Old 11-07-2016, 10:34 AM   #1
end
Member
 
Registered: Aug 2016
Posts: 266
iptables and openvpn


Hi

The situation is like this, and I'm confused with this setup. Everything is working: I can connect and browse the internet.

The question is at the bottom.


host centos ---- enp2s0 --- 192.168.0.13
            ---- virbr0 --- 192.168.122.1

iptables rules on host

Code:

#!/bin/bash
# flush all built-in and user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# default-deny policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# loopback
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

# forward OpenVPN (UDP 1194) arriving at the host address to the VM
iptables -t nat -A PREROUTING -d 192.168.0.13 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.122.20

# masquerade everything leaving through enp2s0
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

# forwarding between the LAN interface and the libvirt bridge
iptables -A FORWARD -i enp2s0 -o virbr0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o enp2s0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

###############################################################################
# host-local traffic: drop everything except TCP 6205 and UDP 1194
iptables -I INPUT -p tcp -m tcp -m multiport ! --dports 6205 -j DROP
iptables -I OUTPUT -p tcp -m tcp -m multiport ! --sports 6205 -j DROP
iptables -I INPUT -p udp -m udp -m multiport ! --dports 1194 -j DROP
iptables -I OUTPUT -p udp -m udp -m multiport ! --sports 1194 -j DROP
######################################################################
#########################passwordattack###############################

###############################################################################
# drop invalid TCP flag combinations
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -I PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# drop packets with reserved or bogus source addresses
iptables -t mangle -I PREROUTING -s 224.0.0.0/3 -j DROP
iptables -t mangle -I PREROUTING -s 169.254.0.0/16 -j DROP
iptables -t mangle -I PREROUTING -s 172.16.0.0/12 -j DROP
iptables -t mangle -I PREROUTING -s 192.0.2.0/24 -j DROP
#iptables -t mangle -I PREROUTING -s 192.168.0.0/16 -j DROP
#iptables -t mangle -I PREROUTING -s 10.0.0.0/8 -j DROP
iptables -t mangle -I PREROUTING -s 0.0.0.0/8 -j DROP
iptables -t mangle -I PREROUTING -s 240.0.0.0/5 -j DROP
#iptables -t mangle -I PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

# drop all ICMP
iptables -t mangle -I PREROUTING -p icmp -j DROP

--hitcount 2 -j DROP
Virtual host running OpenVPN (192.168.122.20) with these iptables rules:

Code:
# flush all built-in and user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# default-deny policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# no TCP to or from the VM itself on eth0 or tun0
iptables -A INPUT -p tcp -i eth0 -j DROP
iptables -A OUTPUT -p tcp -o eth0 -j DROP
iptables -A INPUT -p tcp -i tun0 -j DROP
iptables -A OUTPUT -p tcp -o tun0 -j DROP

# OpenVPN itself (UDP 1194) on eth0
iptables -A INPUT -i eth0 -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT

# forwarding between the VPN tunnel and eth0
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# source NAT for VPN clients and for the VM itself
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.0.13
iptables -t nat -A POSTROUTING -s 192.168.122.20 -j SNAT --to 192.168.0.13
#iptables -t nat -A PREROUTING -p udp -d 10.8.0.0/24 --dport 1194 -j DNAT --to-destination 192.168.122.20
#iptables -t nat -A PREROUTING -p udp -d 192.168.122.20 --dport 1194 -j DNAT --to-destination 192.168.0.13
My question is why I need POSTROUTING on the VM VPN server. I can connect without those rules, but browsing doesn't work. I have POSTROUTING on the host machine; isn't that enough? As you can see, I block everything except port 1194, so what's the point of POSTROUTING on the VM?

Second, why is my host address still connecting to TCP protocols? As you can see, on the host firewall everything is blocked except 1194.

Or can anyone tell me how to add these NAT rules as static routes?

Last edited by end; 11-07-2016 at 07:51 PM.
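As an added illustration (not part of the original post) of why the VM's POSTROUTING rule matters: a small Python model of the host's routing table, using the addresses from the post, that shows which interface the host would use for a reply addressed to a VPN client. The routing table itself, the default gateway 192.168.0.1, the client address 10.8.0.6 and the simplification that the VM SNATs to its own eth0 address 192.168.122.20 are assumptions.

```python
import ipaddress

# Constructed model of the CentOS host's routing table. libvirt installs the
# virbr0 route; the LAN route and the default gateway 192.168.0.1 are assumed.
HOST_ROUTES = [
    ("192.168.122.0/24", "virbr0", None),
    ("192.168.0.0/24", "enp2s0", None),
    ("0.0.0.0/0", "enp2s0", "192.168.0.1"),
]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, iface, gateway); returns (iface, gateway)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def reply_path(routes, vm_snat):
    """Where the host sends the reply to a VPN client's web request.

    vm_snat=True models the VM's POSTROUTING SNAT (assumed here to rewrite
    10.8.0.x to the VM's own eth0 address); vm_snat=False models the VM
    forwarding the client's 10.8.0.x source address unchanged.
    """
    client = "10.8.0.6"            # constructed VPN client address
    vm_eth0 = "192.168.122.20"
    src_seen_by_host = vm_eth0 if vm_snat else client
    # The host's MASQUERADE on enp2s0 hides src_seen_by_host on the way out and
    # restores it as the reply's destination; the host then routes on that.
    return lookup(routes, src_seen_by_host)


def with_static_route(routes):
    """Host table after 'ip route add 10.8.0.0/24 via 192.168.122.20'."""
    return routes + [("10.8.0.0/24", "virbr0", "192.168.122.20")]


if __name__ == "__main__":
    print(reply_path(HOST_ROUTES, True))                      # ('virbr0', None)
    print(reply_path(HOST_ROUTES, False))                     # ('enp2s0', '192.168.0.1')
    print(reply_path(with_static_route(HOST_ROUTES), False))  # ('virbr0', '192.168.122.20')
```

Without SNAT on the VM and without a static route, the host's reply to 10.8.0.6 follows the default route out of enp2s0 and never reaches the VM, which is why browsing stops; the static route is the alternative to the VM's NAT rule that the post asks about.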