be2 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A DOCKER-ISOLATION -i br-4dc510063f2a -o br-7009c9b53be2 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-7009c9b53be2 -o br-4dc510063f2a -j DROP
[0:0] -A DOCKER-ISOLATION -i br-3e70ad5e4d73 -o br-7009c9b53be2 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-7009c9b53be2 -o br-3e70ad5e4d73 -j DROP
[0:0] -A DOCKER-ISOLATION -i docker0 -o br-7009c9b53be2 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-7009c9b53be2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-3e70ad5e4d73 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION -i docker0 -o br-3e70ad5e4d73 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-4dc510063f2a -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION -i docker0 -o br-4dc510063f2a -j DROP
[0:0] -A DOCKER-ISOLATION -i br-3e70ad5e4d73 -o br-4dc510063f2a -j DROP
[0:0] -A DOCKER-ISOLATION -i br-4dc510063f2a -o br-3e70ad5e4d73 -j DROP
[401460:103833650] -A DOCKER-ISOLATION -j RETURN
COMMIT
# ip route
default via 10.255.255.1 dev eth0
10.255.255.1 dev eth0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-4dc510063f2a proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-3e70ad5e4d73 proto kernel scope link src 172.19.0.1 linkdown
172.20.0.0/16 dev br-7009c9b53be2 proto kernel scope link src 172.20.0.1
192.168.223.0/24 dev tun6 proto kernel scope link src 192.168.223.1
ベストアンサー1
コメントすることができないので、直接返信する必要があります。同じサーバーにVPNがある場合は、次のことが役立ちます。
iptables -A INPUT -i vpninterface -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j REJECT
VPNが別のサーバーにある場合は、他のサーバーをホワイトリストに追加できます。
iptables -A INPUT -p tcp -s <serverip> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j REJECT
ただし、OwnCloudがSSL証明書(正式ではない場合があります)を使用している場合は、ポート443が必要になることがあります。