[TriLUG] SOLVED Re: having trouble writing firewall rules for openvpn
Joseph Mack NA3T
jmack at wm7d.net
Tue May 8 20:08:15 EDT 2012
On Tue, 8 May 2012, Joseph Mack NA3T wrote:
> Nothing to this stuff really. It's all rational after the fact.
quite pleased with myself. I have nfs, ssh and ntp working
over the openvpn.
Writing iptables rules has been a bit of a mystery to me.
You have to read lots of webpages and take note of weird
incantations to solve corner cases you're never likely to
encounter and you wonder where people came up with them all.
I found out.
You start with a LOG command as the first in a table (eg
INPUT). You do what you want with the connection and you
look in the logs, finding (among other things) your
connection. You write a rule to ACCEPT the packets you want
and put it in front of the LOG command. As you write rules,
more and more packets are accepted and fewer appear in the
logs. When you've ACCEPTed all the packets you need, you
change the LOG entry (now at the bottom of your file) to
--log-level debug
thus sending a notice of the non-ACCEPTED packets to
/var/log/debug and you let the default policy DROP handle
them.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
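An added example (not from Joe's post) showing the LOG-first workflow above as an INPUT-chain script: a discovery ruleset with only a LOG rule, and the finished ruleset with the ACCEPT rules in front of a LOG rule demoted to --log-level debug. The tunnel interface (tun0), VPN subnet (10.8.0.0/24) and port numbers are assumptions; DRY_RUN=1 (the default) prints the iptables commands instead of loading them.

```shell
#!/bin/bash
# Added example: iptables INPUT chain built the way the post describes.
# Assumptions: OpenVPN on tun0 with VPN subnet 10.8.0.0/24, NFS server pinned
# to 2049 plus portmapper 111, OpenVPN control channel on UDP/1194.
set -eu

# DRY_RUN=1 prints the rules instead of loading them (no root needed).
DRY_RUN=${DRY_RUN:-1}
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Step 1: default policy DROP and a bare LOG rule as the only rule, so every
# packet that is about to be dropped shows up in the logs while you work.
discover_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -A INPUT -j LOG --log-prefix "INPUT-unmatched: "
}

# Step 2/3: ACCEPT rules go in front of the LOG rule; the LOG rule stays last
# and is demoted to --log-level debug once everything needed is accepted.
final_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p udp --dport 1194 -j ACCEPT            # OpenVPN itself (assumed)
    ipt -A INPUT -i tun0 -s 10.8.0.0/24 -p tcp --dport 22 -j ACCEPT   # ssh
    ipt -A INPUT -i tun0 -s 10.8.0.0/24 -p udp --dport 123 -j ACCEPT  # ntp
    ipt -A INPUT -i tun0 -s 10.8.0.0/24 -p tcp -m multiport --dports 111,2049 -j ACCEPT # nfs
    ipt -A INPUT -i tun0 -s 10.8.0.0/24 -p udp -m multiport --dports 111,2049 -j ACCEPT # nfs
    # LOG is non-terminating: only packets that reach it here (i.e. ones the
    # DROP policy will eat) get logged. Where debug-level messages land
    # depends on the syslog configuration.
    ipt -A INPUT -j LOG --log-level debug --log-prefix "INPUT-dropped: "
}

# Check: the LOG rule must be the last appended rule, otherwise accepted
# packets would be logged too and the "what is still unmatched" view is lost.
log_is_last() {
    (DRY_RUN=1; final_rules) | grep -- '-A INPUT' | tail -n 1 | grep -q -- '-j LOG'
}

final_rules   # prints the rules; run with DRY_RUN=0 as root to load them
```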