iptables doesn't work well without OpenVPN
Hi,
My problem is the following: I am running a bridged OpenVPN on my Debian box. While the service is running, everything works fine: LAN and Internet access, FTP, and mail from inside and outside. But when OpenVPN is stopped, sending mail from inside (the LAN) fails: I cannot reach SMTP (Postfix) listening on port 465. Even reaching mailboxes over IMAP becomes horribly slow, e.g. in Thunderbird.
Here is my firewall.sh script; please check it:
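#!/bin/sh
#
# firewall.sh - iptables ruleset for a Debian gateway running a bridged OpenVPN.
#
# Flow: load netfilter modules and sysctls, flush everything, create the
# drop-and-log-it chain, then fill INPUT / OUTPUT / FORWARD and finally the
# nat table.  All three filter chains default to DROP, so every ACCEPT below
# is a hole punched into that default.  Rule ORDER matters: iptables uses the
# first matching rule, so do not reorder sections casually.
#
# Must run as root.  Plain POSIX sh (Debian's /bin/sh is dash); printf is used
# for the two banners that contain "\n" because echo's escape handling differs
# between shells.
#
# Review notes - left as-is because changing them alters what the box accepts:
#  * Several INPUT rules accept from 0.0.0.0/0 on a *source* port alone
#    (--sport 22/80/443/25/465/587/143/993/1779).  A remote host chooses its own
#    source port, so such a rule admits a connection to any local port.  Return
#    traffic should be matched with "-m state --state ESTABLISHED,RELATED"
#    (as the EXTIF rule below already does) rather than by source port.
#  * The ESET REDIRECT rules in nat/PREROUTING match "-i $INTIF" only.  With
#    the bridge up, LAN traffic arrives on $BRIF and is accepted wholesale by
#    "-i $BRIF -j ACCEPT"; with OpenVPN (and therefore the bridge) down, the
#    same traffic arrives on $INTIF and is diverted to ports 2525/8143, which
#    INPUT never explicitly accepts.  This presumably explains why SMTP/IMAP
#    behave differently with OpenVPN stopped - confirm with
#    "iptables -t nat -L PREROUTING -v -n" in both states.
#  * MySQL (3306) and the RDP forward (3389) are reachable from anywhere as
#    written; restrict them to $INTNET / the VPN if that is not intended.
#  * All "-j drop-and-log-it" lines are commented out, so nothing denied is
#    logged.  Re-enabling the catch-all ones (rate-limited) gives visibility
#    into what the firewall is dropping.

printf '\n\n%s\n' "IPTABLES FIREWALL inicializalasa - szures"

# ---- Site parameters -------------------------------------------------------
# Internal (LAN) interface, its network, address and broadcast.
INTIF="eth0"
INTNET="v.w.x.0/24"
INTIP="v.w.x.y/24"
INTBCAST="v.w.x.255"
# External (Internet) interface and its address.
EXTIF="eth1"
EXTIP="a.b.c.d/26"
# OpenVPN tap device and the bridge it is enslaved to.
VPNIF="tap0"
BRIF="br0"
# "anywhere"
UNIVERSE="0.0.0.0/0"

# ---- Kernel modules ---------------------------------------------------------
echo " Stateful/NAT kernel modulok betoltese..."
#/sbin/depmod -a
# Note: these are the pre-nf_conntrack module names; on newer kernels the
# modules are aliases or built in, and modprobe may simply report no-op.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

# ---- sysctls ----------------------------------------------------------------
# Routing between interfaces (required for FORWARD/MASQUERADE to do anything).
echo "1" > /proc/sys/net/ipv4/ip_forward
# SYN flood protection.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Reverse-path source validation (RFC 1812).
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# ...except on the OpenVPN tap device, where bridged traffic would otherwise
# fail the reverse-path check.  $VPNIF replaces the hard-coded "tap0" so the
# check follows the variable above.
if [ -e "/proc/sys/net/ipv4/conf/$VPNIF/rp_filter" ]; then
  echo "0" > "/proc/sys/net/ipv4/conf/$VPNIF/rp_filter"
fi
# Ignore ICMP echo requests sent to the broadcast address (smurf).
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Do not accept ICMP redirects.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Dynamic-address support for masquerading (DHCP on the outside).
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Belso interface: $INTIF"
echo " Belso interface IP cim: $INTIP"
echo " Kulso interface: $EXTIF"
echo " Kulso interface IP cim: $EXTIP"
echo " Firewall server szabalyok betoltese..."

# ---- Flush and default policies --------------------------------------------
# Policy is set BEFORE flushing so the box is never briefly open.
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain if it exists.  Listing the chain by name is a direct
# existence test; the old "iptables -L | grep" also matched rules that merely
# referenced the chain.
if iptables -n -L drop-and-log-it >/dev/null 2>&1; then
  iptables -F drop-and-log-it
fi
# Delete all user-defined chains (filter table) and reset all counters.
iptables -X
iptables -Z

# ---- User chains ------------------------------------------------------------
echo " Felhasznaloi lancok beolvasasa ..."
# Despite its name this chain logs and then REJECTs (sends an ICMP error);
# use "-j DROP" here if silent discard is preferred.  Consider adding
# "-m limit --limit 5/min" in front of the LOG target so a flood cannot fill
# the syslog.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo " INPUT szabalyok beolvasasa ..."
#######################################################################
# INPUT: traffic addressed to this host.  Chain is flushed and its default
# policy is DROP.
#
# Loopback is always valid.
iptables -A INPUT -i lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT
# LAN hosts may reach the gateway itself (also its broadcast address).
iptables -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
iptables -A INPUT -i "$INTIF" -d "$INTBCAST" -j ACCEPT
# Packets on the external interface claiming a LAN source are spoofed.
#iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j DROP
# Replies to connections this host opened towards the Internet.
iptables -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Malformed / scan-style TCP flag combinations.
iptables -A INPUT -s "$UNIVERSE" -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Squid: transparently proxy LAN web traffic that is not destined for the LAN.
# (This is a nat rule placed in the INPUT section; it only matters for
# packets entering on an interface where PREROUTING sees them from $INTNET.)
iptables -t nat -A PREROUTING -s "$INTNET" -p tcp -m tcp ! -d "$INTNET" --dport 80 -j REDIRECT --to-port 3128
#iptables -A INPUT -i $INTIF -p tcp --dport 3128 -j ACCEPT
# HTTP/HTTPS - requests to the server from outside.
# The --sport rules are source-port-only accepts (see header review notes).
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --sport 443 -j ACCEPT
# FTP (active data + control); ip_conntrack_ftp handles the data channel.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 20:21 -j ACCEPT
# SMB from the LAN only.
iptables -A INPUT -i "$INTIF" -s "$INTNET" -p udp --dport 137 -j ACCEPT
iptables -A INPUT -i "$INTIF" -s "$INTNET" -p udp --dport 138 -j ACCEPT
iptables -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -i $INTIF -s $INTNET -p tcp --dport 445 -j ACCEPT
# SSH on 22 and 1779: at most 2 new connections per minute per source IP.
# Both ports share the "SSH" recent list, so attempts on one count against
# the other.  The --sport lines are again source-port-only accepts.
iptables -A INPUT -s "$UNIVERSE" -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp -m tcp --sport 1779 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 1779 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 1779 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# SMTP / submission.  Note that LAN traffic entering on $INTIF is redirected
# to 2525 in nat/PREROUTING before it reaches these rules; 2525 itself is not
# accepted anywhere in INPUT (the 2525 rule below is commented out and would
# match the source port anyway).
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --sport 25 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --sport 465 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --sport 587 -j ACCEPT
# IMAP / IMAPS (same remark: LAN traffic on $INTIF is redirected to 8143).
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --sport 143 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p tcp --sport 993 -j ACCEPT
# Local scans (nmap against 127.0.0.1); already covered by the "-i lo" rule.
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# ESET Mail Security - Postfix
#iptables -A INPUT -s $UNIVERSE -p tcp --sport 2525 -j ACCEPT
# ESET update mirror, reachable from outside.
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 8081 -j ACCEPT
# ICMP: drop fragments, allow replies/unreachables/time-exceeded, rate-limit
# echo requests.  The final unconditional ICMP accept makes the per-type
# rules above it mostly cosmetic; only the fragment drop and the echo limit
# actually restrict anything.
iptables -A INPUT -s "$UNIVERSE" --fragment -p icmp -j DROP
iptables -A INPUT -s "$UNIVERSE" -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -s "$UNIVERSE" -p icmp -j ACCEPT
# NTP
iptables -A INPUT -s "$UNIVERSE" -p udp --sport 123 --dport 123 -j ACCEPT
# DNS replies (source-port-only accept for UDP).
iptables -A INPUT -s "$UNIVERSE" -p udp --sport 53 -j ACCEPT
# DHCP from the LAN.
iptables -A INPUT -i "$INTIF" -p udp --sport 68 --dport 67 -j ACCEPT
# CIB (banking) client program, LAN only.
iptables -A INPUT -s "$INTNET" -p tcp --dport 21000 -j ACCEPT
# Remote desktop; the target host must (also) use this box as its default
# gateway, otherwise the reply packets do not find their way back.
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
# Webmin, LAN only.
iptables -A INPUT -s "$INTNET" -p tcp --dport 10000 -j ACCEPT
# OpenVPN: the control port from anywhere, and everything arriving over the
# tap device or the bridge.
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i "$VPNIF" -j ACCEPT
iptables -A INPUT -i "$BRIF" -j ACCEPT
# MySQL - open to the world as written (see header review notes).
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 3306 -j ACCEPT
# Windows 7 activation (KMS).
iptables -A INPUT -s "$UNIVERSE" -p tcp --dport 1688 -j ACCEPT
# Catch-all: everything else incoming is denied (logging variant disabled).
#iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j DROP

echo " OUTPUT szabalyok beolvasasa ..."
#######################################################################
# OUTPUT: traffic originating on this host.  Chain is flushed and its
# default policy is DROP.
#
# Loopback is always valid.
iptables -A OUTPUT -o lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT
# Anything from the LAN address range to the LAN over the LAN interface.
iptables -A OUTPUT -o "$INTIF" -s "$INTNET" -d "$INTNET" -j ACCEPT
# LAN destinations must never leave via the external interface (bad routing).
#iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j DROP
# HTTP/HTTPS - outbound from the server and replies from the local web server.
iptables -A OUTPUT -d "$UNIVERSE" -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 443 -j ACCEPT
# FTP server replies.
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --sport 20:21 -j ACCEPT
# SMB replies to the LAN.
iptables -A OUTPUT -o "$INTIF" -d "$INTNET" -p udp --sport 137 -j ACCEPT
iptables -A OUTPUT -o "$INTIF" -d "$INTNET" -p udp --sport 138 -j ACCEPT
iptables -A OUTPUT -o "$INTIF" -d "$INTNET" -p tcp --sport 139 -j ACCEPT
#iptables -A OUTPUT -o $INTIF -d $INTNET -p tcp --sport 445 -j ACCEPT
# SSH: server replies (--sport) and client connections from this box (--dport).
iptables -A OUTPUT -d "$UNIVERSE" -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp -m tcp --sport 1779 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp -m tcp --dport 1779 -j ACCEPT
# SMTP / submission: server replies and outbound mail delivery.
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --sport 465 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --sport 587 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --dport 587 -j ACCEPT
# IMAP / IMAPS server replies.  The original listed each of these rules twice;
# the identical duplicates were dropped.  If this host must also act as an
# IMAP *client* (e.g. fetchmail), add matching --dport 143/993 rules as in the
# SMTP section.
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --sport 143 -j ACCEPT
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --sport 993 -j ACCEPT
# Local scans; already covered by the "-o lo" rule.
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# ESET Mail Security - Postfix
#iptables -A OUTPUT -d $UNIVERSE -p tcp --dport 2525 -j ACCEPT
# ESET update mirror replies.
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --sport 8081 -j ACCEPT
# ICMP
iptables -A OUTPUT -d "$UNIVERSE" -p icmp -j ACCEPT
# NTP
iptables -A OUTPUT -d "$UNIVERSE" -p udp --sport 123 --dport 123 -j ACCEPT
# DNS queries from this host.
iptables -A OUTPUT -d "$UNIVERSE" -p udp --dport 53 -j ACCEPT
# CIB program replies to the LAN.
iptables -A OUTPUT -d "$INTNET" -p tcp --sport 21000 -j ACCEPT
# Remote desktop (see the INPUT remark about the default gateway).
iptables -A OUTPUT -d "$UNIVERSE" -p tcp --sport 3389 -j ACCEPT
# Webmin replies to the LAN.
iptables -A OUTPUT -d "$INTNET" -p tcp --sport 10000 -j ACCEPT
# OpenVPN: everything over the tap device and the bridge, plus the control
# port replies on the external interface.
iptables -A OUTPUT -o "$VPNIF" -j ACCEPT
iptables -A OUTPUT -o "$EXTIF" -p tcp --sport 1194 -j ACCEPT
iptables -A OUTPUT -o "$BRIF" -j ACCEPT
# Catch-all: everything else outgoing is denied (logging variant disabled).
#iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
iptables -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j DROP

echo " FORWARD szabalyok beolvasasa..."
#######################################################################
# FORWARD: traffic routed through this box (LAN <-> Internet, IP masquerade).
#
# Replies from the Internet to connections the LAN opened.
iptables -A FORWARD -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP/HTTPS from the LAN (port 80 is normally diverted to Squid in PREROUTING
# before it gets here).
iptables -A FORWARD -i "$INTIF" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d "$INTNET" -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -s "$INTNET" -d "$UNIVERSE" -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d "$INTNET" -p tcp --sport 443 -j ACCEPT
# DNS
iptables -A FORWARD -s "$INTNET" -d "$UNIVERSE" -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d "$INTNET" -p udp --sport 53 -j ACCEPT
# FTP (control, active and passive data ranges).  The two 1024:65535 <->
# 1024:65535 rules are very broad: they forward any high-port TCP connection
# in either direction, not only FTP data.
iptables -A FORWARD -d "$UNIVERSE" -p tcp -m tcp --dport 20:21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -p tcp -m tcp --sport 20:21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -d "$UNIVERSE" -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# SSH from the LAN outwards, and the replies.
iptables -A FORWARD -s "$INTNET" -d "$UNIVERSE" -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s "$INTNET" -d "$UNIVERSE" -p tcp --dport 1779 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d "$INTNET" -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d "$INTNET" -p tcp --sport 1779 -j ACCEPT
# Banking program.
iptables -A FORWARD -s "$INTNET" -d "$UNIVERSE" -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d "$INTNET" -p tcp --sport 8080 -j ACCEPT
# CIB program.
iptables -A FORWARD -s "$INTNET" -d "$UNIVERSE" -p tcp --dport 21000 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d "$INTNET" -p tcp --sport 21000 -j ACCEPT
# Library program.  Note 192.168.0.100/24 is the whole 192.168.0.0/24 network,
# not a single host; use /32 if only that machine should match.
iptables -A FORWARD -s 192.168.0.100/24 -d "$UNIVERSE" -p tcp --dport 9999 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d 192.168.0.100/24 -p tcp --sport 9999 -j ACCEPT
iptables -A FORWARD -s 192.168.0.100/24 -d "$UNIVERSE" -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d 192.168.0.100/24 -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -s 192.168.0.100/24 -d "$UNIVERSE" -p tcp --dport 210 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -d 192.168.0.100/24 -p tcp --sport 210 -j ACCEPT
# Remote desktop; the target host must (also) use this box as its default
# gateway, otherwise the reply packets do not find their way back.
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT
# ESET update mirror, reachable from outside.
iptables -A FORWARD -s "$UNIVERSE" -p tcp --dport 8081 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -p tcp --sport 8081 -j ACCEPT
# PPTP VPN for the kitchen (TCP 1723 + GRE, protocol 47).
iptables -A FORWARD -s "$UNIVERSE" -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -s "$UNIVERSE" -p 47 -j ACCEPT
# NTP from the LAN outwards.
iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -p udp --sport 123 --dport 123 -j ACCEPT
# OpenVPN: anything entering over the tap device or the bridge.
iptables -A FORWARD -i "$VPNIF" -j ACCEPT
iptables -A FORWARD -i "$BRIF" -j ACCEPT
# Windows 7 activation (KMS).
iptables -A FORWARD -s "$UNIVERSE" -p tcp --dport 1688 -j ACCEPT
# Catch-all: everything else forwarded is denied (logging variant disabled).
#iptables -A FORWARD -j drop-and-log-it
iptables -A FORWARD -j DROP

echo " NAT szabalyok beolvasasa..."
#######################################################################
# nat table.
#
# Masquerade the LAN behind the external address.
iptables -t nat -A POSTROUTING -s "$INTNET" -j MASQUERADE
# Rewrite the Sulinet DNS servers to the Arrabonet ones, for LAN clients that
# still point at the old addresses - used when no local DNS proxy (BIND) runs.
iptables -t nat -A PREROUTING -p udp -d 195.199.183.241/32 --dport 53 -s "$INTNET" -j DNAT --to e.f.g.h:53
iptables -t nat -A POSTROUTING -p udp -d "$INTNET" -s e.f.g.h/32 --sport 53 -j SNAT --to 195.199.183.241:53
iptables -t nat -A PREROUTING -p udp -d 195.199.255.4/32 --dport 53 -s "$INTNET" -j DNAT --to i.j.k.l:53
iptables -t nat -A POSTROUTING -p udp -d "$INTNET" -s i.j.k.l/32 --sport 53 -j SNAT --to 195.199.255.4:53
# Windows 7 activation: redirect the KMS address to the internal KMS host.
iptables -t nat -A PREROUTING -p tcp -d 195.199.255.195/32 --dport 1688 -s "$INTNET" -j DNAT --to 192.168.0.2:1688
iptables -t nat -A POSTROUTING -p tcp -d "$INTNET" -s 192.168.0.2/32 --sport 1688 -j SNAT --to 195.199.255.195:1688
# Remote desktop published on the external address (see gateway remark above).
iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 3389 -j DNAT --to-destination 192.168.0.3:3389
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.3 --sport 3389 -j SNAT --to-source a.b.c.d:3389
# PPTP VPN for the kitchen: GRE from outside goes to the PPTP host.
iptables -t nat -A PREROUTING -p 47 -i "$EXTIF" -j DNAT --to 192.168.0.40
# ESET Mail Security: divert LAN mail traffic to the scanning proxy.  These
# match "-i $INTIF" only - traffic arriving on the bridge ($BRIF) is NOT
# diverted, so behaviour differs depending on whether the bridge is up (see
# header review notes).
iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 25 -j REDIRECT --to-ports 2525
iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 465 -j REDIRECT --to-ports 2525
iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 587 -j REDIRECT --to-ports 2525
iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 143 -j REDIRECT --to-ports 8143
iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 993 -j REDIRECT --to-ports 8143
# ESET update mirror published externally (disabled).
#iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 8081 -j DNAT --to-destination 192.168.0.3:8081
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.3 --sport 8081 -j SNAT --to-source a.b.c.d:8081

printf '%s\n\n\n' "IPTABLES FIREWALL inicializalasa befejezodott"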