[SOLVED] iptables doesn't work well without OpenVPN

pedrokoma · 05-31-2011, 12:31 AM

Hi,

my problem is following: I'm running a bridged OpenVPN on my Debian. If the service is running, everything works fine: local and Internet, ftp, mailing from in and outside etc. But, when stopping OpenVPN, sending mails from inside (LAN) fails: I cannot reach smtp (postfix) listening on port 465. And even reaching mailboxes using IMAP gets horribly slow eg. in Thunderbird.
Here is my firewall.sh script, please check it:

Quote:

#!/bin/sh

echo "\n\nIPTABLES FIREWALL inicializalasa - szures"

# Enter the designation for the Internal Interface's
INTIF="eth0"

# Enter the NETWORK address the Internal Interface is on
INTNET="v.w.x.0/24"

# Enter the IP address of the Internal Interface
INTIP="v.w.x.y/24"

# Enter Internal broadcats
INTBCAST="v.w.x.255"

# Enter the external interface's designation
EXTIF="eth1"

# Enter the IP address of the External Interface
EXTIP="a.b.c.d/26"

# OpenVPN
VPNIF="tap0"
BRIF="br0"

echo " Stateful/NAT kernel modulok betoltese..."

#/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

# IP-forward
echo "1" > /proc/sys/net/ipv4/ip_forward
# SYN flood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Source validation by reversed path according to RFC1812
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
if [ -e /proc/sys/net/ipv4/conf/tap0/rp_filter ]
then
echo "0" > /proc/sys/net/ipv4/conf/tap0/rp_filter
fi
# Ignore all ICMP echo requests sent to the broadcast address
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable ICMP redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# DHCP out
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Belso interface: $INTIF"
echo " Belso interface IP cim: $INTIP"
echo " Kulso interface: $EXTIF"
echo " Kulso interface IP cim: $EXTIP"

echo " Firewall server szabalyok betoltese..."

UNIVERSE="0.0.0.0/0"

# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

echo " Felhasznaloi lancok beolvasasa ..."

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo " INPUT szabalyok beolvasasa ..."

#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# accessing gateway itself
iptables -A INPUT -i $INTIF -s $INTNET -j ACCEPT

# broadcast
iptables -A INPUT -i $INTIF -d $INTBCAST -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j DROP

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# SYN
iptables -A INPUT -s $UNIVERSE -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Squid
iptables -t nat -A PREROUTING -s $INTNET -p tcp -m tcp ! -d $INTNET --dport 80 -j REDIRECT --to-port 3128
#iptables -A INPUT -i $INTIF -p tcp --dport 3128 -j ACCEPT

# HTTP - szerverhez intezett keres kintrol
iptables -A INPUT -s $UNIVERSE -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --sport 443 -j ACCEPT

# FTP
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 20:21 -j ACCEPT

# SMB
iptables -A INPUT -i $INTIF -s $INTNET -p udp --dport 137 -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -p udp --dport 138 -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -i $INTIF -s $INTNET -p tcp --dport 445 -j ACCEPT

# SSH 2/min from same IP
iptables -A INPUT -s $UNIVERSE -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp -m tcp --sport 1779 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --dport 1779 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --dport 1779 -m state --state NEW -m recent --set --name SSH -j ACCEPT

# SMTP
iptables -A INPUT -s $UNIVERSE -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --sport 25 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --sport 465 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --sport 587 -j ACCEPT

# IMAP
iptables -A INPUT -s $UNIVERSE -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --sport 143 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p tcp --sport 993 -j ACCEPT

# NMAP
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# ESET Mail Security - Postfix
#iptables -A INPUT -s $UNIVERSE -p tcp --sport 2525 -j ACCEPT

# ESET Update kintrol
iptables -A INPUT -s $UNIVERSE -p tcp --dport 8081 -j ACCEPT

# ICMP
iptables -A INPUT -s $UNIVERSE --fragment -p icmp -j DROP
iptables -A INPUT -s $UNIVERSE -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -s $UNIVERSE -p icmp -j ACCEPT

# NTP
iptables -A INPUT -s $UNIVERSE -p udp --sport 123 --dport 123 -j ACCEPT

# DNS
iptables -A INPUT -s $UNIVERSE -p udp --sport 53 -j ACCEPT

# DHCP local
iptables -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# CIB program
iptables -A INPUT -s $INTNET -p tcp --dport 21000 -j ACCEPT

