Hi, i think i got some probs with my iptables firewall, my setup is i got a pc (debian installed) with 2 ethernetcard, eth0 connected to my lan(192.168.1.0/24) eth1 for internet connection (ppp0) I have an openvpn server on that pc in bridged mode, the vpn clients can connect but can't ping the server or any other pc on my lan and the server or my lan pcs can't ping the clients. The bridge is setup correctly and the setup of the openvpn server looks right and the clients got an ip from my lan and a route to it so routing looks fine, problem must be the iptables firewall. The requierements for the firewall are : my Lan can do anything except receiving or posting windows shares, netbios etc over the internet or vpn the vpn clients can do anything except receiving or posting windows shares, netbios etc over the vpn and they can not access the internet over the vpn. Please if someone could have a look at my script? Heres the interesting part of my firewall script:
The iptables command. Shorter and sureipt="/sbin/iptables" The network interfaceifLan=eth0 ifWan=ppp0 ifVpnB=br0 ifVpn=tap+ VPN_PORT=1195 FIREWALL STOP... FIREWALL START/RELOAD/RESTARTecho "Building firewall..." Modulesmodprobe ip_tables modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_MASQUERADE modprobe ipt_state modprobe ipt_LOG modprobe iptable_nat modprobe iptable_filter Flush current rules.$ipt -F INPUT $ipt -F OUTPUT $ipt -F FORWARD $ipt -t nat -F PREROUTING $ipt -t nat -F POSTROUTING $ipt -t nat -F OUTPUT $ipt -F $ipt -X Set default policies$ipt --policy INPUT DROP $ipt --policy OUTPUT ACCEPT $ipt --policy FORWARD DROP $ipt -t nat --policy PREROUTING ACCEPT $ipt -t nat --policy POSTROUTING ACCEPT SYN flood protectionecho "1" > /proc/sys/net/ipv4/tcp_syncookies Forwardingecho "1" > /proc/sys/net/ipv4/ip_forward LOOPBACKecho "Setting LOOPBACK rules" $ipt -A INPUT -i lo -j ACCEPT $ipt -A OUTPUT -o lo -j ACCEPT WANecho "Setting WAN rules" $ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -i $ifWan -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -o $ifWan -j ACCEPT $ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP $ipt -A FORWARD -i $ifWan -o $ifLan -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A FORWARD -i $ifWan -o $ifVpnB -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A FORWARD -i $ifWan -o $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT VPNecho "Setting VPN rules" $ipt -A INPUT -i $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A OUTPUT -o $ifVpn -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifLan -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT BRIDGEecho "Setting BRIDGE rules" $ipt -A INPUT -i $ifVpnB -j ACCEPT $ipt -A OUTPUT -o $ifVpnB -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifLan -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT LANecho "Setting LAN rules" $ipt -A INPUT -i $ifLan -j ACCEPT $ipt -A OUTPUT -o $ifLan -j ACCEPT $ipt -A FORWARD -i $ifLan -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifLan -o $ifVpnB -j ACCEPT $ipt -A FORWARD -i $ifLan -o $ifVpn -j ACCEPT Portforwarding... Masquerading$ipt -t nat -A POSTROUTING -j MASQUERADE echo "Done!" thx Grobi asked 09 Jul '10, 17:10 Grobi |
I can honestly see your issue being anywhere in layers 2-7 of the OSI model. Layer 1 seems fine. I think before you can assume that it's iptables that is the cause of the issue, you need to take it step by step through each layer. Layer 1 - Physical, you have ruled out because of what you've said. Layer 2 - Data Link Layer (which has 2 sub-layers, Logical Link Control and MAC) could be the issue, but I doubt it in this case, unless you are using MAC filtering or something of that nature. Bridges do work at this layer though, as do layer 2 switches. Layer 3 - Network - lots to chew on here. Switches and routers operate here. Do you have a managed switch involved? Layer 4 - Transport - maybe. It could be a protocol issue, but you need to work through the lower layers first. Layer 5 - Session - since you are using VPN, that creates a session (just like applications create sessions too. Could it be something like the session isn't being fully established? Again.. more information is needed.) Layer 6 - Presentation. Layer 7 - Application. As for what you wrote.... So eth0 is LAN-side and ppp0 is WAN side, but the vpn clients can connect but can't ping the server or any other pc on my lan and the server or my lan pcs can't ping the clients." Are you connecting your VPN clients from outside your LAN or testing this from within it? Is the server in a DMZ? Is the server in a DMZ that is completely isolated from the LAN or not? Did you subnet something somewhere? Again... more information is needed. We need to rule some things out, gather more data to properly assess the situation. "The bridge is setup correctly