Here's just an example of what that stuff would look like if it were in the format of your firewall script in the second code block you posted:
First, I defined the empty variables with some stuff, based on my own machine settings:
Code:
bash-3.1# EXTIF=eth0 # the external internet-facing interface
bash-3.1# VPNIF=tun0 # the interface to the VPN
bash-3.1# INTIF=eth1 # my internal interface (??)
bash-3.1# UNIVERSE=0/0 # everywhere
bash-3.1# EXTIP=111.222.333.444 # imaginary internet-facing IP address that people use to find me
bash-3.1# VPNNET="172.16.0.0/24"
bash-3.1# VPNIP="172.16.0.1"
Now, with those variables set, I can echo that script above and see a realistic output:
Code:
bash-3.1# echo "
### OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT # OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT "
Gives output like:
### OpenVPN
-A INPUT -i eth0 -p tcp -s 0/0 -d 111.222.333.444 --destination-port 1723 -j ACCEPT # OpenVPN
-A INPUT -i eth0 -p tcp -s 0/0 -d 111.222.333.444 --destination-port 1723 -j ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
-A OUTPUT -o eth1 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o tun0 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT # OpenVPN
-A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o eth1 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT
-A FORWARD -o tun0 -s 111.222.333.444 -d 172.16.0.1 -j ACCEPT
-A FORWARD -o eth0 -s 111.222.333.444 -d 172.16.0.0/24 -j ACCEPT
-A FORWARD -o tun0 -s MISSING -d 172.16.0.0/24 -j ACCEPT
bash-3.1#
Now, NOTE: I assume "UNIVERSE" means "everywhere", which in iptables-speak is "0/0" so I set $UNIVERSE to "0/0"
NOTE 2: See the last line, where it says "MISSING" -- I suppose the idea there is to put the IP/mask of the network referred to as $INTNET, but to complete my example, I'm not sure what to put there. The documentation you are going by should be able to clarify that for you.
Finally, since it appears that all the above belongs in the *filter table, which is what you are running now anyhow, it's just a matter of inserting these new lines in an orderly fashion, into your existing script posted above (of course, replace any IP addresses with the actual ones you want to use).
Hope this helps you get a start at it
Sasha
Last edited by GrapefruiTgirl; 01-05-2010 at 01:06 PM.
Thanks
I'm not sure what my internal network config is though.
I presume I need a LAN address like 10.x.x.x or 192.168.x.x but all I get from ifconfig is this:
tun0 has appeared from PPP but I can't get that working so am trying openvpn again
When an iptables-restore script such as this fails, iptables gives the line number where the failure occurred.
So, at your root console, if you do:
Code:
cat <this-file> | iptables-restore -c
it will say something like "Error occurred at line ###", telling you where to look for the problem. I suspect the problem(s) have to do with those xx.xxx.xxx.199 entries. I doubt that syntax makes iptables happy, so you need an actual IP address or network/mask there.
I don't see an obvious problem with the script besides that
Sasha
I just covered out the IP address with x's so it wasn't public on this forum
I run service iptables restart when the script is done but fails.
Well, instead of using "service start", do it in the console using iptables-restore, so you can get the feedback from iptables telling you what line the error is on.
Sasha
HEY Wait!! A few of the longer lines appear to end with garbage:
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLI$
-A OUTPUT -s xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHE$
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH -$
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --update --seconds$
Fix those up
Last edited by GrapefruiTgirl; 01-06-2010 at 10:35 AM.
Nah, that's the cut and paste not doing its job in Linux.
LOL, ok well back to my initial suggestion: execute the script using cat <script> | iptables-restore -c and determine what line number(s) is causing the problem.
Sasha
So, I edit the iptables script and then run the above command?
cat /etc/sysconfig/iptables | iptables-restore -c
If it fails, does that break my iptables current structure and throw out users or do they remain connected?
Well, it connected successfully!
However, none of my traffic on the client is being forwarded. I opened up a browser and it still gave me my IP rather than the server's IP.
Ok, VPN connected but not working 100% yet.
I am trying to do a NAT forward in iptables but get the following error:
Quote:
[root@server88-xxx-xxx-198 openvpn]# iptables -t nat -I POSTROUTING -i tun0 -o e
iptables v1.3.5: Can't use -i with POSTROUTING
Any ideas on what to do?
I have an OpenVPN server running and I need the client to use the ports on the OpenVPN server
Quote:
So, I edit the iptables script and then run the above command?
cat /etc/sysconfig/iptables | iptables-restore -c
Yep, just cat the script like that.
Quote:
If it fails, does that break my iptables current structure and throw out users or do they remain connected?
If it fails due to error, I *believe* it will not make any change, however, just in case, have your original working firewall script as a separate file from the one with these mods.
If the one with the mods fails, then just restart your working firewall with the original script to be sure the good copy is in use.
It may cause a 'bump' in service, but I don't think it will disconnect everyone connected (don't quote me here!)
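An added example, not from any post in this thread: a small shell pre-flight for an iptables-restore file that reports line numbers the way iptables-restore does for the three problems discussed above (lines cut off with a trailing "$" by the terminal paste, masked xx.xxx.xxx.198 addresses, and -i in a POSTROUTING rule), plus the POSTROUTING rule written with -o instead of -i. The sample rules file is constructed; the interface and subnet names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an iptables-restore
# file, reporting line numbers the way iptables-restore does, plus the correct
# POSTROUTING rule. Sample input is constructed; interface names are assumptions.

# Flags the three things the thread ran into, with the offending line number:
#  - a line ending in '$' (a terminal wrapped it and the copy/paste was cut)
#  - a masked address like xx.xxx.xxx.198 (iptables needs a real IP or net/mask)
#  - -i in a POSTROUTING rule (only -o and -s/-d can be matched there)
# Returns 1 if anything was found, so it can gate the real load.
check_rules_file() {
    awk 'BEGIN { rc = 0 }
        function bad(msg) { printf "Error at line %d: %s\n", NR, msg; rc = 1 }
        /\$$/ { bad("line is truncated (ends in $)") }
        /[0-9x]*x[0-9x]*\.[0-9x]+\.[0-9x]+\.[0-9x]+/ { bad("masked address, use a real IP or net/mask") }
        /POSTROUTING/ && /(^| )(-i|--in-interface) / { bad("-i is not valid in POSTROUTING, use -o") }
        END { exit rc }' "$1"
}

# The NAT rule the thread was reaching for, in restore-file syntax: packets from
# the VPN subnet leaving via the internet-facing interface are masqueraded.
nat_masquerade_rule() {   # $1 = VPN subnet, $2 = external interface
    printf '%s POSTROUTING -s %s -o %s -j MASQUERADE\n' -A "$1" "$2"
}

# Only load after the checks pass. iptables-restore --test (where the installed
# version has it) parses without committing; a real run that hits a bad line stops
# before that table's COMMIT, so its live rules stay as they were. Needs root.
load_rules() {
    check_rules_file "$1" && iptables-restore --test "$1" && iptables-restore "$1"
}

# Constructed sample with the three mistakes on lines 4, 5 and 8.
demo_file=$(mktemp)
cat >"$demo_file" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d xx.xxx.xxx.198 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1057 -m state --state NEW -m recent --set --name SSH -$
COMMIT
*nat
-A POSTROUTING -i tun0 -o eth0 -j MASQUERADE
COMMIT
EOF
check_rules_file "$demo_file" || echo "fix those lines, then: load_rules $demo_file"
nat_masquerade_rule 172.16.0.0/24 eth0
rm -f "$demo_file"
```

Keep the known-good file (for example a copy of /etc/sysconfig/iptables) separate from the edited one, so that if load_rules refuses the new file the old one can be reloaded unchanged.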