LinuxQuestions.org

Linux - Server: iptables drop packets as invalid between 2 end-network connected through VPN (https://www.linuxquestions.org/questions/linux-server-73/iptables-drop-packets-as-invalid-between-2-end-network-connected-through-vpn-793413/)

nass 03-05-2010 09:28 AM

iptables drop packets as invalid between 2 end-network connected through VPN
 
hello everyone,
I am setting up a Linux box as a router / firewall. Currently, I'm setting up the firewall on that machine.

the situation is :

there are 2 networks, the home network and the work network.

I am connecting the 2 with a VPN connection. The OpenVPN server is a PC in the home network.

The router / firewall Linux box is another PC in the home network, which I 'inserted' between the ISP modem and the internal switch of my home network.

I have managed to connect the VPN server in the home net to the VPN client at the work net, and so I can ping directly from the home net (192.168.0.0/24) to the work net (192.168.1.0/24) without using the VPN IP space at all (192.168.150.0/24), which is great.

I did however try to open a remote desktop connection from a home Windows PC to a work Windows PC and it didn't work. Checking the output with dmesg on the firewall Linux box, it says
Quote:

Invalid packet: IN=eth0 OUT=eth0 SRC=192.168.0.3 DST=192.168.1.107 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=35708 PROTO=TCP SPT=2016 DPT=3389 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Any ideas why the packet is considered invalid?
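The log line above, pulled apart by a small POSIX sh helper. This is an added example and not part of the thread: it extracts the netfilter LOG fields, checks the bare TCP flag words, and labels an ACK-only packet that enters and leaves on the same interface (IN=eth0 OUT=eth0) as a likely "hairpin", a pattern consistent with conntrack having seen only one direction of the TCP handshake. That reading of the setup is an assumption, not something the post confirms. The second sample line is constructed to show the other branch.

```sh
#!/bin/sh
# Added example (not from the thread): parse a netfilter LOG line and give a
# one-word reason why conntrack may have flagged it INVALID.

# First sample: the line quoted in the post. Second sample: constructed,
# an unsolicited ACK arriving on an assumed internet-facing interface eth1.
SAMPLE_LOG='Invalid packet: IN=eth0 OUT=eth0 SRC=192.168.0.3 DST=192.168.1.107 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=35708 PROTO=TCP SPT=2016 DPT=3389 WINDOW=65535 RES=0x00 ACK PSH URGP=0'
STRAY_LOG='Invalid packet: IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 ACK URGP=0'

# nflog_field LINE KEY -> value of the first KEY=value token (empty if absent)
nflog_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nflog_has_flag LINE FLAG -> exit 0 if the bare flag word (SYN, ACK, ...) is present
nflog_has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# classify_invalid LINE -> one of:
#   hairpin-ack : TCP, no SYN, forwarded back out the ingress interface.
#                 conntrack saw this direction only, so the ACK has no
#                 tracked connection to belong to (assumed asymmetric path).
#   no-syn      : TCP without SYN crossing two interfaces; no tracked
#                 connection, e.g. a stray or scanning packet.
#   syn         : a SYN that conntrack still rejected.
#   other       : non-TCP.
classify_invalid() {
    line=$1
    in_if=$(nflog_field "$line" IN)
    out_if=$(nflog_field "$line" OUT)
    proto=$(nflog_field "$line" PROTO)
    if [ "$proto" != "TCP" ]; then
        echo other
        return 0
    fi
    if nflog_has_flag "$line" SYN; then
        echo syn
        return 0
    fi
    if [ -n "$in_if" ] && [ "$in_if" = "$out_if" ]; then
        echo hairpin-ack
        return 0
    fi
    echo no-syn
}

# describe_invalid LINE -> "SRC:SPT -> DST:DPT reason"
describe_invalid() {
    line=$1
    printf '%s:%s -> %s:%s %s\n' \
        "$(nflog_field "$line" SRC)" "$(nflog_field "$line" SPT)" \
        "$(nflog_field "$line" DST)" "$(nflog_field "$line" DPT)" \
        "$(classify_invalid "$line")"
}

describe_invalid "$SAMPLE_LOG"
describe_invalid "$STRAY_LOG"
```

Run it against `dmesg | grep 'Invalid packet:'` to get one summary line per dropped packet; a steady stream of `hairpin-ack` between the two LAN subnets points at routing rather than at the firewall rules themselves.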

nass 03-05-2010 09:56 AM

EDIT: my FORWARD chain looks like

Quote:

echo "Process FORWARD chain ..."


$IPT -A FORWARD -p ALL -j bad_packets #this is where the problem occurs
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#traffic from (192.168.150.0/24) and from (192.168.1.0/24)
$IPT -A FORWARD -p tcp -s $VPN_NET -j ACCEPT
$IPT -A FORWARD -p tcp -s $WORK_NET -j ACCEPT

#to listening port of vpn server
$IPT -A FORWARD -p tcp --destination-port 1194 -j ACCEPT
$IPT -A FORWARD -p udp --destination-port 1194 -j ACCEPT
and bad_packets chain contains the following relevant part

Quote:

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
So I guess I could place the accept rule for the work_net traffic above the -j bad_packets redirection... but I'm not sure this is good practice....

Also, is there some big security hole in the forward chain that I could do without??

thank you for your help
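A dry-run version of the FORWARD chain, added here as an example and not part of the thread or of the poster's script. It records the rules instead of applying them (the `IPT` function stands in for `iptables`), keeps the INVALID log-and-drop chain in place, accepts the home/work traffic explicitly on the LAN interface before that check (the ordering the post is asking about, narrowed to the two subnets), and adds anti-spoofing drops on the internet side, since the original `-s $WORK_NET -j ACCEPT` and `-s $VPN_NET -j ACCEPT` rules match on any interface. `INET_IFACE=eth1`, `VPN_SERVER`, the `bad_packets` chain already existing, and a DNAT rule for port 1194 are assumptions; the subnets and `eth0` come from the thread.

```sh
#!/bin/sh
# Added example (not the poster's script): build a FORWARD chain as a list of
# iptables commands without running them, so the ordering can be inspected.
LOCAL_IFACE=eth0            # from the log line (IN=eth0 OUT=eth0)
INET_IFACE=eth1             # assumed internet-facing interface
HOME_NET=192.168.0.0/24
WORK_NET=192.168.1.0/24
VPN_NET=192.168.150.0/24
VPN_SERVER=192.168.0.2      # assumed LAN address of the OpenVPN server

RULES=""                    # newline-separated record of what would be run

# IPT: stand-in for iptables that records the rule instead of applying it.
IPT() {
    RULES="${RULES}iptables $*
"
}

build_forward_chain() {
    RULES=""
    # 1. Anti-spoofing: private sources must never arrive from the internet
    #    side. The original chain accepted -s $WORK_NET / -s $VPN_NET on any
    #    interface, so a forged source address would have been let through.
    for net in $HOME_NET $WORK_NET $VPN_NET; do
        IPT -A FORWARD -i "$INET_IFACE" -s "$net" -j DROP
    done
    # 2. Site-to-site traffic enters and leaves on the LAN interface, so
    #    conntrack may see only one direction and mark packets INVALID.
    #    Accept it before the INVALID check, limited to the two trusted
    #    subnets and the LAN interface only.
    IPT -A FORWARD -i "$LOCAL_IFACE" -s "$HOME_NET" -d "$WORK_NET" -j ACCEPT
    IPT -A FORWARD -i "$LOCAL_IFACE" -s "$WORK_NET" -d "$HOME_NET" -j ACCEPT
    # 3. Everything else still passes through the INVALID log+drop chain
    #    (assumed to exist, as in the post).
    IPT -A FORWARD -j bad_packets
    # 4. LAN-originated traffic out, tracked replies back in.
    IPT -A FORWARD -i "$LOCAL_IFACE" -j ACCEPT
    IPT -A FORWARD -i "$INET_IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 5. Inbound OpenVPN only to the server's address (assumes a matching
    #    DNAT rule in nat/PREROUTING), instead of any host on port 1194.
    IPT -A FORWARD -i "$INET_IFACE" -p udp -d "$VPN_SERVER" --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
    IPT -A FORWARD -i "$INET_IFACE" -p tcp -d "$VPN_SERVER" --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
    # 6. Explicit default deny for anything not matched above.
    IPT -A FORWARD -j DROP
}

# rule_index PATTERN -> 1-based position of the first recorded rule matching PATTERN
rule_index() {
    printf '%s' "$RULES" | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# rule_count -> number of recorded rules
rule_count() {
    printf '%s' "$RULES" | grep -c .
}

build_forward_chain
printf '%s' "$RULES"
```

The trade-off in step 2 is that the home/work packets skip the INVALID check entirely; that is acceptable between two trusted subnets, but the cleaner fix is to make the path symmetric (for example, a route for 192.168.1.0/24 via the VPN server on the LAN hosts, or moving the OpenVPN endpoint onto the firewall box) so that conntrack sees both directions and no bypass is needed.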