and the setup of the openvpn server looks right and the clients got an ip from my lan and a route to it so routing looks fine" These are assumptions. From what you've described thus far, I doubt that things are setup correctly in these areas or on this network or it would all work. Do not rule anything out based on assumptions. When you said the client PCs on the LAN get an IP, I am reading that as you are using DHCP vs. static IPs on your LAN, correct? "problem must be the iptables firewall." Do not assume that. Work through the OSI layers first and be methodical, not jumping around from here to there guessing what it may or may not be. Rule things out after researching and testing first. then move onto the next layer. "The requirements for the firewall are : my Lan can do anything except receiving or posting windows shares, netbios etc over the internet or vpn the vpn clients can do anything except receiving or posting windows shares, netbios etc over the vpn and they can not access the internet over the vpn." So you have blocked port 445 and opened port 1723, correct? How are you enforcing these rules of what people can and cannot do? Solely via iptables or do you have other methods of control involved? Other permissions set elsewhere may be part of, or the cause of your issue. More information is required. Starting at Layer 2, please research, test, confirm that it's working and then post your results here. answered 09 Jul '10, 20:28 Ron ♦ |
the vpn clients connect from wan side, my dhcp server is configured to provide 192.168.1.2 - 192.168.1.127 to the pcs on my lan and the openvpn internal dhcp gives the clients an ip from 192.168.1.129 - 192.168.1.254, so no collision of those dhcp servers. The only static ip i have is 192.168.1.1 (the server/router/gateway). There is no DMZ, managed routers or switches or what so ever. The vpn session is fully established says the clients log. As you can see in the firewall script i am blocking ports 137-139, 445 (windows shares/netbios stuff) on nearly every interface and opening port 1195 for vpn on ppp0 so that the vpn clients could connect over the internet. answered 10 Jul '10, 10:56 Grobi 1 |
something worked out now, the vpn clients can ping each other and the server but no pc on my lan, the server and the pcs on my lan CAN NOT ping the vpn clients. i changed the firewall a litle : The iptables command. Shorter and sure.ipt="/sbin/iptables" The network interface.ifWan=ppp0 ifVpnB=br0 ifVpn=tap+ VPN_PORT=1195 FIREWALL STOP... FIREWALL START/RELOAD/RESTARTecho "Building firewall..." Modulesmodprobe ip_tables modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_MASQUERADE modprobe ipt_state modprobe ipt_LOG modprobe iptable_nat modprobe iptable_filter Flush current rules.$ipt -F INPUT $ipt -F OUTPUT $ipt -F FORWARD $ipt -t nat -F PREROUTING $ipt -t nat -F POSTROUTING $ipt -t nat -F OUTPUT $ipt -F $ipt -X Set default policies$ipt --policy INPUT DROP $ipt --policy OUTPUT ACCEPT $ipt --policy FORWARD DROP $ipt -t nat --policy PREROUTING ACCEPT $ipt -t nat --policy POSTROUTING ACCEPT SYN flood protectionecho "1" > /proc/sys/net/ipv4/tcp_syncookies Forwardingecho "1" > /proc/sys/net/ipv4/ip_forward LOOPBACKecho "Setting LOOPBACK rules" $ipt -A INPUT -i lo -j ACCEPT $ipt -A OUTPUT -o lo -j ACCEPT WANecho "Setting WAN rules" $ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -i $ifWan -j ACCEPT $ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -o $ifWan -j ACCEPT $ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP $ipt -A FORWARD -i $ifWan -o $ifVpnB -j ACCEPT $ipt -A FORWARD -i $ifWan -o $ifVpn -j ACCEPT VPNecho "Setting VPN rules" $ipt -A INPUT -i $ifVpn -j ACCEPT $ipt -A OUTPUT -o $ifVpn -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT BRIDGEecho "Setting BRIDGE rules" $ipt -A INPUT -i $ifVpnB -j ACCEPT $ipt -A OUTPUT -o $ifVpnB -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT Portforwarding... Masquerading$ipt -t nat -A POSTROUTING -j MASQUERADE echo "Done!" answered 10 Jul '10, 19:01 Grobi 1 Why do you want the VPN clients to be able to ping the LAN clients that are not connecting VPN?
(12 Jul '10, 18:44)
Ron ♦
|
Firstly, why are you using Bridged mode if you are blocking NetBIOS communication between clients and network? This is the main reason to use bridged mode in my opinion. If you don't need to access Windows shares over the VPN then I would suggest routed mode which will simplify the configuration. Having said that, far be it from me to tell you what to do so, have you checked that the network interface adaptor used as part of your bridged interface has sucessfully enabled promiscuous mode? This is a requirement for bridged networking, and a common reason why traffic is not passed from the LAN to the VPN clients. Regards, Lozman. answered 03 Aug '10, 11:24 Lozman |