I have got openvpn running on my system with certificates and open to the IP addresses 17.xx.xx.x on the server.
What should I definitely block off from the system so that anyone using the VPN cannot gain access and how should I go about this in the firewall?
I'm guessing to block off intranet access to the webserver.
I have mysql and some mail programs running as well - how can I block those off?
I'm sorry, I don't understand what you are trying to do here. You set up the VPN for what? Who are the clients using it and what do you want the clients to use?
When you answer this question of mine, you've also answered your own - you should block everything else - everything you don't want your users to access.
True, it was more about how to go about blocking them, ie the VPN gives clients a 17.x.x.x address, do I block those and do I block ports or what?
The VPN is for clients to connect through so that they get the VPN IP address and can access email from their client, go out to the internet, etc. - it is not a VPN in the typical sense that they are using it to access network folders on the VPN server.
I don't want the client accessing anything on the server at all...just the ability to transmit traffic through it so that the destination websites or servers think they have a different IP much like a proxy server does.
So, do I simply block off access from 17.x.x.x to the localhost network?
I can't block access from 17.x.x.x to the server IP 88.xxx.xxx.xxx because then they couldn't access anything.
I don't want the client accessing anything on the server at all...just the ability to transmit traffic through it
Right. When the client is connected to the VPN, he is just connected to a network. A virtual network to be precise. He is not really "on the server" in the sense that he would be allowed to read the server's filesystem or execute any processes.
You need to configure the server to give this "virtual network" special rights e.g. NAT connections from the virtual network so they appear as coming from the server and so on.
I don't think that there is anything to block. You are just allowing more permissions to this virtual network than to the "internet" network. What you don't allow will be blocked by default as is blocked for the "internet" network.
Or am I missing something? Can you give me a specific example of what you would like to block?
Ok.
Let me list the current iptables to give an idea of what is currently blocked and accessible.
The VPN is the tun/tap
Quote:
# Generated by iptables-save v1.3.5 on Sun Feb 7 17:25:26 2010
*nat
:PREROUTING ACCEPT [181621:12525161]
:POSTROUTING ACCEPT [173692:10586243]
:OUTPUT ACCEPT [173691:10586203]
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Feb 7 17:25:26 2010
# Generated by iptables-save v1.3.5 on Sun Feb 7 17:25:26 2010
*filter
:INPUT DROP [142804:10450541]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [484:47207]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d 88.xxx.xxx.xx9 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx9 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx9 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx9 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx8 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx8 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx8 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx8 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d 88.xxx.xxx.xx8 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A OUTPUT -d 88.xxx.xxx.xx9 -p tcp -m tcp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -d 88.xxx.xxx.xx9 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -s 88.xxx.xxx.xx8 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
I also have some routing setup, the 17.x addresses are the VPN network:
Basically, I just want to ensure that the VPN client has no ability to access the localhost services such as mysql, httpd, postfix, etc.
I realise they will not have command line access to these resources but there might be some localhost things on the webserver like squid cache manager access that they should not have access to. I guess the mysql doesn't matter as it still needs password access.
If the service is listening on the localhost interface (127.0.0.1), they will not have access (such as squid cache mgr).
If the service is listening on all interfaces (such as httpd, postfix) they will have access, the same access as anyone on the internet - e.g. they will be able to look at your public web-site and send you e-mail.
If I were you, I would write a list of all services (start with output of 'netstat -tlpn') and decide whether you want to allow access or not. And update your firewall script accordingly (the lines that are currently -i tun+ -j ACCEPT)
Sounds fair?
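The inventory step in the answer above, as an added example (not code from the thread or from any poster): it parses the text that `netstat -tlpn` prints and splits the listeners into "bound to loopback" (a tun/tap client cannot reach these even while `-i tun+ -j ACCEPT` is in place) and "bound to all interfaces or a specific address" (reachable, so each needs a deliberate allow-or-drop decision). The sample output, its PIDs and the exact port set are constructed for the example, modelled on the services named in the thread.

```python
"""Triage listening TCP services on a VPN server from `netstat -tlpn` output.

Added example, not from the thread. The sample listing below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -tlpn` output (PIDs and ports made up for the
# example), modelled on the services the thread mentions.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1201/portmap
tcp        0      0 127.0.0.1:3128              0.0.0.0:*                   LISTEN      1377/squid
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1402/mysqld
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      1455/master
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1302/cupsd
tcp        0      0 0.0.0.0:1057                0.0.0.0:*                   LISTEN      1210/sshd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1500/httpd
tcp        0      0 :::80                       :::*                        LISTEN      1500/httpd
"""

# One LISTEN line: proto, two queue counters, local address, foreign address,
# the word LISTEN, then pid/program.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int
    program: str

    @property
    def scope(self) -> str:
        """Where the socket is bound: loopback, every interface, or one address."""
        if self.host in ("127.0.0.1", "::1") or self.host.startswith("127."):
            return "loopback"
        if self.host in ("0.0.0.0", "::"):
            return "all-interfaces"
        return "specific"


def parse_netstat(text: str) -> list[Listener]:
    """Turn `netstat -tlpn` output into Listener records, skipping header lines."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, program = m.groups()
        # rpartition handles ":::80" as well as "127.0.0.1:3128".
        host, _, port = local.rpartition(":")
        listeners.append(Listener(proto, host, int(port), program))
    return listeners


def loopback_only(listeners: list[Listener]) -> list[int]:
    """Ports a tun/tap client cannot reach regardless of the tun+ ACCEPT rule."""
    return sorted({l.port for l in listeners if l.scope == "loopback"})


def vpn_reachable(listeners: list[Listener]) -> list[int]:
    """Ports exposed to VPN clients while INPUT carries `-i tun+ -j ACCEPT`.

    Each of these needs an explicit decision (an ACCEPT rule for VPN users, or
    nothing, so the chain's DROP policy applies) once the blanket rule goes.
    """
    return sorted({l.port for l in listeners if l.scope != "loopback"})


if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT)
    for l in found:
        print(f"{l.proto:5} {l.host:>10}:{l.port:<6} {l.program:15} {l.scope}")
    print("loopback only    :", loopback_only(found))
    print("reachable via VPN:", vpn_reachable(found))
```

To use it on a live box, replace `SAMPLE_NETSTAT` with the real `netstat -tlpn` output. Two caveats: `-t` lists TCP only, so UDP listeners (portmap and named both have them) need a second pass with `-u`, and `ss -tlpn` prints a different column layout, so the regex would need adjusting for it.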
These are the current services.
I don't mind them sending me email, just that I want to stop a spammer accessing the VPN and using the email server to send junk.
These are the current connections:
I don't mind them sending me email, just that I want to stop a spammer accessing the VPN and using the email server to send junk.
They will not unless you add the 172.16.0.0/24 network to postfix "mynetworks" list.
Quote:
Originally Posted by qwertyjjj
So I would add a line blocking the ports?
so if source was 172.16.x.x.x DENY to port 3306 (mysql)?
The guys over at the security forum wouldn't approve
Don't specifically block individual ports and allow everything else. Rather allow what you need allowed and block everything else.
So instead of
Code:
-A INPUT -i tun+ -j ACCEPT
put something like
Code:
-A INPUT -i tun+ -p tcp -m tcp --dport 12345 -j ACCEPT
for each service you need allowed for the VPN users in addition to what is already allowed for the internet network. Everything else will be filtered as if it came from the untrusted internet.
The lines
Code:
-A FORWARD -i tun+ -j ACCEPT
will still allow the desired "NAT" effect - e.g. packets from the VPN will be routed through your server.
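The difference between the two rule styles, as an added example (not code from the thread or from any poster): a small model of netfilter's first-match walk through the tun+ rules of the INPUT chain, run over both the "drop a few ports, accept the rest" list posted later in the thread and the per-service allowlist this answer recommends. Only the tun+ rules are modelled; the rest of the real INPUT chain (lo, ESTABLISHED, the interface-independent accepts for 53, 80, 123 and so on) is left out, so the verdicts are what the tun+ rules alone decide. Which ports the allowlist contains, and the probe port 32768, are assumptions for the example.

```python
"""First-match walk of the tun+ INPUT rules: blocklist versus allowlist.

Added example, not from the thread. Models only the tun+ rules.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # incoming interface, e.g. "tun0"
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None   # "-i tun+" style; a trailing "+" is a prefix wildcard
    proto: Optional[str] = None      # "-p tcp" / "-p udp"
    dport: Optional[int] = None      # "--dport N"

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None:
            if self.in_iface.endswith("+"):
                if not pkt.iface.startswith(self.in_iface[:-1]):
                    return False
            elif pkt.iface != self.in_iface:
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def verdict(chain: list[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The "drop 3306, 843, 111, 5555, then -i tun+ -j ACCEPT" set posted later in the thread.
BLOCKLIST = [
    Rule("DROP", "tun+", "tcp", 3306),
    Rule("DROP", "tun+", "tcp", 843),
    Rule("DROP", "tun+", "tcp", 111),
    Rule("DROP", "tun+", "tcp", 5555),
    Rule("ACCEPT", "tun+"),
]

# The allowlist style from the answer: one ACCEPT per service VPN users need;
# everything else falls through to the chain's DROP policy. The port set is an
# assumption for the example; 25 stands in for "let them send mail".
VPN_ALLOWED_TCP_PORTS = (25,)
ALLOWLIST = [Rule("ACCEPT", "tun+", "tcp", p) for p in VPN_ALLOWED_TCP_PORTS]

POLICY = "DROP"   # `:INPUT DROP` in the posted iptables-save

# Constructed probe set: ports from the thread plus a made-up dynamic RPC port
# (32768) standing in for "a service nobody thought to list".
PROBE_PORTS = (25, 111, 631, 3306, 32768)


def exposed_tcp_ports(chain: list[Rule], ports=PROBE_PORTS, iface="tun0") -> list[int]:
    """Ports on which a TCP SYN arriving from the VPN side reaches ACCEPT."""
    return [p for p in ports if verdict(chain, POLICY, Packet(iface, "tcp", p)) == "ACCEPT"]


if __name__ == "__main__":
    print("blocklist exposes :", exposed_tcp_ports(BLOCKLIST))
    print("allowlist exposes :", exposed_tcp_ports(ALLOWLIST))
    # The DROP rules carry `-p tcp`, so a UDP datagram to 111 (portmap listens
    # on UDP too) does not match them and hits the blanket ACCEPT instead.
    print("udp/111 blocklist :", verdict(BLOCKLIST, POLICY, Packet("tun0", "udp", 111)))
    print("udp/111 allowlist :", verdict(ALLOWLIST, POLICY, Packet("tun0", "udp", 111)))
    # A packet on eth0 never matches a -i tun+ rule at all.
    print("eth0 tcp/25       :", verdict(ALLOWLIST, POLICY, Packet("eth0", "tcp", 25)))
```

The two results that matter: under the blocklist every port nobody named (the cupsd port, the made-up RPC port) is accepted, and the TCP-only DROP rules let UDP through to the blanket ACCEPT; under the allowlist a new or forgotten service is dropped by the chain policy until someone adds a rule for it, which is the point the answer is making.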
Don't specifically block individual ports and allow everything else. Rather allow what you need allowed and block everything else.
That's partially the problem with VPNs and allowing clients running programs on their computers.
They might have a bit of MSN messenger, some random program using port 1023456 blah blah
You almost have to allow everything and only block what you know.
So, could I do this in a kind of non-approving security way because I need to have most ports open:
-A INPUT -i tun+ -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -i tun+ -p tcp -m tcp --dport 843 -j DROP
-A INPUT -i tun+ -p tcp -m tcp --dport 111 -j DROP
-A INPUT -i tun+ -p tcp -m tcp --dport 5555 -j DROP
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
While I'm at this, do I really need these services running?
rpc.statd
portmap
python
cupsd
master
Also, I have sshd open to the internet but blocked using a pseudo flood protection:
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
In the iptables script above, if someone logged into the VPN, would this bypass the flood protection?