[SOLVED] [iptables] Linux (not gateway) + OpenVpn, need forwarding rules.
* Road warriors can access all resources of the local LAN (ping PCS, print, view shares)
* Road warriors can access all resources on the 3 servers (NatHack).
* All routes are working OK (OpenVPN pushes the route 172.16.1.0 to the client)
This is my little iptables config (copied from this forum) (living in /etc/rc.local)
Code:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
My goal:
* Road warriors can only access the 2 Windows servers (all their ports: 80, 25, 8080) and the Linux server.
* Road warriors can't access the other PCs/printers on the LAN
What I need
* Help configuring iptables to avoid VPN (tun0) accessing some resources on the LAN (eth0)
* Is it correct to do this iptables config in /etc/rc.local? (I'm a newbie in Linux.) Any advice?
Many thanks in advance; thanks to this forum I have learned a lot!
Server 10 (Debian VPN) - I don't want roadwarriors to be able to connect to it via SSH. (Not via 10.8.0.1 and not via the pushed route 172.16.1.10)
I don't understand what you mean by pushed route. Are there specific ports that you need roadwarriors to access? Or do you need them to be able to access any port but 22? In any case I won't answer it until I better understand your question.
You can learn a lot about the rules by reading the iptables man page. You'll also see what features are available for filtering. For instance...
Quote:
Originally Posted by laser_xf
Server 100 (Windows) - All OK. (maybe only needed rdp 3389 and rdp2 3390)
From the iptables man page note the -m option and the tcp/multiport modules:
Quote:
Code:
MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or
with the -m or --match options, followed by the matching module name; after these, various extra command line options become available,
depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options
after the module has been specified to receive help specific to that module.
Code:
multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two
ports. It can only be used in conjunction with -p tcp or -p udp.
[!] --source-ports,--sports port[,port|,port:port]...
Match if the source port is one of the given ports. The flag --sports is a convenient alias for this option. Multiple ports or
port ranges are separated using a comma, and a port range is specified using a colon. 53,1024:65535 would therefore match ports
53 and all from 1024 through 65535.
[!] --destination-ports,--dports port[,port|,port:port]...
Match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.
[!] --ports port[,port|,port:port]...
Match if either the source or destination ports are equal to one of the given ports.
Code:
tcp
These extensions can be used if `--protocol tcp' is specified. It provides the following options:
[!] --source-port,--sport port[:port]
Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format first:last. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the first port is greater than the second one they will be swapped. The flag --sport is a convenient alias for this option.
[!] --destination-port,--dport port[:port]
Destination port or port range specification. The flag --dport is a convenient alias for this option.
[!] --tcp-flags mask comp
Match when the TCP flags are as specified. The first argument mask is the flags which we should examine, written as a comma-separated list, and the second argument comp is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
[!] --syn
Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.
[!] --tcp-option number
Match if TCP option set.
So you can then form rules like the following (note I also added -p tcp to restrict to tcp protocol traffic only):
Code:
#Server 100 (Windows) - All OK. (maybe only needed rdp 3389 and rdp2 3390)
# multiport only works together with -p tcp or -p udp, so -p tcp is required here
iptables -A FORWARD -p tcp -i tun+ -d 172.16.1.100 -m multiport --dports 3389,3390 -j ACCEPT
#Server 200 (Windows) - Only have a webserver at port 80, can I drop all the other traffic from tun+ to it to prevent viewing shares from it?
iptables -A FORWARD -p tcp -i tun+ -d 172.16.1.200 -m tcp --dport 80 -j ACCEPT
Also note that "-m tcp" is redundant because, per the iptables man page, using "-p tcp" (a.k.a. "--protocol tcp") makes those options available automatically. I'm just being explicit as to which module the options are coming from. Also note, your RDP port rules are allowing both tcp and udp traffic.
Quote:
Originally Posted by sag47
I don't understand what you mean by pushed route. Are there specific ports that you need roadwarriors to access? Or do you need them to be able to access any port but 22? In any case I won't answer it until I better understand your question.
Yes, this is the reverse case: all ports open, but 22 closed for VPN users.
(Note that this seems not to be FORWARD traffic, because it is the OpenVPN server itself.)
Quote:
Originally Posted by sag47
From the iptables man page note the -m option and the tcp/multiport modules:
Yes, that is running perfectly with your options. Is it the same for UDP ports?
Quote:
Originally Posted by sag47
Also note, your RDP ports rules are allowing both tcp and udp traffic.
But not with the -p tcp modifier, no? RDP seems to only need 3389 TCP.
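Putting the whole thread together (the per-host FORWARD rules from sag47's post and the "no SSH to the OpenVPN box itself" case, which lives in INPUT rather than FORWARD), here is an added example script; it is not code from the thread. It assumes the addresses named in the thread (LAN 172.16.1.0/24 on eth0, VPN subnet 10.8.0.0/24 from the OP's MASQUERADE rule, Windows hosts .100 and .200, the Debian box at 172.16.1.10 / 10.8.0.1); the function names and the IPT dry-run prefix are my own. It replaces, rather than appends to, the OP's blanket `-A FORWARD -i tun+ -j ACCEPT`, which would otherwise match before any DROP.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: LAN 172.16.1.0/24 on eth0,
# VPN subnet 10.8.0.0/24 (the OP's MASQUERADE rule), Windows hosts .100 and .200,
# the Debian OpenVPN host itself at 172.16.1.10 / 10.8.0.1. Set IPT="echo iptables"
# (or run with --preview) to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF=eth0
VPN_NET=10.8.0.0/24

# Allow TCP from the tunnel to one LAN host on a comma-separated port list.
# multiport only works together with -p tcp or -p udp.
allow_tcp_from_vpn() {
    $IPT -A FORWARD -i tun+ -o "$LAN_IF" -p tcp -d "$1" -m multiport --dports "$2" -j ACCEPT
}

vpn_rules() {
    # Replies to connections the road warriors opened; nothing LAN-initiated.
    $IPT -A FORWARD -i "$LAN_IF" -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Server 100 (Windows): RDP only.
    allow_tcp_from_vpn 172.16.1.100 3389,3390
    # Server 200 (Windows): web only; SMB/shares stay unreachable.
    allow_tcp_from_vpn 172.16.1.200 80
    # Everything else tunnel -> LAN (PCs, printers, other ports) is dropped.
    # Only effective if the blanket "-A FORWARD -i tun+ -j ACCEPT" from the
    # original script is removed, since the first matching rule wins.
    $IPT -A FORWARD -i tun+ -o "$LAN_IF" -j DROP
    # The OpenVPN box itself is a local destination, so this is INPUT, not
    # FORWARD. It covers both 10.8.0.1 and the pushed route to 172.16.1.10.
    $IPT -A INPUT -i tun+ -p tcp --dport 22 -j DROP
    # Accept the rest of the tunnel traffic aimed at the box itself.
    $IPT -A INPUT -i tun+ -j ACCEPT
    # Hide VPN addresses behind eth0 so LAN hosts answer via this box even
    # though it is not their default gateway.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$VPN_NET" -j MASQUERADE
}

# Print the rules with a dry-run prefix instead of applying them.
preview_rules() {
    ( IPT="echo iptables"; vpn_rules )
}

case "${1:-}" in
    --preview) preview_rules ;;
    --apply)   vpn_rules ;;
esac
```

Run `sh vpn-rules.sh --preview` first and compare the printed rules with `iptables -L FORWARD -v -n` after applying; the packet counters on the DROP rule show whether road warriors are still reaching the rest of the LAN.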