LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-05-2010, 12:42 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

how to incorporate this into iptables


I'm following an OpenVPN installation how-to and it says to add this to the iptables:
Quote:
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT
# OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT
I'm not quite sure how to incorporate that into my existing rules:
Quote:
*filter
:INPUT DROP [10:568]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:260]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH --rsource -j DROP
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
Any thoughts? The whole formatting is separate and it has the addition of FORWARD rules, etc. I need the VPN running on the .199 address.
 
Old 01-05-2010, 01:04 PM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Here's just an example of what that stuff would look like if it were in the format of your firewall script in the second code block you posted:

First, I defined the empty variables with some stuff, based on my own machine settings:
Code:
bash-3.1# EXTIF=eth0 # the external internet-facing interface      
bash-3.1# VPNIF=tun0 # the interface to the VPN
bash-3.1# INTIF=eth1 # my internal interface (??) 
bash-3.1# UNIVERSE=0/0 # everywhere  
bash-3.1# EXTIP=111.222.333.444  # imaginary internet-facing IP address that people use to find me
bash-3.1# VPNNET="172.16.0.0/24" 
bash-3.1# VPNIP="172.16.0.1"
Now, with those variables set, I can echo that script above and see a realistic output:
Code:
bash-3.1# echo "

### OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT # OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT "

Gives output like:

### OpenVPN
 -A INPUT -i eth0 -p tcp -s 0/0 -d 111.222.333.444 --destination-port 1723 -j ACCEPT # OpenVPN
 -A INPUT -i eth0 -p tcp -s 0/0 -d 111.222.333.444 --destination-port 1723 -j ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
 -A OUTPUT -o eth1 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT
 -A OUTPUT -o tun0 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT # OpenVPN
 -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -o eth1 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT
 -A FORWARD -o tun0 -s 111.222.333.444 -d 172.16.0.1 -j ACCEPT
 -A FORWARD -o eth0 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT
 -A FORWARD -o tun0 -s MISSING -d 172.16.0.0/24 -j ACCEPT
bash-3.1#
Now, NOTE: I assume "UNIVERSE" means "everywhere", which in iptables-speak is "0/0", so I set $UNIVERSE to "0/0".

NOTE 2: See the last line, where it says "MISSING" -- I suppose the idea there is to put the IP/mask of the network referred to as $INTNET, but to complete my example I'm not sure what to put there. The documentation you are going by should be able to clarify that for you.

Finally, since it appears that all the above belongs in the *filter table, which is what you are running now anyhow, it's just a matter of inserting these new lines in an orderly fashion into your existing script posted above (of course, replace any IP addresses with the actual ones you want to use).

Hope this helps you get a start at it.

Sasha

Last edited by GrapefruiTgirl; 01-05-2010 at 01:06 PM.
 
Old 01-06-2010, 03:57 AM   #3
qwertyjjj
Quote:
Originally Posted by GrapefruiTgirl
Thanks
I'm not sure what my internal network config is though.
I presume I need a LAN address like 10.x.x.x or 192.168.x.x but all I get from ifconfig is this:
tun0 has appeared from PPP, but I can't get that working, so I am trying OpenVPN again.
Quote:
[root@server88-208-237-198 keys]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:19:99:63:5A:A3
inet addr:88.xxx.xxx.xx8 Bcast:88.xxx.xxx.255 Mask:255.255.252.0
inet6 addr: fe80::219:99ff:fe63:5aa3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:575798084 errors:0 dropped:0 overruns:0 frame:0
TX packets:568596230 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1194350165 (1.1 GiB) TX bytes:1476107142 (1.3 GiB)

eth0:0 Link encap:Ethernet HWaddr 00:19:99:63:5A:A3
inet addr:88.xxx.xxx.xx9 Bcast:88.xxx.xxx.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14761 errors:0 dropped:0 overruns:0 frame:0
TX packets:14761 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3011783 (2.8 MiB) TX bytes:3011783 (2.8 MiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.0.1 P-t-P:172.16.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[root@server88-208-237-198 keys]#
 
Old 01-06-2010, 04:09 AM   #4
qwertyjjj
This fails when I restart iptables, hmm:
Quote:
*filter
:INPUT DROP [10:568]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:260]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH -$
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds$
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1057 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 5555 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.199 -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A INPUT -p 47 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLI$
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHE$
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

### OpenVPN
-A INPUT -i eth0 -p tcp -s 0/0 -d xx.xxx.xxx.199 --destination-port 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp -s 0/0 -d xx.xxx.xxx.199 --destination-port 1194 -j ACCEPT
# Allow TUN interface connections to OpenVPN server
-A OUTPUT -o eth1 -s xx.xxx.xxx.199 -d 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o tun0 -s xx.xxx.xxx.199 -d 172.16.0.0/24 -j ACCEPT # OpenVPN
-A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o eth1 -s xx.xxx.xxx.199 -d 172.16.0.0/24 -j ACCEPT
-A FORWARD -o tun0 -s xx.xxx.xxx.199 -d 172.16.0.1 -j ACCEPT
-A FORWARD -o eth0 -s xx.xxx.xxx.199 -d 172.16.0.0/24 -j ACCEPT
-A FORWARD -o tun0 -s 255.255.255.0 -d 172.16.0.0/24 -j ACCEPT

COMMIT
 
Old 01-06-2010, 10:13 AM   #5
GrapefruiTgirl
When an iptables-restore script such as this fails, iptables gives the line number where the failure occurred.

So, at your root console, if you do:

Code:
cat <this-file> | iptables-restore -c
it will say something like "Error occurred at line ###", telling you where to look for the problem. I suspect the problem(s) have to do with those xx.xxx.xxx.199 entries. I doubt that syntax makes iptables happy, so you need an actual IP address or network/mask there.

I don't see an obvious problem with the script besides that.

Sasha
 
Old 01-06-2010, 10:20 AM   #6
qwertyjjj
Quote:
Originally Posted by GrapefruiTgirl
I just covered up the IP address with x's so it wasn't public on this forum.
I run service iptables restart when the script is done, but it fails.
 
Old 01-06-2010, 10:32 AM   #7
GrapefruiTgirl
Ahh, ok

Well, instead of using "service start", do it in the console using iptables-restore, so you can get the feedback from iptables telling you what line the error is on.

Sasha

HEY Wait!! A few of the longer lines appear to end with garbage:

-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLI$
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHE$
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH -$
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds$
Fix those up.

Last edited by GrapefruiTgirl; 01-06-2010 at 10:35 AM.
 
Old 01-06-2010, 10:50 AM   #8
qwertyjjj
Quote:
Originally Posted by GrapefruiTgirl
Nah, that's the cut and paste not doing its job in Linux.
 
Old 01-06-2010, 10:53 AM   #9
GrapefruiTgirl
Ack!

LOL, ok, well, back to my initial suggestion: execute the script using cat <script> | iptables-restore -c and determine what line number(s) are causing the problem.

Sasha
 
Old 01-07-2010, 02:20 AM   #10
qwertyjjj
Quote:
Originally Posted by GrapefruiTgirl
So, I edit the iptables script and then run the above command?
cat /etc/sysconfig/iptables | iptables-restore -c

If it fails, does that break my iptables current structure and throw out users or do they remain connected?
 
Old 01-07-2010, 03:11 AM   #11
qwertyjjj
Well, it connected successfully!
However, none of my traffic on the client is being forwarded. I opened up a browser and it still gave me my IP rather than the server's IP.
 
Old 01-07-2010, 06:32 AM   #12
qwertyjjj
Quote:
Originally Posted by GrapefruiTgirl
Ok, VPN connected but not working 100% yet.
I am trying to do a NAT forward in iptables but get the following error:
Quote:
[root@server88-xxx-xxx-198 openvpn]# iptables -t nat -I POSTROUTING -i tun0 -o e
iptables v1.3.5: Can't use -i with POSTROUTING
Any ideas on what to do?
I have an OpenVPN server running and I need the client to use the ports on the OpenVPN server.
 
Old 01-07-2010, 09:31 AM   #13
GrapefruiTgirl
Quote:
Originally Posted by qwertyjjj
So, I edit the iptables script and then run the above command?
cat /etc/sysconfig/iptables | iptables-restore -c
Yep, just cat the script like that.
Quote:
If it fails, does that break my iptables current structure and throw out users or do they remain connected?
If it fails due to error, I *believe* it will not make any change; however, just in case, have your original working firewall script as a separate file from the one with these mods.
If the one with the mods fails, then just restart your working firewall with the original script to be sure the good copy is in use.
It may cause a 'bump' in service, but I don't think it will disconnect everyone connected (don't quote me here!)
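A pre-flight check plus an apply-with-rollback wrapper for the advice in posts #5 and #13 (let iptables-restore report the failing line, and keep the working ruleset to fall back on), as an added example that is not code from the thread or the how-to. The function names lint_rules and safe_apply, the individual checks, and the sample ruleset are assumptions constructed here from the problems the thread shows.

```shell
#!/bin/sh
# Pre-flight lint for an iptables-save style file (e.g. /etc/sysconfig/iptables) plus an
# apply-with-rollback wrapper. Added example for this thread, not code from the posts.
# The checks are assumptions drawn from the failures shown above: lines cut off with a
# trailing "$" by the terminal paste, trailing "# comment" text on a rule line (only a
# line that starts with "#" is a comment to iptables-restore), masked "xx.xxx" addresses
# left in from the forum post, and a "*table" block that never reaches COMMIT.

# lint_rules FILE  -> prints "line N: problem" per finding; exit status 1 if any found
lint_rules() {
    awk '
        BEGIN { problems = 0; in_table = 0 }
        /^[ \t]*#/       { next }                 # whole-line comment: fine
        /^\*/            { in_table = 1; next }   # *filter, *nat, ...
        /^COMMIT/        { in_table = 0; next }
        /\$[ \t]*$/      { print "line " NR ": truncated line (ends with $)"; problems++ }
        /^-A.*[ \t]#/    { print "line " NR ": trailing comment on a rule line"; problems++ }
        /xx\.xxx/        { print "line " NR ": placeholder address, not a real IP"; problems++ }
        END {
            if (in_table) { print "line " NR ": table opened but no COMMIT"; problems++ }
            exit (problems > 0)
        }' "$1"
}

# safe_apply FILE  -> lint, snapshot the live ruleset, load the new one, roll back on error.
# Needs root and iptables; iptables-restore itself reports the failing line number.
safe_apply() {
    new="$1"
    lint_rules "$new" || { echo "refusing to load $new: fix the findings above" >&2; return 1; }
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    if iptables-restore < "$new"; then
        echo "loaded $new; previous ruleset kept in $backup"
    else
        echo "iptables-restore failed, restoring previous ruleset from $backup" >&2
        iptables-restore < "$backup"
        return 1
    fi
}

# Constructed sample resembling the ruleset in post #4, for a stand-alone run:
#   sh this-script.sh lint        -> three findings
#   sh this-script.sh apply FILE  -> safe_apply FILE (as root)
case "${1:-}" in
    lint)
        sample=$(mktemp) || exit 1
        printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
            '-A INPUT -i lo -j ACCEPT' \
            '-A INPUT -p udp --dport 1194 -j ACCEPT # OpenVPN' \
            '-A INPUT -p tcp --dport 1057 -m state --state NEW -m recent --set --name SSH -$' \
            '-A INPUT -d xx.xxx.xxx.199 -p tcp --dport 1057 -j ACCEPT' \
            'COMMIT' > "$sample"
        lint_rules "$sample"; rm -f "$sample" ;;
    apply) safe_apply "$2" ;;
esac
```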
 
Old 01-07-2010, 09:33 AM   #14
GrapefruiTgirl
[root@server88-xxx-xxx-198 openvpn]# iptables -t nat -I POSTROUTING -i tun0 -o e
iptables v1.3.5: Can't use -i with POSTROUTING


As for the above, shouldn't that be:

iptables -t nat -A POSTROUTING....

Note the -A there.
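The rule set that replaces the failing POSTROUTING command from post #12, as an added example that is not from the thread or the how-to. It assumes the thread's tun0, eth0 and 172.16.0.0/24 values, a placeholder external address in EXTIP, and the helper names run and vpn_nat_rules; -i is rejected in POSTROUTING whether the rule is appended with -A or inserted with -I, because that chain sees packets on their way out, so the VPN clients are selected by source network instead.

```shell
#!/bin/sh
# NAT and forwarding for OpenVPN clients on 172.16.0.0/24 going out through the server's
# external address. Added example for this thread, not from the posts or the how-to.
# Interface and network values are the thread's; EXTIP is a placeholder to replace with
# the real ".199" address (the how-to's EXTIP variable).
VPNIF="tun0"
EXTIF="eth0"
VPNNET="172.16.0.0/24"
EXTIP="${EXTIP:-203.0.113.199}"   # placeholder (TEST-NET-3 documentation range)

# run CMD...: execute CMD, or only print it when DRY_RUN is set, so the rules can be reviewed first.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

vpn_nat_rules() {
    # POSTROUTING sees packets on their way out, so there is no input interface to match
    # ("Can't use -i with POSTROUTING"); select the VPN clients by source network instead.
    run iptables -t nat -A POSTROUTING -s "$VPNNET" -o "$EXTIF" -j SNAT --to-source "$EXTIP"
    # The thread's FORWARD policy is DROP: allow only new connections from the tunnel to the
    # outside plus their replies, so nothing else is routed between the two interfaces.
    run iptables -A FORWARD -i "$VPNIF" -o "$EXTIF" -s "$VPNNET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$VPNIF" -d "$VPNNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Routing between interfaces is off by default; the rules above match nothing without it.
    run sysctl -w net.ipv4.ip_forward=1
}

# Usage: DRY_RUN=1 sh this-script.sh apply   (print the commands)
#        sh this-script.sh apply             (as root: load them)
if [ "${1:-}" = apply ]; then vpn_nat_rules; fi
```

OpenVPN itself must also push a default route to the client (push "redirect-gateway def1" in the server config) before browser traffic goes through the tunnel at all; without it the client keeps using its own public address, as post #11 describes.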
 
  

