LinuxQuestions.org, Linux - Networking forum
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 06-14-2011, 02:32 AM   #1
BlackHawk (Distribution: Fedora 14)
configuring openvpn with iptables rules (internet connection freezes when tun0 is up)


Hello everyone. First I would like to apologize, because I feel like I am almost spamming the forum, so please forgive me.

I wanted to see how I could basically open my VPN to outside users to get hosting experience. I realized that I could do this with port forwarding, OpenVPN, and NAT with iptables rules. So the first thing I did was configure OpenVPN, and let me tell you, it took more than a smile to get that thing configured (I hope I have it configured right). After running OpenVPN, here is my ifconfig output:

Code:
em1       Link encap:Ethernet  HWaddr 00:11:85:7D:00:65  
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:85ff:fe7d:65/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3172035 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1476578 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3554149299 (3.3 GiB)  TX bytes:136854094 (130.5 MiB)
          Interrupt:20 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:60689 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:7246717 (6.9 MiB)  TX bytes:7246717 (6.9 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.1.1  P-t-P:192.168.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Okay, now I hope I have that configured right; if anyone sees anything wrong with it, please let me know. Oh, and if you need to see any options configured in /etc/openvpn/server.conf, I will be happy to get them for you.

Okay, well, next I know that I need NAT rules with iptables, because what I want is for tun0 to have full access with INPUT/OUTPUT/FORWARD, and what I want is to have my public IP address from my ISP routed back to my Linux box. I don't know if it's supposed to go to em1 or tun0?

Here is my iptables script:

Code:
#!/bin/bash

###### TURN ON IP FORWARDING (needed before any routing/NAT) ########
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -v -F;
iptables -F -t mangle
iptables -F -t nat;
iptables -v -A INPUT -i lo -j ACCEPT;

# iptables -A PREROUTING -t nat -i em1 -p tcp --dport 80 -j DNAT --to 192.168.1.3:80
# iptables -t nat -A POSTROUTING -s 192.168.1.3 -j SNAT --to 173.XX.XXX.XXX (my public ip)
# iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE

# iptables -A INPUT -i tun0 -j ACCEPT
# iptables -A OUTPUT -o tun0 -j ACCEPT
# iptables -A FORWARD -i tun0 -j ACCEPT
# iptables -I FORWARD -i em1 -o tun0 -j ACCEPT
# iptables -I FORWARD -i tun0 -o em1 -j ACCEPT

########### BASIC RULE SET #############
iptables -v -P INPUT DROP # Default Policy DROP
# iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "ACCEPT"
iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; # ACCEPT ESTABLISHED
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i em1 -j ACCEPT
iptables -A INPUT -i em1 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW SSL
iptables -A INPUT -i em1 -p tcp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT #ALLOW OPENVPN 

########## CONNECTION LIMIT LOG/DROP ############
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j LOG --log-level 4 --log-prefix "LIMIT:"
iptables -A INPUT -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

###########  DROP SPOOFED PACKETS  ###############
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j LOG --log-level 4 --log-prefix "SPOOF PACKETS:"
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

########### LOG/DROP NEW CONNECTIONS ##############
# iptables -A INPUT -p tcp -m state --state NEW -j LOG # LOG NEW TCP CONNECTIONS
# iptables -A INPUT -p tcp -m state --state NEW -j DROP # BLOCK NEW TCP CONNECTIONS

######### LOG/DROP FTP SSH AND SENDMAIL ############
iptables -v -A INPUT -p tcp -s 0/0 --dport 21 -j LOG # LOG FTP ATTEMPTS
iptables -v -A INPUT -p tcp -s 0/0 --dport 21 -j REJECT --reject-with tcp-reset # RESET FTP 
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j LOG # LOG SSH ATTEMPTS
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j DROP # BLOCK SSH
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j LOG # LOG SENDMAIL
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j DROP # BLOCK SENDMAIL

########### INPUT THAT IS NEEDED  #################
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 80 --state NEW -j ACCEPT; # HTTP
iptables -v -A INPUT -m state -m udp --proto udp --dport 53 --state NEW -j ACCEPT; # DNS
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 53 --state NEW -j ACCEPT; # DNS

########### BLOCK SYN FLOOD ######################
iptables -A INPUT -i em1 -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "SYN DROP:"
iptables -A INPUT -i em1 -p tcp ! --syn -m state --state NEW -j DROP

########### DENY FRAGMENT PACKETS ###############
iptables -A INPUT -i em1 -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FRAG DROP:"
iptables -A INPUT -i em1 -f -j DROP

########### DROPS BAD PACKETS ###############
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL ALL -j DROP

iptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

iptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FIN DROP:"
iptables -A INPUT -i em1 -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

iptables -A INPUT -i em1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

########### LIMIT PING ATTEMPTS ###################
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

########### BLOCK CERTAIN ICMP  ###################
iptables -v -A INPUT -p icmp -j ACCEPT # ACCEPT ICMP PACKETS
iptables -v -A INPUT -p icmp --icmp-type echo-request -j DROP # BLOCK ICMP ECHO

########## BLOCK INVALID ICMP #####################
iptables -v -A INPUT -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -v -A FORWARD -i em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -A OUTPUT -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP
iptables -A FORWARD -o em1 -m state -p icmp --state INVALID -j DROP # BLOCK INVALID ICMP

############ BLOCK STEALTH SCAN ###################
iptables -N st_scan # STEALTH SCAN CHAIN
iptables -A st_scan -p tcp --tcp-flags SYN,FIN,RST,ACK RST,ACK -j RETURN # BLOCK STEALTH SCAN
iptables -A st_scan -j LOG --log-level 4 --log-prefix "STEALTH SCAN:" # LOG STEALTH SCAN
iptables -A st_scan -j DROP # DROP STEALTH SCAN


########## PORTSCAN RULE SETUP  ###################
iptables -N port-scan # BEGIN PORTSCAN RULES
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN #BLOCK PSCAN
iptables -A port-scan -j LOG --log-level 4 --log-prefix "PORT SCAN:" # LOG PORT SCAN
iptables -A port-scan -j DROP # DROP PORT SCAN


########## LOG ALL DROPPED PACKETS #################
iptables -N logdrop
iptables -A logdrop -j LOG --log-level 4 --log-prefix "DROPPED:" # LOG DROPPED PACKETS
iptables -A logdrop -j DROP


iptables -v -A INPUT -j REJECT; # REJECT EVERYTHING ELSE


######## OUTPUT FOR SERVICES NEEDED ########

iptables -v -P OUTPUT ACCEPT # Default Policy Accept
iptables -v -A OUTPUT -o lo -j ACCEPT;
iptables -v -A OUTPUT -o em1 -j ACCEPT;
iptables -v -A OUTPUT -m tcp --proto tcp --dport 80 -j ACCEPT; # HTTP
iptables -v -A OUTPUT -m tcp --proto tcp --dport 443 -j ACCEPT; # HTTPS
iptables -v -A OUTPUT -m tcp --proto tcp --dport 445 -j ACCEPT; # SMB
iptables -v -A OUTPUT -m tcp --proto tcp --dport 53 -j ACCEPT; # DNS
iptables -v -A OUTPUT -m udp --proto udp --dport 53 -j ACCEPT; # DNS
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5222 -j ACCEPT; #Google Talk or Jabber
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5050 -j ACCEPT; #Yahoo
iptables -v -A OUTPUT -m tcp --proto tcp --dport 6667 -j ACCEPT; #IRC
iptables -v -A OUTPUT -m tcp --proto tcp --dport 7777 -j ACCEPT; #Jabber file Transfers
iptables -A OUTPUT -o em1 -p tcp --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR
iptables -v -A OUTPUT -j REJECT;


######### DEFAULT DROPS #######

iptables -v -P FORWARD DROP # Default Policy DROP
iptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --set
iptables -A FORWARD -p tcp -i em1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT # SYN FLOOD PROTECT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # DEATH BY PING
iptables -A FORWARD -p tcp -i em1 --dport 31337 --sport 31337 -j DROP # BLOCK BACKDOOR
iptables -v -A FORWARD -j REJECT; # DEFAULT REJECT


######### IPTABLES SAVE ##################

iptables-save > /tmp/iptables;

iptables-restore < /tmp/iptables;

/etc/init.d/iptables save
Again, please forgive me for the large output; I wanted to post my whole iptables script just in case I have a problem that is blocking a certain service. Here is the problem: when I run OpenVPN, my internet connection freezes up, and I know it's because I need to add certain iptables rules. I am just not sure which ones; I don't have much experience with NAT.

The NAT rules you see commented out at the beginning of the iptables script: I tried those rules, however the connection still froze, so I am lost about where to go from here. If anyone has any input I would really appreciate it.

Also, if I want my public IP address to go to my Fedora Linux box, do I have it point to em1 or tun0, or how would I go about doing it?

For right now I only want port 80 to be unfiltered until I get things better organized. What I am looking for is that when people go to http://mypublicip it gets routed back to my Fedora Linux box.

NOTE: The other thing that I did notice is that for OpenVPN, the server.conf file says that OpenVPN should be running on port 1194, and when I ran nmap on my system it didn't come up, but tun0 still showed up in my ifconfig output... (just a thought)

If you need any more info from me I will be happy to supply it.

Again, thank you all for your time and help.

Last edited by BlackHawk; 06-14-2011 at 02:39 AM.
 
Old 06-14-2011, 03:29 AM   #2
ambrop7 (Distribution: Gentoo)
Your subnets for em1 and tun0 overlap; they should not. Use a different subnet for tun0 (e.g. 192.168.2.0/24). That means, for example, tun0 should have 192.168.2.1/24, and a VPN client should have 192.168.2.2/24. (I'm not sure if this is actually a problem - but it really makes more sense to have the VPN in its own network.)

First get rid of all the filtering rules. Never try to setup the whole thing in one shot - it won't work, and it will be hard to see which part is problematic.

Then make sure the VPN link itself works (ping a VPN client from the server, or the other way around).

Then, to allow VPN clients to access the local network and the Internet (assuming no other relevant rules are already present):

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -i tun0 -o em0 -j MASQUERADE

This should work right away. Be aware that the iptables command above will use NAT when VPN clients access the Internet or the local network. This means that they cannot be identified from within the local network (any traffic will originate from the VPN server's local IP). If you don't want that, do not issue that iptables command above, and instead add a route to your router (Internet gateway) for the VPN subnet (e.g. if it was a Linux router: route add -net 192.168.2.0/24 gw 192.168.1.3).

Now you have a baseline and you can play with filtering.
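The subnet overlap pointed out above is worth checking mechanically before OpenVPN is started, because in the first ifconfig output tun0 took 192.168.1.1 inside em1's own 192.168.1.0/24, and OpenVPN also adds a route for the whole `server` subnet over tun0. The following is an added example, not code from the thread: a POSIX sh check (no ipcalc needed) that tests whether a candidate VPN subnet collides with the LAN subnet. The LAN address is the one posted above; 10.8.0.0/24 is the subnet the OpenVPN sample server config uses, included as a comparison.

```shell
#!/bin/sh
# Does a candidate OpenVPN "server NET MASK" subnet collide with the LAN
# subnet of the server's NIC? Added example, not from the thread.
# Addresses: em1 = 192.168.1.3/24 (posted above); 10.8.0.0/24 is the
# OpenVPN sample config default.

# dotted quad -> unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap ADDR1 MASK1 ADDR2 MASK2   (masks in dotted form)
# Two prefixes overlap exactly when both addresses agree under the shorter
# of the two masks (the shorter prefix is the smaller integer value).
# Exit status 0 = overlap, 1 = disjoint.
subnets_overlap() {
    m1=$(ip2int "$2"); m2=$(ip2int "$4")
    if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# A tun0 subnet inside the LAN subnet makes the box claim a LAN address for
# itself and adds a second, competing route for the LAN prefix over tun0;
# that is the "internet freezes when tun0 is up" symptom in the first post.
for net in 192.168.1.0 192.168.2.0 10.8.0.0; do
    if subnets_overlap 192.168.1.3 255.255.255.0 "$net" 255.255.255.0; then
        echo "$net/24: OVERLAPS LAN 192.168.1.0/24, pick another subnet for tun0"
    else
        echo "$net/24: disjoint from the LAN, usable for tun0"
    fi
done
```

Feed it the `server` line from server.conf and the address/mask from `ifconfig em1`; the check works for any mask lengths, not only /24, since it compares under the shorter prefix.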
 
Old 06-14-2011, 01:28 PM   #3
BlackHawk (Original Poster, Distribution: Fedora 14)
Hey ambrop7, thank you so much for your reply. I took your advice and tried moving tun0 over to 192.168.2.1 (em1 is on 192.168.1.3); however, whenever I try running the OpenVPN service my internet connection just freezes. I tried only using the iptables rules that you placed above; however, when I run the command I get an error (oh, I caught the em0; I changed it to em1).

When I run the command I get this:

Code:
iptables v1.4.10: Can't use -i with POSTROUTING

Here is a new look at my ifconfig output:

Code:
em1       Link encap:Ethernet  HWaddr 00:11:85:7D:00:65  
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:85ff:fe7d:65/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3215332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1484254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3565433064 (3.3 GiB)  TX bytes:138048824 (131.6 MiB)
          Interrupt:20 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:60853 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60853 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:7933365 (7.5 MiB)  TX bytes:7933365 (7.5 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
The internet connection still freezes. I am thinking that this is probably a firewall problem; however, I may be doing something wrong in the server.conf file for OpenVPN.

Any ideas? I am really stuck...

Thank you all again for your time and help.
 
Old 06-14-2011, 02:07 PM   #4
ambrop7 (Distribution: Gentoo)
Sorry about the wrong iptables command. Use these instead:

iptables -t mangle -A FORWARD -i tun0 -o em1 -j MARK --or-mark 0x100
iptables -t nat -A POSTROUTING -m mark --mark 0x100/0x100 -j MASQUERADE

What do you mean by "the internet connection freezes"? Where - on the client or on the server? Also, what platform is your client and how have you configured it?

Why does your ifconfig for tun0 say Mask:255.255.255.255? I told you to use 192.168.2.0/24, i.e. mask 255.255.255.0. I am sure this is why nothing is working - there are no IP addresses available for VPN clients.

As I have said before: remove all firewall rules first and anything which could interfere with the VPN. Then test the system one step at a time. From the client, once connected to the VPN, try pinging (in that order):
- your network's NATed Internet address (the one the client uses to connect to the VPN)
- the server's VPN address (192.168.2.1)
- the server's em1 address (192.168.1.3)
- an external Internet address
 
Old 06-14-2011, 10:24 PM   #5
BlackHawk (Original Poster, Distribution: Fedora 14)
Okay, here is where I am at with this now... I tried moving tun0 to a different private IP address, so here is my current ifconfig output, and it seems to be running okay.

Code:
em1       Link encap:Ethernet  HWaddr 00:11:85:7D:00:65  
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:85ff:fe7d:65/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3325414 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1549936 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3645806841 (3.3 GiB)  TX bytes:144996036 (138.2 MiB)
          Interrupt:20 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:81155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81155 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8822543 (8.4 MiB)  TX bytes:8822543 (8.4 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.0.1  P-t-P:10.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:420 (420.0 b)
I can ping 10.0.0.1 no problem; that works. netstat -a | grep openvpn shows that openvpn is LISTENING.

Okay, what I figured out is that I logged into my router (Verizon FiOS), and what I did was use port forwarding to have services such as FTP, SSHD, SMTP and HTTPD all forwarded back to my Linux box on 192.168.1.3.

I also wrote a rule in my router's firewall settings to allow TCP port 1194 for OpenVPN.

Here is what I need to know...

I am not really sure how to put this... Is it possible to use iptables to protect my Linux box now that the public IP address is being forwarded back to my Linux box? I am not sure, but do I need to route data from my public IP address back to em1 = 192.168.1.3 with iptables?

Okay, here is a situation I am wondering about: now that my router is using port forwarding to redirect services like SSH from my public IP address to my Linux box (192.168.1.3), can I write rules with iptables to block SSH brute forcing?

When I run my current iptables script, which is displayed above, I get this (I know you told me to start fresh with new rules, and I did, but I am showing you this as an example):

Output from nmap:

Code:
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   open     telnet
25/tcp   filtered smtp
80/tcp   open     http
443/tcp  filtered https

My iptables rules currently close off FTP/SSH/SMTP, but I am not sure what routing rules I am going to need with NAT and MASQUERADE to have data routed back to my Linux box correctly with iptables. I really hope you get what I am trying to do...

If you have any input on the situation I would really appreciate it...

Last edited by BlackHawk; 06-14-2011 at 10:26 PM.
 
Old 06-14-2011, 10:54 PM   #6
Lexus45 (Distribution: Debian, Centos, Ubuntu, Slackware)
What does this command show?
Code:
netstat --proto=inet -nl
 
Old 06-14-2011, 11:10 PM   #7
BlackHawk (Original Poster, Distribution: Fedora 14)
netstat --proto=inet -nl

Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:113                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:44564               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:1194                0.0.0.0:*                   LISTEN      
udp        0      0 0.0.0.0:16055               0.0.0.0:*                               
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               
udp        0      0 0.0.0.0:39847               0.0.0.0:*                               
udp        0      0 0.0.0.0:51632               0.0.0.0:*                               
udp        0      0 0.0.0.0:1008                0.0.0.0:*                               
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               
udp        0      0 0.0.0.0:677                 0.0.0.0:*
Okay, there is the output...

What I am wondering is, should I have packets routed from my public IP back to 192.168.1.3 (my Fedora box), and how do I do that with iptables? I wrote rules to allow all INPUT, OUTPUT and FORWARD to tun0, and my internet seems to be running fine, but I want to be able to use iptables to write secure rules to block things like malicious packets and brute force attempts to my public IP (now being forwarded to 192.168.1.3).

I am not sure what NAT rules I am going to need, and other things like MASQUERADE options, etc.

And how do I go about routing it?

Any input, as always, is greatly appreciated, and again thank you for your time...
 
Old 06-15-2011, 06:30 AM   #8
ambrop7 (Distribution: Gentoo)
I can't be of much help to you, as you seem to be repeatedly ignoring my advice, and instead of focusing on one thing at a time, you invent new "problems" before you have reached one goal.

You haven't said what specific goal you have reached now. Does the VPN link work? Does accessing Internet through the VPN work? I asked you to ping several IP addresses, and you haven't confirmed for all these which are successful and which fail. I suggested using a 255.255.255.0 netmask for tun0, but you are still using 255.255.255.255.

Basically, if you can ping the tun0 address from the client, your VPN link is working, and you can stop worrying whether your VPN server is reachable - it is.

If you have configured the router to forward everything to the Linux box (probably called the "DMZ Host" option), then everything will go to the Linux box - there is nothing more to be done about it. If you want filtering on the Linux box, it can be done independently of the iptables 'nat' and maybe 'mangle' tables - it has absolutely nothing to do with NAT or port forwarding. The only NAT the Linux box is concerned with is NATing VPN clients to the server's local address when they access the local network or the Internet.

If you want to forward an external connection to the router to a VPN client, simply do:

iptables -t nat -A PREROUTING -i em1 -d 192.168.1.3 -p tcp --dport 1234 -j DNAT --to-destination 10.0.0.5:4321
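The DNAT line above, the MASQUERADE for VPN clients from post #4, and the SSH brute-force question from post #5 fit together in one small rule plan. The following is an added example, not the original poster's script and not ambrop7's commands. It prints the iptables commands instead of running them, so the plan can be read before it is piped to a root shell. Interface names, the LAN address and the 10.0.0.0/24 VPN subnet are taken from the thread; the client address 10.0.0.5 and the published port 8080 are hypothetical, and the `tcp` on 1194 follows the netstat output posted above (the OpenVPN sample config uses UDP).

```shell
#!/bin/sh
# Rule plan for an OpenVPN server that also receives the router's port
# forwards. Added example, not the poster's script: it PRINTS iptables
# commands so they can be reviewed, then applied with
#     sh vpn-rules.sh | sudo sh
# Values are from the thread unless marked hypothetical.
LAN_IF=${LAN_IF:-em1}                 # LAN NIC (192.168.1.3 in the thread)
LAN_ADDR=${LAN_ADDR:-192.168.1.3}
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.0.0.0/24}       # "server 10.0.0.0 255.255.255.0"
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-tcp}           # netstat above shows tcp/1194; sample config uses udp
VPN_CLIENT=${VPN_CLIENT:-10.0.0.5}    # hypothetical client address for the DNAT example

ipt() { echo "iptables $*"; }         # print, do not execute

# VPN clients reach the LAN and the Internet through this box.
vpn_baseline() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Let the tunnel come up: the router forwards 1194 to LAN_ADDR.
    ipt -A INPUT -i "$LAN_IF" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    # Authenticated VPN clients may talk to the server itself (ping 10.0.0.1,
    # ssh); tighten this to specific ports once the link is proven.
    ipt -A INPUT -i "$VPN_IF" -j ACCEPT
    # FORWARD is where VPN<->LAN/Internet traffic is decided: default deny,
    # allow replies, allow new flows that originate on the VPN side.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state NEW -j ACCEPT
    # Hide VPN clients behind LAN_ADDR. -i is invalid in POSTROUTING (the
    # error seen earlier in the thread); matching on -s/-o is the plain
    # equivalent of the mangle MARK trick and needs no second table.
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

# Slow down password guessing on the router-forwarded SSH port: once a
# source has 5 new connections recorded in the last 60 s, its next attempts
# are logged and dropped. --rcheck only reads the list; --set records an
# attempt only when it is accepted, so blocked attempts do not extend the window.
ssh_bruteforce_limit() {
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbf --rcheck --seconds 60 --hitcount 5 \
        -m limit --limit 3/min -j LOG --log-prefix SSH-BRUTE:
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbf --rcheck --seconds 60 --hitcount 5 -j DROP
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbf --set -j ACCEPT
}

# Publish a service that lives on a VPN client: router -> LAN_ADDR:PUBLIC_PORT
# -> client:CLIENT_PORT. With FORWARD policy DROP, DNAT alone is silently
# discarded, so the matching FORWARD accept is emitted with it.
# usage: publish_to_vpn_client PUBLIC_PORT CLIENT_ADDR CLIENT_PORT
publish_to_vpn_client() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$LAN_ADDR" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    ipt -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -d "$2" -p tcp --dport "$3" \
        -m state --state NEW -j ACCEPT
}

plan() {
    vpn_baseline
    ssh_bruteforce_limit
    publish_to_vpn_client 8080 "$VPN_CLIENT" 80
}

plan
```

The plan appends rules and never flushes, so it is safe to read on a remote box; on Fedora the result is kept across reboots with the same `/etc/init.d/iptables save` the first post already uses. MASQUERADE only covers flows that the VPN side starts; for a LAN host to reach 10.0.0.x on its own, that host or the router needs a route for 10.0.0.0/24 via 192.168.1.3, as post #2 explains.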
 
Old 06-16-2011, 02:50 AM   #9
BlackHawk (Original Poster, Distribution: Fedora 14)
ambrop7, I am sorry if you feel like I am not taking your advice; I am just trying to get this figured out, that is all.

Actually, I am taking your advice.

If you look above, I did post that I can ping 10.0.0.1 no problem; it works on my internal network, but I know that does not mean that it is working 100%. I can ping 10.0.0.1 from the box that is running OpenVPN, but when I try to ping it from another box on my network it is not working; it could be an iptables issue, though. I am trying to resolve this now.

I did try to put tun0 on 255.255.255.0, but for some reason it ends up on 255.255.255.255; maybe because 192.168.1.3 uses 255.255.255.0?

My Fedora box running OpenVPN is on 192.168.1.3. When I ping 10.0.0.1 from that box it works fine; I can even SSH into 10.0.0.1, which works fine. But when I ping 10.0.0.1 from another Linux box on my network (192.168.1.6), 10.0.0.1 doesn't respond, so I am trying to figure this out.

When I ping 192.168.1.3 from 192.168.1.6 it works, so any thoughts you might have would be great.

ambrop7, here are some of the options I have enabled in my server.conf file for OpenVPN (located at /etc/openvpn/server.conf):

Code:
# Server and client IP and Pool
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Routes to push to the client
push "route 10.0.0.0 255.255.255.0"

As you can now see, I did take your advice and try to put it on that netmask; for some reason tun0 goes to 255.255.255.255.

Is it a problem that I can't ping 10.0.0.1 from another Linux box on my network? I have written rules to allow all INPUT, OUTPUT and FORWARD for tun0; however, I haven't written anything else for that interface, so maybe this is the reason that I can't ping it from another box on the network?

I think I am going to need those NAT rules or PREROUTING options if I want stuff routed through tun0, right?

Thank you all again for your time and help.

Last edited by BlackHawk; 06-16-2011 at 03:09 AM.
 
Old 06-16-2011, 05:18 AM   #10
ambrop7 (Distribution: Gentoo)
The example client and server config files at http://openvpn.net/index.php/open-so....html#examples should work fine without any changes. I don't see anything wrong with the part of the config file you showed me, though the "push route" thing is not really required (clients will add it automatically because they receive an IP address in this subnet).

Your first goal is to be able to ping through the VPN, that is, to ping 10.0.0.1 from the client while the VPN is up.

Don't try anything else until you've got this working. As I have already said: do not worry about NAT or masquerading (they are not needed to get the pinging working, except for forwarding the appropriate ports on your router) and do not worry about filtering (just remove the filtering rules temporarily). If for whatever reason you are still refusing to remove the firewall rules, you can see if packets are being dropped due to firewall rules by running "iptables -t filter --list --verbose" and checking the match counters.

Last edited by ambrop7; 06-16-2011 at 05:20 AM.
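To act on the counter check suggested in the post above, here is an added example (not from the thread) that reads the output of `iptables -t filter -L -v -n` and lists only the DROP/REJECT rules and default policies whose packet counters are non-zero, which is the short list of places a missing ping can have died. The counter table embedded in the script is constructed for the example in the column layout iptables prints, using the thread's interface names; the file name hot_drops.sh in the usage comment is assumed.

```shell
#!/bin/sh
# Which firewall rule is eating my packets? Added example (not from the
# thread): filters "iptables -t filter -L -v -n" output down to the
# DROP/REJECT rules and chain policies whose packet counters are non-zero.
# Live use (file name assumed):
#     iptables -t filter -L -v -n | sh hot_drops.sh live
# Without the "live" argument it runs over the constructed sample below.

hot_drops() {
    awk '
    /^Chain / {
        chain = $2
        # "Chain INPUT (policy DROP 12 packets, 720 bytes)": packets that
        # matched no rule and fell through to a denying policy.
        if ($3 == "(policy" && ($4 == "DROP" || $4 == "REJECT") && $5 + 0 > 0)
            printf "%s policy %s %s pkts\n", chain, $4, $5
        next
    }
    /^ *pkts +bytes/ { next }                      # column header line
    NF >= 9 && $1 + 0 > 0 && ($3 == "DROP" || $3 == "REJECT") {
        extra = ""
        for (i = 10; i <= NF; i++) extra = extra " " $i    # match details
        printf "%s rule %s %s pkts in=%s out=%s src=%s dst=%s%s\n", chain, $3, $1, $6, $7, $8, $9, extra
    }'
}

# Constructed sample in the column layout "iptables -L -v -n" uses, with
# the interface names from this thread. Only three entries have dropped
# anything: the INPUT policy, the INPUT catch-all REJECT, and the FORWARD
# policy; the DROP for port 22 has never matched.
sample_counters() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  840 61200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5312  4.1M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  em1    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 state NEW,ESTABLISHED
    0     0 DROP       tcp  --  em1    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   37  2220 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 9 packets, 756 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   em1     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6104 packets, 912K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
EOF
}

if [ "${1:-}" = live ]; then
    hot_drops                      # read real counters from stdin
else
    sample_counters | hot_drops    # demo on the constructed sample
fi
```

Run `iptables -Z` first, send the one ping that fails, and then run the check: with zeroed counters the only non-zero DROP/REJECT entries are the ones that ping hit, and the `in=`/`out=` columns say which interface pair the packet was on when it died.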
 
Old 06-16-2011, 06:21 AM   #11
ambrop7 (Distribution: Gentoo)
I have just tried the above mentioned config files, and they do in fact work as-is (except for changing the "remote" address in the client file). Here's what I've done:

On the server:

Code:
cd /usr/share/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client
./build-dh

cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/

sftp root@client_machine
sftp> cd /etc/openvpn/
sftp> put ca.crt                                                          100% 1318     1.3KB/s   1.3KB/s   00:00    
sftp> put client.crt                                                      100% 3857     3.8KB/s   3.8KB/s   00:00    
sftp> put client.key
Also copy the server config file from the howto to /etc/openvpn/openvpn.conf
Then start the server by hand in the terminal:

Code:
# cd /etc/openvpn/
# openvpn openvpn.conf
Thu Jun 16 13:08:57 2011 OpenVPN 2.1.4 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on May 18 2011
Thu Jun 16 13:08:57 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 16 13:08:57 2011 Diffie-Hellman initialized with 1024 bit key
Thu Jun 16 13:08:57 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 16 13:08:57 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Thu Jun 16 13:08:57 2011 ROUTE default_gateway=192.168.111.1
Thu Jun 16 13:08:57 2011 TUN/TAP device tun1 opened
Thu Jun 16 13:08:57 2011 TUN/TAP TX queue length set to 100
Thu Jun 16 13:08:57 2011 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Jun 16 13:08:57 2011 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu Jun 16 13:08:57 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 16 13:08:57 2011 UDPv4 link local (bound): [undef]
Thu Jun 16 13:08:57 2011 UDPv4 link remote: [undef]
Thu Jun 16 13:08:57 2011 MULTI: multi_init called, r=256 v=256
Thu Jun 16 13:08:57 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Thu Jun 16 13:08:57 2011 IFCONFIG POOL LIST
Thu Jun 16 13:08:57 2011 client,10.8.0.4
Thu Jun 16 13:08:57 2011 Initialization Sequence Completed
On the server machine, you should now have (my iface is tun1 because I changed it):

Code:
# ifconfig tun1
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
I see that the mask really is always 255.255.255.255; don't worry about it, it's because OpenVPN adds routes separately, so the mask is irrelevant.

On the client machine, copy the client config file from the howto to /etc/openvpn/openvpn.conf, and adjust the server address ("remote" option).
Then start the client from the terminal:

Code:
# cd /etc/openvpn/
# openvpn openvpn.conf
Thu Jun 16 13:15:11 2011 OpenVPN 2.1.4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on Apr  3 2011
Thu Jun 16 13:15:11 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jun 16 13:15:11 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Jun 16 13:15:11 2011 LZO compression initialized
Thu Jun 16 13:15:11 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jun 16 13:15:11 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Thu Jun 16 13:15:11 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jun 16 13:15:11 2011 Local Options hash (VER=V4): '41690919'
Thu Jun 16 13:15:11 2011 Expected Remote Options hash (VER=V4): '530fdded'
Thu Jun 16 13:15:11 2011 UDPv4 link local: [undef]
Thu Jun 16 13:15:11 2011 UDPv4 link remote: [AF_INET]192.168.111.118:1194
Thu Jun 16 13:15:11 2011 TLS: Initial packet from [AF_INET]192.168.111.118:1194, sid=2aa31ec9 beb1b933
Thu Jun 16 13:15:11 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/name=ca/emailAddress=me@myhost.mydomain
Thu Jun 16 13:15:11 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
Thu Jun 16 13:15:11 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 16 13:15:11 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 16 13:15:11 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jun 16 13:15:11 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jun 16 13:15:11 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jun 16 13:15:11 2011 [server] Peer Connection Initiated with [AF_INET]192.168.111.118:1194
Thu Jun 16 13:15:13 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Jun 16 13:15:13 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Jun 16 13:15:13 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jun 16 13:15:13 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jun 16 13:15:13 2011 OPTIONS IMPORT: route options modified
Thu Jun 16 13:15:13 2011 ROUTE default_gateway=192.168.111.1
Thu Jun 16 13:15:13 2011 TUN/TAP device tun1 opened
Thu Jun 16 13:15:13 2011 TUN/TAP TX queue length set to 100
Thu Jun 16 13:15:13 2011 /sbin/ifconfig tun1 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Thu Jun 16 13:15:13 2011 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Thu Jun 16 13:15:13 2011 Initialization Sequence Completed
Now on the client you should have:

Code:
# ifconfig tun1
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=1.24 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=0.865 m
If you have done all of the above and the server and client are starting up properly (i.e. you get "Initialization Sequence Completed" for both), but you can't ping, it's almost surely due to filtering rules.

If they aren't initializing properly, it may be because you haven't properly configured port forwarding on your router, or, again, have bad filtering rules on the Linux box.

Last edited by ambrop7; 06-16-2011 at 06:24 AM.
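The two causes named in the reply above (filtering rules on the Linux box, and the client log's warning that no server certificate verification is enabled) can both be checked from a shell. The script below is an added example, not code from the thread, from ambrop7, or from the OpenVPN project. It assumes the values seen in the thread's logs: the LAN-facing interface is em1, the server listens on UDP 1194 and hands out 10.8.0.0/24, and the tunnel interface matches the tun+ wildcard (tun0 or tun1); all of these can be overridden through the environment. It prints the iptables commands by default and only executes them with APPLY=1. The rules are inserted with -I rather than appended, because Fedora's stock ruleset ends the INPUT and FORWARD chains with a REJECT, and an ACCEPT appended after that REJECT is never reached; the audit function flags exactly that ordering mistake in an iptables-save dump.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): iptables rules an
# OpenVPN server needs to pass tunnel traffic, plus two checks for the
# failure causes named in the thread. Assumed values, taken from the
# thread's logs and overridable from the environment:
WAN_IF="${WAN_IF:-em1}"           # interface facing the LAN/router
VPN_NET="${VPN_NET:-10.8.0.0/24}" # OpenVPN address pool
VPN_PORT="${VPN_PORT:-1194}"      # UDP port the server listens on

# Execute a command when APPLY=1, otherwise just print it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Rules are inserted (-I), not appended (-A): Fedora's default ruleset ends
# INPUT and FORWARD with a REJECT, and an ACCEPT appended after it never matches.
openvpn_fw_rules() {
    # clients must reach the OpenVPN daemon itself
    run iptables -I INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # packets arriving through the tunnel (e.g. the ping to 10.8.0.1)
    run iptables -I INPUT -i tun+ -j ACCEPT
    # VPN clients out to the LAN/Internet, and only reply traffic back in
    run iptables -I FORWARD -i tun+ -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    run iptables -I FORWARD -i "$WAN_IF" -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    # hide VPN clients behind the server's LAN address
    run iptables -t nat -I POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# Audit an iptables-save dump read from stdin. Prints what is missing and
# returns 1 if the tunnel would be blocked, 0 otherwise.
check_fw_dump() {
    dump=$(cat)
    bad=0
    for pat in "^-A INPUT .*--dport $VPN_PORT .*-j ACCEPT" \
               "^-A INPUT .*-i tun.* -j ACCEPT" \
               "^-A FORWARD .*-i tun.* -j ACCEPT" \
               "^-A POSTROUTING .*-j MASQUERADE"; do
        if ! printf '%s\n' "$dump" | grep -Eq -- "$pat"; then
            echo "missing rule: $pat"
            bad=1
        fi
    done
    # an ACCEPT that sits after the chain's REJECT/DROP is never reached
    rej=$(printf '%s\n' "$dump" | grep -nE -- '^-A INPUT .*-j (REJECT|DROP)' | head -n 1 | cut -d: -f1)
    acc=$(printf '%s\n' "$dump" | grep -nE -- '^-A INPUT .*-i tun.* -j ACCEPT' | head -n 1 | cut -d: -f1)
    if [ -n "$rej" ] && [ -n "$acc" ] && [ "$acc" -gt "$rej" ]; then
        echo "tun ACCEPT in INPUT comes after a REJECT/DROP and is never reached"
        bad=1
    fi
    return $bad
}

# The client log warns that no server certificate verification method is
# enabled. Check a client config for the option that turns it on
# (remote-cert-tls in OpenVPN 2.1+, ns-cert-type in older releases).
check_client_cfg() {
    grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$1"
}

case "${1:-}" in
    rules) openvpn_fw_rules ;;                  # APPLY=1 sh vpnfw.sh rules
    check) iptables-save | check_fw_dump ;;     # audit the live ruleset
    cfg)   check_client_cfg "${2:-/etc/openvpn/openvpn.conf}" \
               && echo "server certificate verification is enabled" ;;
esac
```

Run `sh vpnfw.sh rules` first to review the commands, then `APPLY=1 sh vpnfw.sh rules` as root; `iptables-save | sh vpnfw.sh check` afterwards tells you whether the tunnel rules are present and ordered before the chain's REJECT. The FORWARD rule for traffic entering the tunnel from em1 only admits established and related connections, so nothing on the LAN side can open new connections into VPN clients unless you add a rule for it.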
 
Old 06-22-2011, 12:36 AM   #12
BlackHawk
Member
 
Registered: Mar 2011
Location: Southern California
Distribution: Fedora 14
Posts: 62

Original Poster
Rep: Reputation: 1
I am sorry I haven't replied to this thread in a timely manner...

All is well with openvpn. Moving to another private subnet address worked great for me, and I am able to ping tun0 and it works great, and I have no problem on the startup. When Fedora boots up, tun0 starts up right away with no issues. I need to test tun0 from outside my LAN to make sure it is really working; I will let you all know how that goes, but for now it seems to be working great!


Ambrop7, thank you for all of your help.

Last edited by BlackHawk; 06-22-2011 at 12:38 AM.
 
  