# tavoli asztal; default gateway legyen a cimzett eszkoz (is), kulonben nem talalnak vissza a csomagok
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT

# Webmin
iptables -A INPUT -s $INTNET -p tcp --dport 10000 -j ACCEPT

# OpenVPN
iptables -A INPUT -s $UNIVERSE -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i $VPNIF -j ACCEPT
iptables -A INPUT -i $BRIF -j ACCEPT

# MySQL
iptables -A INPUT -s $UNIVERSE -p tcp --dport 3306 -j ACCEPT

# Windows 7 aktivalas
iptables -A INPUT -s $UNIVERSE -p tcp --dport 1688 -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
#iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP

echo " OUTPUT szabalyok beolvasasa ..."

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTNET -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j DROP

# HTTP - szerverrol kifele
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 443 -j ACCEPT

# FTP
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --sport 20:21 -j ACCEPT

# SMB
iptables -A OUTPUT -o $INTIF -d $INTNET -p udp --sport 137 -j ACCEPT
iptables -A OUTPUT -o $INTIF -d $INTNET -p udp --sport 138 -j ACCEPT
iptables -A OUTPUT -o $INTIF -d $INTNET -p tcp --sport 139 -j ACCEPT
#iptables -A OUTPUT -o $INTIF -d $INTNET -p tcp --sport 445 -j ACCEPT

# SSH
iptables -A OUTPUT -d $UNIVERSE -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp -m tcp --sport 1779 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp -m tcp --dport 1779 -j ACCEPT

# SMTP
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 465 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 587 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --dport 587 -j ACCEPT

# IMAP
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 143 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 143 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 993 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 993 -j ACCEPT

# NMAP
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# ESET Mail Security - Postfix
#iptables -A OUTPUT -d $UNIVERSE -p tcp --dport 2525 -j ACCEPT

# ESET Update kintrol
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 8081 -j ACCEPT

# ICMP
iptables -A OUTPUT -d $UNIVERSE -p icmp -j ACCEPT

# NTP
iptables -A OUTPUT -d $UNIVERSE -p udp --sport 123 --dport 123 -j ACCEPT

# DNS
iptables -A OUTPUT -d $UNIVERSE -p udp --dport 53 -j ACCEPT

# CIB program
iptables -A OUTPUT -d $INTNET -p tcp --sport 21000 -j ACCEPT

#tavoli asztal; default gateway legyen a cimzett eszkoz (is), kulonben nem talalnak vissza a csomagok
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 3389 -j ACCEPT

# Webmin
iptables -A OUTPUT -d $INTNET -p tcp --sport 10000 -j ACCEPT

# OpenVPN
iptables -A OUTPUT -o $VPNIF -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp --sport 1194 -j ACCEPT
iptables -A OUTPUT -o $BRIF -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
#iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP

echo " FORWARD szabalyok beolvasasa..."

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# HTTP - halozatrol
iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d $INTNET -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -s $INTNET -d $UNIVERSE -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d $INTNET -p tcp --sport 443 -j ACCEPT

# DNS
iptables -A FORWARD -s $INTNET -d $UNIVERSE -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d $INTNET -p udp --sport 53 -j ACCEPT

# FTP
iptables -A FORWARD -d $UNIVERSE -p tcp -m tcp --dport 20:21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -p tcp -m tcp --sport 20:21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -d $UNIVERSE -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# SSH
iptables -A FORWARD -s $INTNET -d $UNIVERSE -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s $INTNET -d $UNIVERSE -p tcp --dport 1779 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d $INTNET -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d $INTNET -p tcp --sport 1779 -j ACCEPT

# Bankos program
iptables -A FORWARD -s $INTNET -d $UNIVERSE -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d $INTNET -p tcp --sport 8080 -j ACCEPT

# CIB program
iptables -A FORWARD -s $INTNET -d $UNIVERSE -p tcp --dport 21000 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d $INTNET -p tcp --sport 21000 -j ACCEPT

