[TriLUG] having trouble writing firewall rules for openvpn
Bill Farrow
bill at arrowsreach.com
Tue May 8 09:05:39 EDT 2012
On Mon, May 7, 2012 at 10:50 PM, Joseph Mack NA3T <jmack at wm7d.net> wrote:
> #default INPUT policy
> iptables -P INPUT DROP #I have to comment this out to get an openvpn
>
> iptables -A INPUT -p udp -j LOG --log-prefix "UDP"
> iptables -A INPUT -p tcp -j LOG --log-prefix "TCP"
> iptables -A INPUT -i eth2 -j LOG --log-prefix "eth2"
> iptables -A INPUT -i tun0 -j LOG --log-prefix "tun0"
> iptables -A INPUT -p udp --dport 1194 -j ACCEPT
>
> I don't see any entries in /var/log/messages. The only way I get a
> connection is if the default INPUT policy DROP rule is commented out. I
> assume the rule accepting udp packets to port 1194 is not being triggered.
> An INPUT rule ACCEPTing port 22 doesn't accept connections either.
>
> I'm no iptables expert. Can anyone see what I'm doing that's wrong? To get
> an ssh connection client->server I have to remove the default DROP policy.
Joe,
So it looks like you are not matching the required packets, which is
really strange, since your LOG rules for tcp and udp should be getting
run.
Double check the order of the rules in your INPUT chain:
iptables -L INPUT
If they are out of order, try inserting rules:
iptables -I INPUT 1 -p udp -j LOG --log-prefix "UDP"
iptables -I INPUT 2 -p tcp -j LOG --log-prefix "TCP"
If you are running OpenWRT or some other reduced distro, make sure you
have the iptables logging module installed and running:
lsmod | grep ipt_LOG
Install it on OpenWRT if required:
ipkg install iptables-mod-extra
Bill
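Added example, not part of the thread: a minimal stateful INPUT rule set for an OpenVPN server that keeps the default DROP policy. The quoted rules above accept only new packets to UDP 1194 and never match return traffic with conntrack, so with a DROP policy any connection the host itself opens (DNS, package updates) gets its replies dropped. The script below sets the policy to ACCEPT before flushing (so a remote SSH session survives a re-run), adds the rules in the order they are meant to be evaluated, and switches to DROP last. The interface names eth2 and tun0 are taken from the quoted post; the DRY_RUN mode, the rule_position/final_policy helpers and the exact ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): stateful INPUT chain for an OpenVPN
# host with a default DROP policy. eth2/tun0 come from the quoted post; the
# helpers and DRY_RUN switch are assumptions for this example.
WAN_IF="${WAN_IF:-eth2}"      # assumed public interface
VPN_IF="${VPN_IF:-tun0}"      # assumed OpenVPN tunnel interface
VPN_PORT="${VPN_PORT:-1194}"  # OpenVPN UDP port
SSH_PORT="${SSH_PORT:-22}"

# Wrapper: print the command when DRY_RUN=1, otherwise run it (needs root).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_input_rules() {
    # Open the policy BEFORE flushing: with policy DROP and an empty chain,
    # the SSH session running this script would hang at the next step.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 1. Loopback: local services (resolver, management socket) need it.
    ipt -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this host opened match conntrack state, not
    #    a port rule; without this, a DROP policy breaks outbound DNS/apt.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. New inbound services on the public interface: OpenVPN and SSH.
    ipt -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 4. Decrypted traffic arriving from the tunnel.
    ipt -A INPUT -i "$VPN_IF" -j ACCEPT
    # 5. Log (rate-limited) what is about to fall through to the policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG \
        --log-prefix "INPUT-DROP: " --log-level 4
    # 6. Only now make DROP the default.
    ipt -P INPUT DROP
}

# Print the rule set instead of applying it (runs in a subshell so DRY_RUN
# does not leak into the caller's environment).
print_input_rules() {
    ( DRY_RUN=1; apply_input_rules )
}

# 1-based position of the first -A INPUT rule matching a pattern in the
# dry-run output, or 0 if no rule matches. Lets the ordering be checked
# without root or a live netfilter.
rule_position() {
    pos=$(print_input_rules | grep -- '-A INPUT' | grep -n -- "$1" \
          | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# The last command emitted; must be the policy switch to DROP.
final_policy() {
    print_input_rules | tail -n 1
}

# Apply for real only when asked explicitly; otherwise show the plan.
case "${1:-}" in
    apply) apply_input_rules ;;
    *)     print_input_rules ;;
esac
```

After applying, `iptables -L INPUT -n -v --line-numbers` shows per-rule packet and byte counters, which answers the question in the thread directly: a rule that never matches stays at zero, and a chain whose counters never move means the packets are not reaching INPUT on this host at all (arriving on another interface, being FORWARDed, or never arriving).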