Please note that LinuxExchange will be shutting down on December 31st, 2016. Visit this thread for additional information and to provide feedback.

Hi, i think i got some probs with my iptables firewall, my setup is i got a pc (debian installed) with 2 ethernetcard, eth0 connected to my lan(192.168.1.0/24) eth1 for internet connection (ppp0) I have an openvpn server on that pc in bridged mode, the vpn clients can connect but can't ping the server or any other pc on my lan and the server or my lan pcs can't ping the clients. The bridge is setup correctly and the setup of the openvpn server looks right and the clients got an ip from my lan and a route to it so routing looks fine, problem must be the iptables firewall. The requierements for the firewall are : my Lan can do anything except receiving or posting windows shares, netbios etc over the internet or vpn the vpn clients can do anything except receiving or posting windows shares, netbios etc over the vpn and they can not access the internet over the vpn.

Please if someone could have a look at my script?

Heres the interesting part of my firewall script:

The iptables command. Shorter and sure

ipt="/sbin/iptables"

The network interface

ifLan=eth0 ifWan=ppp0 ifVpnB=br0 ifVpn=tap+

VPN_PORT=1195

FIREWALL STOP

...

FIREWALL START/RELOAD/RESTART

echo "Building firewall..."

Modules

modprobe ip_tables modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_MASQUERADE modprobe ipt_state modprobe ipt_LOG modprobe iptable_nat modprobe iptable_filter

Flush current rules.

$ipt -F INPUT $ipt -F OUTPUT $ipt -F FORWARD $ipt -t nat -F PREROUTING $ipt -t nat -F POSTROUTING $ipt -t nat -F OUTPUT $ipt -F $ipt -X

Set default policies

$ipt --policy INPUT DROP $ipt --policy OUTPUT ACCEPT $ipt --policy FORWARD DROP $ipt -t nat --policy PREROUTING ACCEPT $ipt -t nat --policy POSTROUTING ACCEPT

SYN flood protection

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

LOOPBACK

echo "Setting LOOPBACK rules" $ipt -A INPUT -i lo -j ACCEPT

$ipt -A OUTPUT -o lo -j ACCEPT

WAN

echo "Setting WAN rules" $ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -i $ifWan -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -o $ifWan -j ACCEPT

$ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP

$ipt -A FORWARD -i $ifWan -o $ifLan -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A FORWARD -i $ifWan -o $ifVpnB -m state --state ESTABLISHED,RELATED -j ACCEPT $ipt -A FORWARD -i $ifWan -o $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT

VPN

echo "Setting VPN rules" $ipt -A INPUT -i $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -A OUTPUT -o $ifVpn -j ACCEPT

$ipt -A FORWARD -i $ifVpn -o $ifLan -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT

BRIDGE

echo "Setting BRIDGE rules" $ipt -A INPUT -i $ifVpnB -j ACCEPT

$ipt -A OUTPUT -o $ifVpnB -j ACCEPT

$ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifLan -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT

LAN

echo "Setting LAN rules" $ipt -A INPUT -i $ifLan -j ACCEPT

$ipt -A OUTPUT -o $ifLan -j ACCEPT

$ipt -A FORWARD -i $ifLan -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifLan -o $ifVpnB -j ACCEPT $ipt -A FORWARD -i $ifLan -o $ifVpn -j ACCEPT

Portforwarding

...

Masquerading

$ipt -t nat -A POSTROUTING -j MASQUERADE echo "Done!"

thx Grobi

asked 09 Jul '10, 17:10

Grobi's gravatar image

Grobi
111
accept rate: 0%




I can honestly see your issue being anywhere in layers 2-7 of the OSI model. Layer 1 seems fine. I think before you can assume that it's iptables that is the cause of the issue, you need to take it step by step through each layer.

Layer 1 - Physical, you have ruled out because of what you've said.

Layer 2 - Data Link Layer (which has 2 sub-layers, Logical Link Control and MAC) could be the issue, but I doubt it in this case, unless you are using MAC filtering or something of that nature. Bridges do work at this layer though, as do layer 2 switches.

Layer 3 - Network - lots to chew on here. Switches and routers operate here. Do you have a managed switch involved?

Layer 4 - Transport - maybe. It could be a protocol issue, but you need to work through the lower layers first.

Layer 5 - Session - since you are using VPN, that creates a session (just like applications create sessions too. Could it be something like the session isn't being fully established? Again.. more information is needed.)