# Konyvtari program
iptables -A FORWARD -s 192.168.0.100/24 -d $UNIVERSE -p tcp --dport 9999 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d 192.168.0.100/24 -p tcp --sport 9999 -j ACCEPT
iptables -A FORWARD -s 192.168.0.100/24 -d $UNIVERSE -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d 192.168.0.100/24 -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -s 192.168.0.100/24 -d $UNIVERSE -p tcp --dport 210 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -d 192.168.0.100/24 -p tcp --sport 210 -j ACCEPT

#tavoli asztal; default gateway legyen a cimzett eszkoz (is), kulonben nem talalnak vissza a csomagok
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT

# ESET Update kintrol
iptables -A FORWARD -s $UNIVERSE -p tcp --dport 8081 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -p tcp --sport 8081 -j ACCEPT

# Konyha VPN-hez
iptables -A FORWARD -s $UNIVERSE -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -p 47 -j ACCEPT

# NTP
iptables -A FORWARD -i $INTIF -o $EXTIF -p udp --sport 123 --dport 123 -j ACCEPT

# OpenVPN
iptables -A FORWARD -i $VPNIF -j ACCEPT
iptables -A FORWARD -i $BRIF -j ACCEPT

# Windows 7 aktivalas
iptables -A FORWARD -s $UNIVERSE -p tcp --dport 1688 -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
#iptables -A FORWARD -j drop-and-log-it
iptables -A FORWARD -j DROP

echo " NAT szabalyok beolvasasa..."

# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -s $INTNET -j MASQUERADE

# Sulinet DNS csere Arrabonetre - ha nem fut DNS-proxy (BIND)
iptables -t nat -A PREROUTING -p udp -d 195.199.183.241/32 --dport 53 -s $INTNET -j DNAT --to e.f.g.h:53
iptables -t nat -A POSTROUTING -p udp -d $INTNET -s e.f.g.h/32 --sport 53 -j SNAT --to 195.199.183.241:53
iptables -t nat -A PREROUTING -p udp -d 195.199.255.4/32 --dport 53 -s $INTNET -j DNAT --to i.j.k.l:53
iptables -t nat -A POSTROUTING -p udp -d $INTNET -s i.j.k.l/32 --sport 53 -j SNAT --to 195.199.255.4:53

# Windows 7 aktivalas
iptables -t nat -A PREROUTING -p tcp -d 195.199.255.195/32 --dport 1688 -s $INTNET -j DNAT --to 192.168.0.2:1688
iptables -t nat -A POSTROUTING -p tcp -d $INTNET -s 192.168.0.2/32 --sport 1688 -j SNAT --to 195.199.255.195:1688

# tavoli asztal; default gateway legyen a cimzett eszkoz (is), kulonben nem talalnak vissza a csomagok
iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 3389 -j DNAT --to-destination 192.168.0.3:3389
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.3 --sport 3389 -j SNAT --to-source a.b.c.d:3389

# Konyha VPN-hez
iptables -t nat -A PREROUTING -p 47 -i $EXTIF -j DNAT --to 192.168.0.40

# ESET Mail Security
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 25 -j REDIRECT --to-ports 2525
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 465 -j REDIRECT --to-ports 2525
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 587 -j REDIRECT --to-ports 2525
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 143 -j REDIRECT --to-ports 8143
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 993 -j REDIRECT --to-ports 8143

# ESET Update kintrol
#iptables -t nat -A PREROUTING -p tcp -d a.b.c.d --dport 8081 -j DNAT --to-destination 192.168.0.3:8081
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.3 --sport 8081 -j SNAT --to-source a.b.c.d:8081

echo "IPTABLES FIREWALL inicializalasa befejezodott\n\n"

estabroo · 05-31-2011, 04:59 PM

If I had to make a guess I'd say it's because your final OUTPUT rule is drop and when the vpn is down the only allowed outbound traffic is stuff coming from port 1194 (openvpn). So when it's down you might have to relax that rule. Try changing or removing the OUTPUT drop rule and see if it works as you want.

pedrokoma · 06-01-2011, 10:31 AM

Dear Estabroo,

the mentioned line hasn't got sense anyway, because the default rule was DROP. And even then, because dropping is the last rule, the foregoing rules should be effective.
Despite that I've tried what you said, without success.

Thnx anyway.

pedrokoma · 06-02-2011, 07:41 AM

Problem solved. ESET's Mail Security gets but doesn't forward packets to Postfix/Courier_IMAP. When OpenVPN running, mails aren't forwarded to ESET, that's why problems didn't occur.