LinuxQuestions.org
Old 03-05-2010, 10:28 AM   #1
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slack(64|32)_v(13.37|14.0), debian6, ubuntu
Posts: 632

Rep: Reputation: 36
iptables drop packets as invalid between 2 end-network connected through VPN


Hello everyone,
I am setting up a Linux box as router / firewall. Currently, I'm setting up the firewall on that machine.

The situation is:

There are 2 networks, the home network and the work network.

I am connecting the 2 with a VPN connection. The OpenVPN server is a PC in the home network.

The router / firewall Linux box is another PC in the home network, which I 'inserted' between the ISP modem and the internal switch of my home network.

I have managed to connect the VPN server in the home net to the VPN client at the work net, and so I can ping directly from the home net (192.168.0.0/24) to the work net (192.168.1.0/24) without using the VPN IP space at all (192.168.150.0/24), which is great.

I did however try to open a remote desktop connection from a home Windows PC to a work Windows PC and it didn't work. Checking the output with dmesg on the firewall Linux box, it says
Quote:
Invalid packet: IN=eth0 OUT=eth0 SRC=192.168.0.3 DST=192.168.1.107 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=35708 PROTO=TCP SPT=2016 DPT=3389 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Any ideas why the packet is considered invalid?

Last edited by nass; 03-05-2010 at 10:56 AM.
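The quoted log line carries the clue to the INVALID verdict. IN=eth0 OUT=eth0 indicates that the firewall received the packet on its LAN interface and forwarded it straight back out the same interface (the Windows client sends to the firewall as its gateway, and the firewall's route for 192.168.1.0/24 points at the OpenVPN server on that same LAN), and the packet carries ACK PSH with no SYN. The VPN server's replies to the client never cross the firewall, so conntrack on the firewall never saw the handshake and has no state for the flow; every mid-stream packet of it is therefore INVALID. The script below is an added example, not part of the post: a POSIX sh classifier for iptables LOG lines of this kind that flags the hairpin pattern. The first sample line is the one from the post; the other two are constructed.

```shell
#!/bin/sh
# Added example (not from the post): classify iptables LOG lines that were
# dropped as INVALID, separating the asymmetric-routing symptom from others.

# Extract the value of a KEY=value field from an iptables LOG line.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print a classification and the flow for one log line:
#   asymmetric-hairpin      no SYN and IN == OUT: forwarded back out the
#                           interface it arrived on; this box only sees one
#                           direction of the flow, so conntrack has no state
#   midstream-no-conntrack  no SYN, different interfaces: a flow this box has
#                           no state for (stale flow, scan, conntrack timeout)
#   other                   anything else, e.g. a SYN with bad flags/checksum
classify_log_line() {
    _line=$1
    _in=$(log_field "$_line" IN)
    _out=$(log_field "$_line" OUT)
    _src=$(log_field "$_line" SRC)
    _dst=$(log_field "$_line" DST)
    _syn=0
    case " $_line " in *" SYN "*) _syn=1 ;; esac
    if [ "$_syn" -eq 0 ] && [ -n "$_in" ] && [ "$_in" = "$_out" ]; then
        printf 'asymmetric-hairpin %s>%s via %s\n' "$_src" "$_dst" "$_in"
    elif [ "$_syn" -eq 0 ]; then
        printf 'midstream-no-conntrack %s>%s\n' "$_src" "$_dst"
    else
        printf 'other %s>%s\n' "$_src" "$_dst"
    fi
}

# Sample 1: the line quoted in the post.
POST_LINE='Invalid packet: IN=eth0 OUT=eth0 SRC=192.168.0.3 DST=192.168.1.107 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=35708 PROTO=TCP SPT=2016 DPT=3389 WINDOW=65535 RES=0x00 ACK PSH URGP=0'
# Sample 2 (constructed): a SYN from the ISP side that conntrack rejected.
SYN_LINE='Invalid packet: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0'
# Sample 3 (constructed): a stray ACK from the Internet with no tracked flow.
STRAY_LINE='Invalid packet: IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=777 PROTO=TCP SPT=443 DPT=50123 WINDOW=64240 RES=0x00 ACK URGP=0'

for l in "$POST_LINE" "$SYN_LINE" "$STRAY_LINE"; do
    classify_log_line "$l"
done
```

Run over a real log, the loop would be replaced by something like `grep 'Invalid packet:' /var/log/kern.log | while read -r l; do classify_log_line "$l"; done`; a steady stream of asymmetric-hairpin results between the two site subnets points at the routing layout rather than at hostile traffic.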
 
Old 03-05-2010, 10:56 AM   #2
nass
Original Poster
EDIT: my FORWARD chain looks like:

Quote:
echo "Process FORWARD chain ..."


$IPT -A FORWARD -p ALL -j bad_packets # this is where the problem occurs
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# traffic from (192.168.150.0/24) and from (192.168.1.0/24)
$IPT -A FORWARD -p tcp -s $VPN_NET -j ACCEPT
$IPT -A FORWARD -p tcp -s $WORK_NET -j ACCEPT

# to the listening port of the VPN server
$IPT -A FORWARD -p tcp --destination-port 1194 -j ACCEPT
$IPT -A FORWARD -p udp --destination-port 1194 -j ACCEPT
and the bad_packets chain contains the following relevant part:

Quote:
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
So I guess I could place the accept rule for the work_net traffic above the -j bad_packets redirection... but I'm not sure this is good practice....

Also, is there some big security hole in the FORWARD chain that I could do without??

Thank you for your help.
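One way to do the reordering considered in the post while keeping it narrow, as an added example that is not the poster's rule set. The site-to-site exemption matches the LAN interface on both sides and the two known subnets, rather than any packet with a work or VPN source address, and it is preceded by anti-spoofing drops on the ISP-facing interface: the post's "-s $VPN_NET -j ACCEPT" and "-s $WORK_NET -j ACCEPT" rules carry no -i restriction, so a packet arriving from the Internet that merely claims a private source would be accepted by them. The exemption only bypasses the INVALID check; the box still sees a single direction of those flows, so stateful matching cannot be applied to them, and the tcp_outbound/udp_outbound chains from the post are left out. Variable names follow the post; eth0 comes from the log line, and INET_IFACE=eth1 is an assumption. With IPT left at its default the commands are printed rather than applied, so the ordering can be inspected on any machine.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed interface layout: eth0 is
# the LAN (from the log line), eth1 the ISP side. IPT defaults to printing
# the iptables commands; set IPT=/sbin/iptables to apply them for real.
IPT="${IPT:-echo iptables}"
LOCAL_IFACE="${LOCAL_IFACE:-eth0}"
INET_IFACE="${INET_IFACE:-eth1}"
HOME_NET=192.168.0.0/24
WORK_NET=192.168.1.0/24
VPN_NET=192.168.150.0/24

forward_rules() {
    # Anti-spoofing first: the site and tunnel prefixes are private and can
    # never legitimately arrive on the ISP-facing interface. The tunnel's
    # own UDP/1194 packets carry the remote public address, not these.
    for net in "$HOME_NET" "$WORK_NET" "$VPN_NET"; do
        $IPT -A FORWARD -i "$INET_IFACE" -s "$net" -j DROP
    done

    # Site-to-site traffic that hairpins on the LAN (IN=eth0 OUT=eth0 in the
    # log) skips the INVALID check, but only between the two known subnets
    # and only on the LAN interface. The reverse direction normally stays on
    # the LAN and never reaches this box; the rule is harmless if it does.
    $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$LOCAL_IFACE" \
        -s "$HOME_NET" -d "$WORK_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$LOCAL_IFACE" \
        -s "$WORK_NET" -d "$HOME_NET" -j ACCEPT

    # Everything else still passes the INVALID log-and-drop chain.
    $IPT -A FORWARD -p ALL -j bad_packets

    # As in the post: LAN-originated traffic out, only replies to tracked
    # flows back in from the ISP side, and the OpenVPN port through the box.
    $IPT -A FORWARD -p ALL -i "$LOCAL_IFACE" -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp --destination-port 1194 -j ACCEPT
    $IPT -A FORWARD -p udp --destination-port 1194 -j ACCEPT
}

# 1-based position of the first emitted rule matching a pattern; only
# meaningful while IPT is left at the printing default.
rule_index() {
    forward_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

forward_rules
```

The ordering is the whole point: a rule that accepts before "-j bad_packets" is what lets the hairpinned RDP packets through, and a rule placed after it never sees them. The anti-spoofing drops sit ahead of the exemption so that the exemption can never be reached by traffic from the ISP side.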