LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-22-2007, 11:33 AM   #1
eponymous
Member
 
Registered: Oct 2004
Distribution: Gentoo
Posts: 78

Rep: Reputation: 15
IPTables is blocking my OpenVPN internet access!


Hi,I thought I'd re-post this as a new thread/problem.

I've set up OpenVPN to redirect my client traffic through the OpenVPN server. I've also added the following rules into my IPTables Script to enable NAT:

Code:
#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"

ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# ADDED THESE RULES BELOW HERE FOR NAT:

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT

# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT

#Set up Masquerading
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
However, I'm getting the following errors when trying to ping www.google.com from the client machine which is connected to the OpenVPN server.

Code:
Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224 
Jan 20 23:43:52 TuxServer OUTPUT DROP: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.255 LEN=244 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=224 
Jan 20 23:43:57 TuxServer OUTPUT DROP: IN= OUT=eth0 SRC=10.8.0.1 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58 
Jan 20 23:43:57 TuxServer OUTPUT DROP: IN= OUT=tun0 SRC=10.8.0.1 DST=10.8.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Does anyone know what the problem is?

Thanks!
 
Old 01-23-2007, 04:08 AM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
I thought ping used ICMP ports 0 and 8. 137 and 138 are netbios ports
 
Old 01-23-2007, 02:40 PM   #3
eponymous
Member
 
Registered: Oct 2004
Distribution: Gentoo
Posts: 78

Original Poster
Rep: Reputation: 15
Hi, Yes you are right. *kicks self*

I managed to solve the problem.

Turns out I had not put in the following line:


iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
blocking specific websites, but allowing internet access poiuytrewq Linux - General 6 09-01-2006 12:45 AM
allow internet access from LAN using IPTABLES cccc Linux - Networking 2 03-24-2006 05:47 PM
IPTables Scripts Won't allow Firewall Internet Access rootking Linux - Networking 3 09-12-2004 03:50 PM
iptables blocking internal access? complus Linux - Networking 17 03-09-2004 12:14 AM
linux squid and iptables for secure lan for internet access. pune_abhishek Linux - Networking 4 11-30-2003 08:20 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration