LinuxQuestions.org > Linux - Networking
Old 01-14-2013, 04:36 PM   #1
Carlton23
OpenVPN & port forwarding options


Hello,

I've been struggling with an idea, but I can't work out if it is possible or not! I've done lots of research, but just scrambled my brain instead.

I want to run openVPN on a server to act as a hub/switch, it will link together 5 or 6 machines creating a 192.* network. I think I've managed this bit.

Next, four of those 5 machines are listening on a TCP/IP port and transmit CCTV images when the 5th machine connects (I've written the software, that bit works!).

I want to use iptables to create a route between the 5th machine and ONE of the CCTV machines. I will then change the routing table to select a different CCTV machine, and so on. If I add a 6th machine it will behave the same as the 5th (it will be a CCTV 'viewer').

My requirements are that nobody else on the network has access to the CCTV (hence VPN) and that the CCTV machines can't 'see' each other. I may add more machines at a later date.

Also, I want to get experience with VPN & iptables, which is the main reason I want to do it like this.


So, my question: is this possible!?!?!? Do iptables work ok within a VPN (some answers on here suggest not, for reasons I don't yet understand)?


My current thinking:
VPN server, normal config (I think I have)

port forwarding with iptables - IP address based, not eth interface:
Code:
# Traffic between two VPN clients crosses the server's FORWARD chain;
# INPUT/OUTPUT only match traffic addressed to or sent by the server itself.
# 192.168.1.32 stands in for the CCTV machine (.321 is not a valid IPv4 octet).
iptables -A FORWARD -p tcp -s 192.168.1.123 -d 192.168.1.32 --sport 513:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p tcp -s 192.168.1.32 -d 192.168.1.123 --sport 123 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

#Allow TCP connection to port 123 on host 192.168.1.32 (CCTV machine) when the source (5th or 6th PC) has IP 192.168.1.123
After that I want to route everything else to nowhere;
Code:
# Forwarded VPN traffic not matched above is dropped, so the CCTV machines cannot reach each other.
iptables -A FORWARD -j DROP
# A blanket INPUT/OUTPUT DROP also cuts the server's own OpenVPN (default UDP 1194) and SSH sessions unless those are accepted earlier in the chain.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
I'll probably need some routes for DHCP too...



So - again, does that seem possible? Or am I wasting my time?

I'd really appreciate any info.
Thank you.
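The per-viewer filtering the post above is after, as an added example (this is not code from any post in the thread). It assumes the OpenVPN server runs without --client-to-client, so every packet between two clients crosses the kernel and is seen by netfilter's FORWARD chain (that is the answer to "do iptables work within a VPN": yes, on the decrypted packets leaving the tun interface), and that clients keep fixed tunnel addresses. The addresses, the port and the chain name CCTV are stand-ins. IPT defaults to echo so the script prints the rules instead of applying them; run it with IPT=iptables as root to apply.

```sh
#!/bin/sh
# Added example for this thread, not code from any post: per-viewer access to
# one CCTV host, enforced on the OpenVPN server's FORWARD chain. Assumes the
# server runs without --client-to-client and clients keep fixed tunnel
# addresses. Addresses, ports and the chain name CCTV are stand-ins.
IPT="${IPT:-echo iptables}"        # set IPT=iptables (as root) to apply for real
SYSCTL="${SYSCTL:-echo sysctl}"
VPN_NET="${VPN_NET:-192.168.1.0/24}"

# One-time baseline: a dedicated chain so the viewer policy can change
# without touching the rest of the firewall. Order inside CCTV is
# [per-viewer allows..., replies, drop]; cctv_allow inserts at position 1.
cctv_base() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -N CCTV
    $IPT -A FORWARD -s "$VPN_NET" -d "$VPN_NET" -j CCTV
    # reply packets of connections accepted by a per-viewer rule
    $IPT -A CCTV -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # anything else between clients, including CCTV <-> CCTV, is dropped
    $IPT -A CCTV -j DROP
}

# cctv_allow <viewer-ip> <cctv-ip> <tcp-port>: the viewer may open
# connections to that one camera; the camera cannot initiate anything
# towards the viewer.
cctv_allow() {
    $IPT -I CCTV 1 -p tcp -s "$1" -d "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# cctv_revoke: same arguments, removes exactly that rule
cctv_revoke() {
    $IPT -D CCTV -p tcp -s "$1" -d "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# cctv_switch <viewer-ip> <old-cctv-ip> <new-cctv-ip> <tcp-port>: move a
# viewer from one camera to another (what the post wanted to do by
# "changing the routing table"). The old stream is not torn down by the
# revoke alone, because its conntrack entry is already ESTABLISHED and the
# reply rule keeps accepting it; cut it with conntrack -D if an immediate
# stop matters.
cctv_switch() {
    cctv_revoke "$1" "$2" "$4"
    cctv_allow "$1" "$3" "$4"
}

# Demo (prints the rules because IPT defaults to echo): viewer .123 -> camera .32
cctv_base
cctv_allow 192.168.1.123 192.168.1.32 5000
```

The per-viewer rule matches only NEW connections in one direction; replies are handled by the single conntrack rule at the end of the chain, so nothing a camera sends on its own initiative gets through. Because the policy lives in its own chain, a script can rebuild it on demand without disturbing the rest of the ruleset.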
 
Old 01-16-2013, 08:13 AM   #2
scheidel21
Why are you messing with the routing? As long as you turn on the OpenVPN option to allow connected client communication, you should be able to use the viewer software to just connect to the connected CCTV client you want. The OpenVPN server will route the traffic for you; it actually doesn't even need to route the traffic if they are all on the same logical subnet (IP scheme).
 
Old 01-16-2013, 08:53 AM   #3
Carlton23
Thank you for your reply.

The only option I could find that matches your description is '--client-to-client'

Quote:
--client-to-client
Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.
When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
The reason I don't want to use this is that I DO want per-client rules, and I do NOT want each client to "see" the other clients.

For example, what if my viewer software allowed me to look at my house while I'm out, but a different viewer I give access to my neighbour so they can record the cars on the driveway? I don't want them to be able to view my front room.

Pushing routes to clients isn't ideal either, because they could guess IPs for themselves if they wanted (unlikely, yeah, but you get the idea).

This is how I ended up with the iptables idea. As mentioned before, this is as much to do with learning as anything.

Do you think it'll work as I've described, or should I just try and see what happens?

Thanks again.
 
Old 01-16-2013, 08:55 AM   #4
scheidel21
Then use static IP assignment for the viewer clients and use iptables to handle access; it will be way easier than trying to use routes, which I don't even think would be possible.
 
Old 01-16-2013, 09:03 AM   #5
Carlton23
Quote:
Originally Posted by scheidel21 View Post
which I don't even think wuld be possible.
That's what I'm getting at. Is VPN data not routable, even if I have the source and destination IPs?
 
Old 01-16-2013, 11:16 AM   #6
darkxer0x
Read this

Anyway, if I have understood what you want to do, I'd do the following:
- Each CCTV machine has a tunnel to the server.
- When a viewer wants to see a CCTV, it connects to the server, and the server forwards the traffic from the viewer to the CCTV machine.
 
Old 01-16-2013, 11:47 AM   #7
Carlton23
Thanks, I'll have a read.

It looks as though you are correct in your understanding, and I like the suggestion of the viewers connecting directly to the server. However, I'm unsure as to how I'd configure the server/NAT for each session. At least if they are all on the VPN, I can trust that they are who they say they are (I could also look them up in DNS or something). Without the VPN, I'd have to authenticate the viewer some other way.

To put it another way, if I use VPN, I can guarantee two viewers have different IPs. If there are two on the same IP, I would be unable to set the new routes on demand.


*Note: When I say 'I can', I mean I'd write a script to do it


Thanks for your input.
 
Old 01-17-2013, 04:49 AM   #8
darkxer0x
Here there is a big problem, and it's that you are trying to use VPN in a scenario where VPN is not required (and not recommended).

You need each CCTV to send the video to the server, and the server to send the video to the viewers. Why do you need a VPN here? The purpose of a VPN is to connect two LANs remotely, or a computer to a LAN remotely.
But to connect a server and a client? You don't need a VPN.

So, what should you do? Easy:
- CCTV machines send video only to the server.
- The server sends the video only to the authorized machines.
- You can tunnel all the communications (with stunnel, for example).

The idea here is that the server manages all the authentication and forwarding logic, the complex part. The CCTV machines should be very simple.
 
Old 01-17-2013, 05:02 AM   #9
Carlton23
I have no control over the CCTV/viewer software, I didn't write it. Also I would expect creating some man-in-the-middle software would take longer than configuring a VPN router. It is peer-to-peer, i.e. each CCTV is its own encapsulated server. If it was on the open internet, you could use the viewer software, type in an IP, and the CCTV data would start streaming. Additionally, the comms are insecure.

Is the conclusion essentially that routing would work, but it's a horrible solution? Or that the whole idea is a waste of time?


Thanks.
 
Old 01-17-2013, 07:16 AM   #10
scheidel21
Routing is not the solution, there is no security in routing. Assigning IP addresses statically via OpenVPN configuration and utilizing firewall rules is the way to go. The only other, more secure way I can think of doing this would be to run multiple instances of OpenVPN, and have the CCTV machines connect to multiple VPNs on the server, and have the client viewer machines connect to the appropriate VPN.

So if you have 6 CCTV machines, they all connect to VPN 1, the VPN you also connect to.
3 of those machines connect to VPN 2 as well, and your neighbor connects to that VPN; they can only access those machines.

The only way routing would work is again using multiple VPNs: CCTV servers connect to one, and viewers connect to others. You can then push out routes per individual VPN, and again specify that the specific IP addresses that the connecting viewer is allowed to view are reachable by routing through the VPN connection.
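The "assign IP addresses statically via OpenVPN configuration" part of the advice above, as an added example (not code from any post). OpenVPN's client-config-dir holds one file per client, named after the CN in the client's certificate, and ifconfig-push in that file fixes the client's tunnel address; ccd-exclusive makes the server refuse any client without such a file. The common names, addresses and the ccd path are stand-ins, and the policy list is constructed for the example. It also checks the thing the original poster worried about, two viewers ending up with the same address, since the firewall keys on that address.

```sh
#!/bin/sh
# Added example for this thread, not from any post: pin every OpenVPN client
# to a fixed tunnel address with client-config-dir / ifconfig-push, and refuse
# clients that have no such file (ccd-exclusive), so firewall rules can key on
# the address. Common names, addresses and the ccd path are stand-ins.
CCD="${CCD:-/etc/openvpn/ccd}"

# Server-side options that make the per-client files take effect.
server_fragment() {
    cat <<EOF
# server.conf fragment (added example)
topology subnet
server 192.168.1.0 255.255.255.0
client-config-dir $CCD
# refuse any certificate whose CN has no file in the ccd directory
ccd-exclusive
# deliberately no 'client-to-client': traffic between clients crosses the
# kernel's FORWARD chain, where iptables can filter it per client
EOF
}

# Constructed policy, one client per line: "<certificate CN> <tunnel ip> <role>"
POLICY='cctv-front 192.168.1.32 camera
cctv-drive 192.168.1.33 camera
viewer-me 192.168.1.123 viewer
viewer-neighbour 192.168.1.124 viewer'

# check_policy: the firewall keys on the tunnel address, so two clients
# sharing one address would silently share one set of permissions.
check_policy() {
    dups=$(printf '%s\n' "$POLICY" | awk '{print $2}' | sort | uniq -d)
    [ -z "$dups" ]
}

# write_ccd <ccd-dir> <cn> <ip>: the file name must equal the CN in the
# client's certificate; with 'topology subnet' the second field is the netmask.
write_ccd() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$3" > "$1/$2"
}

# apply_policy <ccd-dir>: materialise one ccd file per client, refusing a
# policy with duplicate addresses
apply_policy() {
    check_policy || return 1
    mkdir -p "$1"
    printf '%s\n' "$POLICY" | while read -r cn ip _role; do
        [ -n "$cn" ] && write_ccd "$1" "$cn" "$ip"
    done
}

# Demo into a scratch directory so nothing touches /etc
demo_dir=$(mktemp -d)
apply_policy "$demo_dir" && server_fragment
```

Because the address is tied to the certificate CN rather than handed out from a pool, a viewer cannot pick a camera's address for itself, and the iptables rules keyed on 192.168.1.123 stay meaningful across reconnects.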
 
Old 01-17-2013, 08:05 AM   #11
Carlton23
Ok, I think I understand you.

Quote:
Is the conclusion essentially that routing would work, but it's a horrible solution?
'routing' should have been 'iptables'. If iptables == firewall then it ties in with what you say;

Quote:
Assigning IP addresses statically via OpenVPN configuration and utilizing firewall rules is the way to go.
Same thing?
 
Old 01-17-2013, 08:22 AM   #12
scheidel21
Yes, iptables is the firewall.
 
Old 01-17-2013, 08:59 AM   #13
darkxer0x
Now I think I understand the situation more or less.
For example:
CCTV Viewer IP: 5.5.5.5
Server Public IP Address: 1.1.1.1
Server Internal IP Address (through VPN or whatever): 192.168.1.1
CCTV Machine: 192.168.1.2
CCTV Machine port: 100

- CCTV Viewer enters the server IP address (1.1.1.1)
- Server forwards traffic from the CCTV Viewer to the CCTV machine for that client, doing DNAT:
# net.ipv4.ip_forward must be 1 for the server to forward at all
iptables -A FORWARD -p tcp -s 5.5.5.5 -d 192.168.1.2 --dport 100 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies from the CCTV machine
iptables -A FORWARD -d 192.168.1.0/24 -j DROP   # (better if you have a POLICY DROP)
iptables -t nat -A PREROUTING -p tcp -s 5.5.5.5 -d 1.1.1.1 --dport 100 -j DNAT --to-destination 192.168.1.2

I think this should do what you're looking for.

Last edited by darkxer0x; 01-17-2013 at 09:00 AM.
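The DNAT variant from the post above, as an added example (not code from any post), with the pieces a working setup needs around the three rules: ip_forward, the nat table, reply traffic, and a source NAT towards the camera. The last one matters because the CCTV machine only has a tunnel route to the VPN subnet; without it, the camera would try to answer 5.5.5.5 over its own internet link with a private source address. Addresses and ports are the post's stand-ins, and the viewer's public address is assumed fixed. IPT defaults to echo so the script prints the rules; run with IPT=iptables as root to apply.

```sh
#!/bin/sh
# Added example for this thread, not from any post: expose one CCTV machine to
# one viewer on the public internet through the server with DNAT. Addresses
# and ports are stand-ins; the viewer's public address is assumed fixed.
IPT="${IPT:-echo iptables}"        # set IPT=iptables (as root) to apply for real
SYSCTL="${SYSCTL:-echo sysctl}"

# dnat_base: forwarding on, replies of accepted flows allowed, everything else dropped
dnat_base() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# dnat_expose <viewer-pub-ip> <server-pub-ip> <pub-port> <cctv-ip> <cctv-port>
dnat_expose() {
    # 1. rewrite the destination before routing (nat table, PREROUTING)
    $IPT -t nat -A PREROUTING -p tcp -s "$1" -d "$2" --dport "$3" \
        -j DNAT --to-destination "$4:$5"
    # 2. the filter table sees the rewritten address, so match on the camera
    $IPT -A FORWARD -p tcp -s "$1" -d "$4" --dport "$5" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 3. source NAT towards the camera: otherwise the camera would need a
    #    route for the viewer's public address via the VPN to reply at all
    $IPT -t nat -A POSTROUTING -p tcp -d "$4" --dport "$5" -j MASQUERADE
}

# Demo with the addresses from the post: viewer 5.5.5.5 -> 1.1.1.1:100 -> 192.168.1.2:100
dnat_base
dnat_expose 5.5.5.5 1.1.1.1 100 192.168.1.2 100
```

Two things to keep in mind with this layout: the camera now sees every viewer as the server's tunnel address, and the only thing identifying the viewer is its source IP, which is the weakness the original poster raised earlier in the thread as the reason for keeping the viewers on the VPN.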
 
  

