[SOLVED] iptables doesn't work well without OpenVPN
My problem is the following: I'm running a bridged OpenVPN on my Debian. If the service is running, everything works fine: local and Internet, FTP, mailing from inside and outside, etc. But when OpenVPN is stopped, sending mail from inside (LAN) fails: I cannot reach SMTP (Postfix) listening on port 465. And even reaching mailboxes using IMAP gets horribly slow, e.g. in Thunderbird.
Here is my firewall.sh script, please check it:
```bash
#!/bin/sh
# The interface and address variables used below ($UNIVERSE, $EXTIF, $EXTIP,
# $INTIF, $INTNET, $VPNIF, $BRIF) are set earlier in firewall.sh; that part
# of the script was not included in the post.

# Clear any existing rules and set the default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
    iptables -F drop-and-log-it
fi
# Delete all user-specified chains
iptables -X
# Reset all iptables counters
iptables -Z
echo " Felhasznaloi lancok beolvasasa ..."
# Custom chain: log the packet, then reject it
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
echo " INPUT szabalyok beolvasasa ..."
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j DROP
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Malformed TCP: new connections that do not start with SYN, and bogus flag combinations
iptables -A INPUT -s $UNIVERSE -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -s $UNIVERSE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# OpenVPN: the tunnel port, plus anything arriving on the tun/tap and bridge interfaces
iptables -A INPUT -s $UNIVERSE -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i $VPNIF -j ACCEPT
iptables -A INPUT -i $BRIF -j ACCEPT
# MySQL
iptables -A INPUT -s $UNIVERSE -p tcp --dport 3306 -j ACCEPT
# Windows 7 activation (KMS)
iptables -A INPUT -s $UNIVERSE -p tcp --dport 1688 -j ACCEPT
# Catch-all rule, all other incoming is denied and logged.
#iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo " OUTPUT szabalyok beolvasasa ..."
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTNET -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j DROP
# HTTP - outbound from the server
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 443 -j ACCEPT
# FTP
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --sport 20:21 -j ACCEPT
# DNS
iptables -A OUTPUT -d $UNIVERSE -p udp --dport 53 -j ACCEPT
# CIB program
iptables -A OUTPUT -d $INTNET -p tcp --sport 21000 -j ACCEPT
# Remote desktop; the target device must (also) use this box as its default gateway,
# otherwise the packets cannot find their way back
iptables -A OUTPUT -d $UNIVERSE -p tcp --sport 3389 -j ACCEPT
# OpenVPN
iptables -A OUTPUT -o $VPNIF -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp --sport 1194 -j ACCEPT
iptables -A OUTPUT -o $BRIF -j ACCEPT
# Catch-all rule, all other outgoing is denied and logged.
#iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo " FORWARD szabalyok beolvasasa..."
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
# Replies to connections that were initiated from the inside
iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Remote desktop; the target device must (also) use this box as its default gateway,
# otherwise the packets cannot find their way back
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT
# ESET update from outside
iptables -A FORWARD -s $UNIVERSE -p tcp --dport 8081 -j ACCEPT
iptables -A FORWARD -s $UNIVERSE -p tcp --sport 8081 -j ACCEPT
```
If I had to make a guess, I'd say it's because your final OUTPUT rule is DROP, and when the VPN is down the only allowed outbound traffic is stuff coming from port 1194 (OpenVPN). So when it's down you might have to relax that rule. Try changing or removing the OUTPUT DROP rule and see if it works as you want.
The mentioned line doesn't make sense anyway, because the default rule was DROP. And even then, because dropping is the last rule, the foregoing rules should be effective.
Despite that, I've tried what you said, without success.
Problem solved. ESET's Mail Security receives the packets but doesn't forward them to Postfix/Courier-IMAP. When OpenVPN is running, mail isn't forwarded to ESET, which is why the problem didn't occur.
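The thread ends with the firewall being cleared of blame, after a rule had already been loosened on a guess. A quicker way to settle that question is to let the packet counters answer it: snapshot the chain, reproduce the failing mail submission, snapshot again, and see which DROP rule (or the chain policy) actually moved. The script below is an added example written for this thread, not the poster's firewall.sh; the `snapshot` helper needs root on a real host, and the `demo` function runs the comparison on constructed snapshots whose interface names, addresses and counter values are made up.

```shell
#!/bin/sh
# Added example (not from the thread): find out which firewall rules actually
# matched while a failure is being reproduced, by diffing iptables packet
# counters instead of guessing which DROP is responsible.

# Save the counters of one chain. Needs root on a real host; the file holds
# exactly what `iptables -L CHAIN -v -n -x --line-numbers` prints.
snapshot() {   # snapshot CHAIN FILE
  iptables -L "$1" -v -n -x --line-numbers > "$2"
}

# counter_delta CHAIN BEFORE_FILE AFTER_FILE
# Prints every rule (and the chain policy) whose packet counter grew.
counter_delta() {
  awk -v chain="$1" '
    FNR == 1 { file++ }
    # chain header: "Chain OUTPUT (policy DROP 12 packets, 720 bytes)"
    $1 == "Chain" && $3 == "(policy" {
      key = "policy " $4
      if (file == 1) before[key] = $5
      else if ($5 - before[key] > 0)
        printf "%s %s: +%d pkts\n", chain, key, $5 - before[key]
    }
    # rule lines: num pkts bytes target prot opt in out source destination
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
      if (file == 1) { before[$1] = $2; next }
      d = $2 - before[$1]
      if (d > 0) {
        rule = $4
        for (i = 5; i <= NF; i++) rule = rule " " $i
        printf "%s rule %s: +%d pkts (%s)\n", chain, $1, d, rule
      }
    }' "$2" "$3"
}

# Offline demonstration on constructed snapshots (interface names, addresses
# and counters are made up for the example). Rule 3 plays the role of the
# catch-all DROP at the end of the OUTPUT chain; rule 1 is unchanged and
# must not be reported.
demo() {
  b=$(mktemp) ; a=$(mktemp)
  cat > "$b" <<'EOF'
Chain OUTPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         100       8000 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2          50       4000 ACCEPT     all  --  *      eth1    192.168.1.0/24       192.168.1.0/24
3           7        420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
  cat > "$a" <<'EOF'
Chain OUTPUT (policy DROP 15 packets, 900 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         100       8000 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2          52       4160 ACCEPT     all  --  *      eth1    192.168.1.0/24       192.168.1.0/24
3          12        720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
  counter_delta OUTPUT "$b" "$a"
  rm -f "$b" "$a"
}

# Real-host workflow (as root):
#   snapshot OUTPUT /tmp/out.before
#   ... reproduce the failing mail submission from a LAN client ...
#   snapshot OUTPUT /tmp/out.after
#   counter_delta OUTPUT /tmp/out.before /tmp/out.after
# If neither a DROP rule nor the policy counter moves, the firewall is not
# eating the packets and the search belongs elsewhere, as it did in this thread.
demo
```

Run the same three steps against INPUT as well, since a LAN client's SYN to port 465 is an inbound packet on the server; in the posted script that chain has no general ESTABLISHED,RELATED accept for the internal interface, so it is the other place worth measuring before touching rules.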