[TriLUG] having trouble writing firewall rules for openvpn
Joseph Mack NA3T
jmack at wm7d.net
Mon May 7 22:50:04 EDT 2012
I can't seem to write an iptables INPUT rule on an openvpn
server that accepts the ssh connection from the client. The
connection is made if the server has no input rules. Here's
the setup
client: tun0 10.88.0.6 -> eth0 50.55.x.x -
server: eth2 50.55.y.y -> tun0 10.8.0.1
server network 192.168.2.0/24 is visible to the client.
I'm not quite sure how the packets go. Traceroute from the
client gets to the server 192.168.2.0/24 in one hop. I
assume the tcp IPIP packet (10.8.0.6->10.8.0.1:T22) is
encapsulated in a regular IP packet
(50.55.x.x->50.55.y.y:U1194). I assume a ssh connect request
from the client arrives as an IPIP packet at the
server:U1194. So I did this
#default INPUT policy
iptables -P INPUT DROP #I have to comment this out to get an openvpn connection
#I assume the packet arrives on server:eth2:U1194, here I'm just logging
iptables -A INPUT -p udp -j LOG --log-prefix "UDP"
iptables -A INPUT -p tcp -j LOG --log-prefix "TCP"
iptables -A INPUT -i eth2 -j LOG --log-prefix "eth2"
iptables -A INPUT -i tun0 -j LOG --log-prefix "tun0"
next I try to accept the packet
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
I don't see any entries in /var/log/messages. The only way I
get a connection is if the default INPUT policy DROP rule is
commented out. I assume the rule accepting udp packets to
port 1194 is not being triggered. An INPUT rule ACCEPTing
port 22 doesn't accept connections either.
I'm no iptables expert. Can anyone see what I'm doing that's
wrong? To get an ssh connection client->server I have to
remove the default DROP policy.
Thanks Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
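Added example (not part of the original post, and not OpenVPN's or iptables' own code): a small model of how the INPUT chain evaluates the packets described above. An SSH session that comes in through a tun-mode OpenVPN tunnel reaches INPUT twice: once as the encrypted UDP/1194 datagram on the physical interface, and again after decapsulation as a plain TCP/22 packet arriving on tun0, so a rule that only accepts UDP/1194 leaves the second pass to the DROP policy. The model treats LOG as non-terminating and ACCEPT/DROP as terminating, as iptables does, but ignores connection tracking, the OUTPUT chain and all other match options; the interface and port values are taken from the post, the packets are constructed, and the iptables commands in comments are the real rules each model ruleset stands for.

```python
"""Model of iptables INPUT chain evaluation for an OpenVPN server.

Added example, not from the original post. Rules are tried top to bottom:
LOG records a line and evaluation continues, ACCEPT and DROP end it, and
the chain policy decides when no terminating rule matches. Connection
tracking is deliberately not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the kernel received the packet on (-i)
    proto: str      # "udp" or "tcp" (-p)
    dport: int      # destination port (--dport)


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT", "DROP" or "LOG"
    in_iface: Optional[str] = None   # None means "any interface"
    proto: Optional[str] = None      # None means "any protocol"
    dport: Optional[int] = None      # None means "any port"
    log_prefix: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Chain:
    policy: str                                  # verdict if nothing matches
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Return (verdict, log lines) for one packet traversing the chain."""
        logs: List[str] = []
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":   # non-terminating: keep going
                logs.append(f"{rule.log_prefix} IN={pkt.in_iface} "
                            f"PROTO={pkt.proto.upper()} DPT={pkt.dport}")
                continue
            return rule.target, logs   # ACCEPT / DROP end evaluation
        return self.policy, logs


# Constructed packets for one SSH connection arriving through the tunnel.
# Pass 1: the OpenVPN datagram on the public interface from the post (eth2).
# Pass 2: the inner packet OpenVPN hands back to the kernel on tun0.
ENCAPSULATED = Packet(in_iface="eth2", proto="udp", dport=1194)
DECAPSULATED = Packet(in_iface="tun0", proto="tcp", dport=22)


def ruleset_from_post() -> Chain:
    """The rules quoted in the post: LOG everything, accept only UDP/1194."""
    # iptables -P INPUT DROP
    # iptables -A INPUT -p udp -j LOG --log-prefix "UDP"
    # iptables -A INPUT -p tcp -j LOG --log-prefix "TCP"
    # iptables -A INPUT -i eth2 -j LOG --log-prefix "eth2"
    # iptables -A INPUT -i tun0 -j LOG --log-prefix "tun0"
    # iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    return Chain("DROP", [
        Rule("LOG", proto="udp", log_prefix="UDP"),
        Rule("LOG", proto="tcp", log_prefix="TCP"),
        Rule("LOG", in_iface="eth2", log_prefix="eth2"),
        Rule("LOG", in_iface="tun0", log_prefix="tun0"),
        Rule("ACCEPT", proto="udp", dport=1194),
    ])


def ruleset_fixed() -> Chain:
    """Least-privilege variant: accept the tunnel itself, and SSH only via tun0."""
    # iptables -P INPUT DROP
    # iptables -A INPUT -i eth2 -p udp --dport 1194 -j ACCEPT   # OpenVPN
    # iptables -A INPUT -i tun0 -p tcp --dport 22 -j ACCEPT     # SSH in tunnel
    # (a real ruleset also wants -m conntrack --ctstate ESTABLISHED,RELATED)
    return Chain("DROP", [
        Rule("ACCEPT", in_iface="eth2", proto="udp", dport=1194),
        Rule("ACCEPT", in_iface="tun0", proto="tcp", dport=22),
    ])


def ssh_over_vpn_verdicts(chain: Chain) -> Tuple[str, str]:
    """Verdicts for (outer OpenVPN datagram, inner SSH packet on tun0)."""
    outer, _ = chain.evaluate(ENCAPSULATED)
    inner, _ = chain.evaluate(DECAPSULATED)
    return outer, inner


if __name__ == "__main__":
    for name, chain in (("post", ruleset_from_post()), ("fixed", ruleset_fixed())):
        for pkt in (ENCAPSULATED, DECAPSULATED):
            verdict, logs = chain.evaluate(pkt)
            print(f"[{name}] {pkt.in_iface} {pkt.proto}/{pkt.dport}: {verdict}")
            for line in logs:
                print("    LOG:", line)
```

Running the block prints, for the post's ruleset, ACCEPT for the UDP/1194 datagram and DROP for the TCP/22 packet on tun0, and ACCEPT for both with the second ruleset. In a real deployment the LOG lines go to the kernel log, so check `dmesg` or wherever the syslog configuration routes kern.* messages, not only /var/log/messages.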