[TriLUG] OpenVPN and IP routing
Jim Tuttle
jjtuttle at trilug.org
Tue Oct 28 15:51:58 EDT 2008
So, I've been building my iptables back up from barebones trying to get
OpenVPN and masquerading to work. At the top of my script I have a
bunch of syctl options set, then some variables set to IP addresses.
Next I dropped in my OpenVPN rules. That worked fine. However, the
firewall was still completely open. When I add in default actions to
drop all traffic, the VPN client can't access the network anymore.
Here is the relevant portion of the iptables script:
###############################################################################
# OpenVPN
$IPTABLES -A INPUT -i $VPN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $VPN_IFACE -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $VPN -o $INET_IFACE -j MASQUERADE
###############################################################################
# Defaults
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
If I don't add in defaults, it works. Later on, I define some user
chains, drop fragmented packets, accept a few hosts on a few ports, etc.
I have udp_input and tcp_input chains defined later for that.
I wrote this all a long time ago and wasn't that skilled even then. Can
someone give me some advice regarding how to open up the VPN port,
masquerade VPN packets, and selectively block other stuff?
I'd be glad to email all of my rules, if that isn't a security no-no.
It's sort of lengthy, of course.
Thanks,
Jim
--
--
---Jim Tuttle
------------------------------------------------------
http://www.braggtown.com
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x69B69B08
More information about the TriLUG
mailing list