IPTables is blocking my OpenVPN internet access! (https://www.linuxquestions.org/questions/linux-security-4/iptables-is-blocking-my-openvpn-internet-access-521722/)

eponymous 01-22-2007 10:33 AM

IPTables is blocking my OpenVPN internet access!
 
Hi, I thought I'd re-post this as a new thread/problem.

I've set up OpenVPN to redirect my client traffic through the OpenVPN server. I've also added the following rules into my IPTables Script to enable NAT:

Code:

#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"

ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# ADDED THESE RULES BELOW HERE FOR NAT:

# Allow TUN interface connections to OpenVPN server
$IPT -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
$IPT -A FORWARD -i tun+ -j ACCEPT

# Allow TAP interface connections to OpenVPN server
$IPT -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
$IPT -A FORWARD -i tap+ -j ACCEPT

# Set up masquerading so VPN client traffic leaves eth0 with the server's address
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

However, I'm getting the following errors when trying to ping www.google.com from the client machine, which is connected to the OpenVPN server.

Code:

Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224
Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224
Jan 20 23:43:57 TuxServer OUTPUT DROP: IN= OUT=eth0 SRC=10.8.0.1 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 20 23:43:57 TuxServer OUTPUT DROP: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58

Does anyone know what the problem is?

Thanks!

billymayday 01-23-2007 03:08 AM

I thought ping used ICMP ports 0 and 8. 137 and 138 are NetBIOS ports.

eponymous 01-23-2007 01:40 PM

Hi, yes, you are right. *kicks self*

I managed to solve the problem.

Turns out I had not put in the following line:

Code:

$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

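The fix above comes down to rule order in the FORWARD chain: with a DROP policy, replies from the internet to a VPN client are only let through if conntrack matches them as RELATED,ESTABLISHED. The script below is an added example, not code from the thread: it emits the minimal FORWARD/NAT rules for an OpenVPN gateway (assuming eth0 is the outbound interface and 10.8.0.0/24 is the VPN subnet, as in the poster's logs) and includes an audit function that reads `iptables-save` output and flags a DROP-policy FORWARD chain that lacks the return-path rule. Set `IPT=echo` to dry-run the rules without touching the firewall.

```shell
#!/bin/sh
# Added example for an OpenVPN NAT gateway (not the poster's script).
# Assumptions: WAN side is eth0, VPN clients arrive on tun+ from 10.8.0.0/24.
IPT="${IPT:-iptables}"          # set IPT=echo for a dry run
WAN_IFACE="${WAN_IFACE:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Emit the FORWARD and NAT rules in evaluation order. The first FORWARD rule
# is the one missing from the original post: without it, a DROP policy
# discards every reply packet heading back to a VPN client.
vpn_forward_rules() {
    "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i tun+ -o "$WAN_IFACE" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IFACE" -j MASQUERADE
}

# Audit an iptables-save dump read from stdin. Returns 0 when FORWARD has an
# ACCEPT policy or an explicit RELATED,ESTABLISHED accept rule (either the
# old -m state or the newer -m conntrack --ctstate spelling), 1 otherwise.
check_forward_return_rule() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q '^:FORWARD ACCEPT' && return 0
    printf '%s\n' "$dump" | grep -Eq \
        '^-A FORWARD .*--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' \
        && return 0
    return 1
}

# Constructed iptables-save excerpts: the broken state from the thread, and
# the same chain after the missing rule is added.
BROKEN_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i tun+ -j ACCEPT
COMMIT'
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT'
```

On a live box, `iptables-save | check_forward_return_rule` gives the same verdict against the real ruleset.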
