LinuxQuestions.org

Linux - Networking: iptables and openvpn (https://www.linuxquestions.org/questions/linux-networking-3/iptables-and-openvpn-4175593084/)

end 11-07-2016 09:34 AM

iptables and openvpn
 
Hi,

The situation is like this, and I'm confused with this setup. Everything is working: I can connect and browse the internet.

The question is at the bottom.


host centos ---- enp2s0 --- 192.168.0.13
            ---- virbr0 --- 192.168.122.1

iptables rules on the host:

Code:

#!/bin/bash
# Flush all rules and user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Default-deny in all three built-in chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Loopback is always allowed
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

# Hand OpenVPN traffic arriving on the host's LAN address over to the guest
iptables -t nat -A PREROUTING -d 192.168.0.13 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.122.20

# Everything forwarded out of enp2s0 leaves with the host's own address
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

# Forwarding between the LAN interface and the libvirt bridge
iptables -A FORWARD -i enp2s0 -o virbr0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o enp2s0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

###############################################################################
# Inserted at position 1 of INPUT/OUTPUT, so they sit above the loopback ACCEPTs:
# drop any TCP that is not port 6205 and any UDP that is not port 1194
iptables -I INPUT -p tcp -m tcp -m multiport ! --dports 6205 -j DROP
iptables -I OUTPUT -p tcp -m tcp -m multiport ! --sports 6205 -j DROP
iptables -I INPUT -p udp -m udp -m multiport ! --dports 1194 -j DROP
iptables -I OUTPUT -p udp -m udp -m multiport ! --sports 1194 -j DROP
######################################################################
#########################passwordattack###############################

###############################################################################
# Drop TCP flag combinations that only appear in scans or malformed segments
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Drop packets with source addresses that should never arrive here
# (multicast, link-local, private 172.16/12, documentation net, 0/8, reserved)
iptables -t mangle -I PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -I PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -I PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -I PREROUTING -s 192.0.2.0/24 -j DROP
#iptables -t mangle -I PREROUTING -s 192.168.0.0/16 -j DROP
#iptables -t mangle -I PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -I PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -I PREROUTING -s 240.0.0.0/5 -j DROP
#iptables -t mangle -I PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

# Drop all ICMP
iptables -t mangle -I PREROUTING -p icmp -j DROP

# The following rule was cut off in the post; only its tail survived
# --hitcount 2 -j DROP

Virtual host running OpenVPN at 192.168.122.20, with these iptables rules:

Code:

#!/bin/bash
# Flush all rules and user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Default-deny in all three built-in chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# No TCP to or from the guest itself on either interface
iptables -A INPUT -p tcp -i eth0 -j DROP
iptables -A OUTPUT -p tcp -o eth0 -j DROP
iptables -A INPUT -p tcp -i tun0 -j DROP
iptables -A OUTPUT -p tcp -o tun0 -j DROP

# The only traffic the guest accepts for itself: OpenVPN on UDP 1194 via eth0
iptables -A INPUT -i eth0 -p udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Forwarding between the tunnel and eth0 (VPN client traffic)
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Source NAT: VPN clients (10.8.0.0/24) and the guest itself leave with the
# host's LAN address 192.168.0.13, not the guest's own 192.168.122.20
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.0.13
iptables -t nat -A POSTROUTING -s 192.168.122.20 -j SNAT --to 192.168.0.13
#iptables -t nat -A PREROUTING -p udp -d 10.8.0.0/24 --dport 1194 -j DNAT --to-destination 192.168.122.20
#iptables -t nat -A PREROUTING -p udp -d 192.168.122.20 --dport 1194 -j DNAT --to-destination 192.168.0.13

My question is: why do I need POSTROUTING on the VM VPN server? I can connect without it, but browsing doesn't work. I have POSTROUTING on the host machine; isn't that enough? As you can see, I block everything except port 1194, so what's the point of POSTROUTING on the VM?

Second: why is my host address still connecting to TCP protocols? As you can see in the host firewall, everything is blocked except 1194.

Or can anyone tell me how to add these NAT rules as static routes?
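The two questions at the end of the post (why the guest needs its own SNAT, and how to replace that NAT with a static route) come down to one missing piece on the host: after MASQUERADE has rewritten a reply back to its 10.8.0.x destination, the host has no route for 10.8.0.0/24, so the reply follows the default route out of enp2s0 instead of going back through the guest. The guest's SNAT hides the 10.8.0.0/24 addresses from the host and so papers over that. The script below is an added example, not code from the post or the thread: it rebuilds the host's forwarding rules and adds the route. Addresses, interface names and the 10.8.0.0/24 VPN subnet are taken from the post; `ip route replace`, the `DRY_RUN` switch and the sample client address 10.8.0.5 are this example's own choices. It assumes the guest has IP forwarding enabled (it must already, for the posted setup to work) and keeps the guest's posted FORWARD rules; with the route in place the guest's two SNAT rules are no longer needed.

```shell
#!/bin/sh
# Added example (not from the original post): host-side NAT and routing for an
# OpenVPN server that runs inside a KVM guest. With DRY_RUN=1 (the default) the
# commands are printed for review; DRY_RUN=0 executes them and needs root.
WAN_IF=enp2s0            # host interface carrying 192.168.0.13
VM_IF=virbr0             # host side of the libvirt bridge (192.168.122.1)
HOST_IP=192.168.0.13
VM_IP=192.168.122.20     # guest running OpenVPN
VPN_NET=10.8.0.0/24      # VPN client subnet, as in the guest's SNAT rule
VPN_PORT=1194

: "${DRY_RUN:=1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

host_vpn_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Hand incoming VPN handshakes to the guest. DNAT runs before the FORWARD
    # chain, so the FORWARD rule below matches the rewritten destination.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$HOST_IP" -p udp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$VM_IP"

    # Replies (and ICMP errors) for any forwarded flow, in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New flows from the LAN side: only the DNATed VPN port, only to the guest.
    run iptables -A FORWARD -i "$WAN_IF" -o "$VM_IF" -d "$VM_IP" -p udp --dport "$VPN_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # New flows from the guest itself and from VPN clients behind it.
    run iptables -A FORWARD -i "$VM_IF" -o "$WAN_IF" -s "$VM_IP" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$VM_IF" -o "$WAN_IF" -s "$VPN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Everything the host forwards out of enp2s0 leaves with the host's address.
    # These packets travel PREROUTING -> FORWARD -> POSTROUTING and never touch
    # INPUT or OUTPUT, which is why VPN-client TCP connections appear to come
    # from 192.168.0.13 even though INPUT/OUTPUT drop all TCP on the host.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # The route that replaces the guest's SNAT: once MASQUERADE has restored a
    # reply's 10.8.0.x destination, the host must know that subnet lives behind
    # the guest. Without this line the reply leaves via the default route.
    run ip route replace "$VPN_NET" via "$VM_IP" dev "$VM_IF"
}

# Quick check: which next hop the host would use for a VPN client address
# (10.8.0.5 is just a sample client address from the VPN subnet).
vpn_route_check() {
    run ip route get 10.8.0.5
}

host_vpn_rules
vpn_route_check
```

Run it once with `DRY_RUN=1` and read the output, then `DRY_RUN=0 sh script.sh` as root. Note that `iptables -F` also removes the rules libvirt installs for virbr0 when the default network starts, so this script must run after libvirtd has brought the bridge up, and again whenever the network is restarted. On the guest, with this route on the host, the two `SNAT --to 192.168.0.13` lines can be dropped; its FORWARD rules between eth0 and tun0 are enough.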

