LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 07-19-2005, 01:01 AM   #1
efm
Member
 
Registered: Apr 2005
Location: indonesia
Distribution: suse 10
Posts: 101

Rep: Reputation: 15
how to allow tun/tap device in firewall?


hello,
i'm using SUSE 9.3 with the firewall enabled.
openvpn connects successfully, but the two sides can't ping each other, except
when i stop the firewall on each computer.
i want to know how to open the tap/tun device in the firewall to solve this.
or do any of you have another solution?

thank you very much
 
Old 07-19-2005, 09:15 AM   #2
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 32
simply allow anything from the subnet you use for openvpn
i.e.: openvpn will hand out 10.0.5.x addresses
add on the client / server
Code:
iptables -A INPUT -s 10.0.5.0/255.255.255.0 -j ACCEPT
on any routers in between
Code:
iptables -A FORWARD -s 10.0.5.0/255.255.255.0 -j ACCEPT
if the OUTPUT chain of the PCs is restricted, add a rule there too

once that works you can start restricting, i.e. DROP certain ports, etc.


you could also post your iptables here for us to help you somewhat better.
 
Old 07-19-2005, 09:57 PM   #3
efm
Original Poster
hi, thanks for the reply
i did something about it yesterday, but i think it's not the right solution, because now i see the summary
of the firewall says "internal network is not protected". what i did yesterday was:

in the SuSEfirewall2-custom file, i added the lines:
Code:
fw_custom_before_denyall() {
  # accept everything arriving over the VPN tunnel, both for this host and for forwarding
  iptables -A INPUT -i tun0 -j ACCEPT
  iptables -A FORWARD -i tun0 -j ACCEPT
  true
}
and in the SuSEfirewall2 file, i added the lines
Code:
FW_ROUTE="yes"                          # yes/no switch: let the firewall route between its zones
FW_DEV_INT="tun0"                       # treat the VPN tunnel as the internal zone
FW_FORWARD="192.168.3.1,192.168.2.4"    # source,destination pairs allowed through FORWARD
the VPN connection is up, and i can ping each side now,
but i'm afraid that this leaves a security hole in the firewall

i will try your suggestion, and thank you for that,
btw, do you know more about openvpn?
 
Old 07-19-2005, 10:00 PM   #4
efm
Original Poster
btw,
you want me to post the iptables list here;
how can i do that? i mean, i don't know the command to do that,
thanks
 
Old 07-20-2005, 04:51 AM   #5
Nathanael
iptables -L
or
iptables-save

about openvpn - i use it on a daily basis

Last edited by Nathanael; 07-20-2005 at 04:53 AM.
 
Old 07-20-2005, 06:13 AM   #6
efm
Original Poster
hi, thanks for the reply,
the iptables output seems so large, but here it is:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
input_int  all  --  anywhere             anywhere            
input_ext  all  --  anywhere             anywhere            
input_ext  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET ' 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
forward_int  all  --  anywhere             anywhere            
forward_ext  all  --  anywhere             anywhere            
forward_ext  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING ' 
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' 

Chain forward_ext (2 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT ' 
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT ' 
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT ' 
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV ' 
DROP       all  --  anywhere             anywhere            

Chain forward_int (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT ' 
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT ' 
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT ' 
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV ' 
DROP       all  --  anywhere             anywhere            

Chain input_ext (2 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:netbios-ns 
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast 
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable 
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:pop3 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:http-alt flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http-alt 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-dgm flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-ns flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ns 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:pop3 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:smtp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http-alt 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' 
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' 
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' 
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV ' 
DROP       all  --  anywhere             anywhere            

Chain input_int (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain reject_func (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable
well, i have so much to ask about openvpn. at first i used openvpn on windows, but then i came to
hate windows, so i have to use linux.
 
Old 07-20-2005, 06:57 AM   #7
Nathanael
you need to allow traffic from tap0/tun0 depending on what you are using
or allow the subnets.

you could send me your iptables-save -t filter

also: i personally would advise you to use iptables directly rather than a GUI, since this will give you a lot more understanding of what is going on, and how your firewall works (only in case you are up for that)
read: http://iptables-tutorial.frozentux.n...-tutorial.html

also: you can clear out your firewall, and slowly add things in again; this would tell you which rules need adding/moving/modifying
 
Old 07-20-2005, 07:12 AM   #8
efm
Original Poster
hi, this is my iptables-save -t list,
i still can't figure out what this is all about

Code:
# Generated by iptables-save v1.3.1 on Wed Jul 20 18:10:42 2005
*mangle
:PREROUTING ACCEPT [721770:403842044]
:INPUT ACCEPT [716014:403408602]
:FORWARD ACCEPT [5358:376924]
:OUTPUT ACCEPT [762006:466980515]
:POSTROUTING ACCEPT [757577:466591676]
COMMIT
# Completed on Wed Jul 20 18:10:42 2005
# Generated by iptables-save v1.3.1 on Wed Jul 20 18:10:42 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1218:106649]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j input_int
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -j forward_int
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 110 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 25 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 445 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 138 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 138 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 137 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 137 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -p udp -m udp --dport 110 -j ACCEPT
-A input_ext -p udp -m udp --dport 25 -j ACCEPT
-A input_ext -p udp -m udp --dport 80 -j ACCEPT
-A input_ext -p udp -m udp --dport 8080 -j ACCEPT
-A input_ext -p udp -m udp --dport 137 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Jul 20 18:10:42 2005
# Generated by iptables-save v1.3.1 on Wed Jul 20 18:10:42 2005
*nat
:PREROUTING ACCEPT [65643:6463214]
:POSTROUTING ACCEPT [15544:991065]
:OUTPUT ACCEPT [15544:991065]
COMMIT
# Completed on Wed Jul 20 18:10:42 2005
btw, i used the firewall GUI to set up the firewall and the tun0 device, but in the summary it
states that the device was not found or something,
thanks again
 
Old 07-20-2005, 07:47 AM   #9
Nathanael
that is your firewall, man! reading your rules can solve the prob.
i take it these are your client rules, right?
could you tell me what version of openvpn you are running, if you are using tun adapters or tap adapters, and
the port openvpn is using, and the protocol?

for this you can look in your openvpn config file for
1. port
2. proto
3. dev

also perhaps you could post the following from your server

iptables-save -t filter
 
Old 07-21-2005, 03:39 AM   #10
efm
Original Poster
hi,
wow, you're really fast, and yes, that was from the client

i'm using openvpn 2.0, and i installed it by doing rpmbuild first

port 1194
proto udp
dev tun

btw, i did something to the server.conf file (i post it below too), and now i can ping the server's internal
ip. almost forgot: the client internal LAN is 192.168.2.0/255.255.255.0, the server internal LAN is
192.168.1.0/255.255.255.0. when connected, there will be a new ip for tun0 on the server, which is 192.168.3.1,
and for the client 192.168.3.6 (stated in server.conf and client.conf).
right now, the client can ping the server's internal ip (192.168.1.4) but the server cannot ping the client's
internal ip (192.168.2.4), and the manual says that i have to enable ip forwarding so the LAN behind the client can
access the LAN behind the server and vice versa, but i don't know how to enable ip forwarding

server.conf
Code:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
client.conf
Code:
client
dev tun
proto udp
remote 222.124.84.21 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client1.crt
key /etc/openvpn/easy-rsa/keys/client1.key
ns-cert-type server
comp-lzo
verb 3
the iptables-save from server:
Code:
# Generated by iptables-save v1.3.1 on Thu Jul 21 14:38:39 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [108:9240]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j input_int
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -j forward_int
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 10000 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1194 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1194 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 26 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 26 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5050 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5050 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5801 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5801 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5901 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5901 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 110 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -p udp -m udp --dport 10000 -j ACCEPT
-A input_ext -p udp -m udp --dport 1194 -j ACCEPT
-A input_ext -p udp -m udp --dport 26 -j ACCEPT
-A input_ext -p udp -m udp --dport 5050 -j ACCEPT
-A input_ext -p udp -m udp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Jul 21 14:38:40 2005
btw, if I want to change any of the above firewall settings, which file must I edit?

thank you for your help
 
Old 07-21-2005, 05:19 AM   #11
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 32
on server: you can kick out the line for tcp traffic on port 1194; this is not needed since your ovpn server is listening on the udp protocol.
i would set openvpn to use the tap adapter
just change tun to tap in both config files
you enable ipforwarding by
echo 1 > /proc/sys/net/ipv4/ip_forward
disable ipforwarding by replacing the 1 with a 0 (zero)

you need rules in your forwarding table which allow traffic between eth0, eth1 AND tun0 (or, if you should change from tun to tap, you need rules to allow traffic between eth0, eth1 and tap0)

seriously, read this document (pick the topics you want to read) and run the stuff yourself
http://iptables-tutorial.frozentux....s-tutorial.html
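The forwarding rules described in the post above, generated for an arbitrary list of interfaces, as an added example that is not part of this thread or of SuSEfirewall2. The interface names (eth0, eth1, tun0), the "FWD-DROP " log prefix and the helper names are assumptions; the functions print the iptables commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): build FORWARD rules for a set of
# interfaces, e.g. eth0 eth1 tun0 (or tap0 after switching tun -> tap).
# Nothing here touches the live firewall; output is printed for review.

# Print one ACCEPT rule for every ordered pair of distinct interfaces.
# Return traffic is admitted once by the ESTABLISHED,RELATED rule placed
# first, so the per-pair rules only need to admit NEW connections.
# Anything not matched is logged (rate-limited, as SuSEfirewall2 does)
# and then dropped.
vpn_forward_rules() {
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for in_if in "$@"; do
        for out_if in "$@"; do
            [ "$in_if" = "$out_if" ] && continue
            printf 'iptables -A FORWARD -i %s -o %s -m state --state NEW -j ACCEPT\n' \
                "$in_if" "$out_if"
        done
    done
    echo 'iptables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FWD-DROP "'
    echo 'iptables -A FORWARD -j DROP'
}

# Tighter variant: connections may only be opened from the LAN side ($1)
# towards the VPN side ($2); VPN peers get replies but cannot initiate.
lan_to_vpn_only() {
    lan_if=$1
    vpn_if=$2
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf 'iptables -A FORWARD -i %s -o %s -m state --state NEW -j ACCEPT\n' \
        "$lan_if" "$vpn_if"
    echo 'iptables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FWD-DROP "'
    echo 'iptables -A FORWARD -j DROP'
}

# Number of per-pair NEW rules in the generated set (n interfaces -> n*(n-1)).
vpn_forward_pair_count() {
    vpn_forward_rules "$@" | grep -c -- '--state NEW'
}

# Report whether the kernel currently forwards IPv4 (1) or not (0);
# prints "unknown" where /proc/sys is not readable.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Usage (review first, then apply as root):
#   vpn_forward_rules eth0 eth1 tun0
#   vpn_forward_rules eth0 eth1 tun0 | sh
```

With three interfaces the symmetric generator emits six pair rules, which is what the post asks for; lan_to_vpn_only is the shape to use once the tunnel works and you start restricting, since it keeps VPN clients from opening connections into the LAN while replies still flow back.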
 
Old 07-21-2005, 09:30 PM   #12
efm
Member
 
Registered: Apr 2005
Location: indonesia
Distribution: suse 10
Posts: 101

Original Poster
Rep: Reputation: 15
hi,
i changed the configuration in server.conf and client.conf according to your
suggestion, and i will try it right away.
btw, from the openvpn manual, it says that to use bridging, i have to
"bridge" eth0 and tap0. i don't understand about this in linux, as in windows
it's so easy, but, no more windows.
thanks,
 
Old 07-22-2005, 05:47 AM   #13
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 32
bridging and routing are 2 different things
when you bridge, you are basically making a switch
eth0 and tap0 do not have the addresses anymore, but the bridge (this device is then called br0) will have one address.
how it works is really simple and easy to get your head around.

i have used both, bridging and routing, in an openvpn environment
successfully
 