Layer 6 - Presentation.

Layer 7 - Application.

As for what you wrote....

So eth0 is LAN-side and ppp0 is WAN side, but the vpn clients can connect but can't ping the server or any other pc on my lan and the server or my lan pcs can't ping the clients."

Are you connecting your VPN clients from outside your LAN or testing this from within it? Is the server in a DMZ? Is the server in a DMZ that is completely isolated from the LAN or not? Did you subnet something somewhere?

Again... more information is needed. We need to rule some things out, gather more data to properly assess the situation.

"The bridge is setup correctly and the setup of the openvpn server looks right and the clients got an ip from my lan and a route to it so routing looks fine"

These are assumptions. From what you've described thus far, I doubt that things are setup correctly in these areas or on this network or it would all work. Do not rule anything out based on assumptions. When you said the client PCs on the LAN get an IP, I am reading that as you are using DHCP vs. static IPs on your LAN, correct?

"problem must be the iptables firewall."

Do not assume that. Work through the OSI layers first and be methodical, not jumping around from here to there guessing what it may or may not be. Rule things out after researching and testing first. then move onto the next layer.

"The requirements for the firewall are : my Lan can do anything except receiving or posting windows shares, netbios etc over the internet or vpn the vpn clients can do anything except receiving or posting windows shares, netbios etc over the vpn and they can not access the internet over the vpn."

So you have blocked port 445 and opened port 1723, correct? How are you enforcing these rules of what people can and cannot do? Solely via iptables or do you have other methods of control involved? Other permissions set elsewhere may be part of, or the cause of your issue.

More information is required.

Starting at Layer 2, please research, test, confirm that it's working and then post your results here.

link

answered 09 Jul '10, 20:28

Ron's gravatar image

Ron ♦
9361718
accept rate: 13%

the vpn clients connect from wan side, my dhcp server is configured to provide 192.168.1.2 - 192.168.1.127 to the pcs on my lan and the openvpn internal dhcp gives the clients an ip from 192.168.1.129 - 192.168.1.254, so no collision of those dhcp servers. The only static ip i have is 192.168.1.1 (the server/router/gateway). There is no DMZ, managed routers or switches or what so ever. The vpn session is fully established says the clients log. As you can see in the firewall script i am blocking ports 137-139, 445 (windows shares/netbios stuff) on nearly every interface and opening port 1195 for vpn on ppp0 so that the vpn clients could connect over the internet.

link

answered 10 Jul '10, 10:56

Grobi%201's gravatar image

Grobi 1
1
accept rate: 0%

something worked out now, the vpn clients can ping each other and the server but no pc on my lan, the server and the pcs on my lan CAN NOT ping the vpn clients. i changed the firewall a litle :

The iptables command. Shorter and sure.

ipt="/sbin/iptables"

The network interface.

ifWan=ppp0 ifVpnB=br0 ifVpn=tap+

VPN_PORT=1195

FIREWALL STOP

...

FIREWALL START/RELOAD/RESTART

echo "Building firewall..."

Modules

modprobe ip_tables modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_MASQUERADE modprobe ipt_state modprobe ipt_LOG modprobe iptable_nat modprobe iptable_filter

Flush current rules.

$ipt -F INPUT $ipt -F OUTPUT $ipt -F FORWARD $ipt -t nat -F PREROUTING $ipt -t nat -F POSTROUTING $ipt -t nat -F OUTPUT $ipt -F $ipt -X

Set default policies

$ipt --policy INPUT DROP $ipt --policy OUTPUT ACCEPT $ipt --policy FORWARD DROP $ipt -t nat --policy PREROUTING ACCEPT $ipt -t nat --policy POSTROUTING ACCEPT

SYN flood protection

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

LOOPBACK

echo "Setting LOOPBACK rules" $ipt -A INPUT -i lo -j ACCEPT

$ipt -A OUTPUT -o lo -j ACCEPT

WAN

echo "Setting WAN rules" $ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP $ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP $ipt -A INPUT -i $ifWan -j ACCEPT

$ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP $ipt -A OUTPUT -o $ifWan -j ACCEPT

$ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP $ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP $ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP

$ipt -A FORWARD -i $ifWan -o $ifVpnB -j ACCEPT $ipt -A FORWARD -i $ifWan -o $ifVpn -j ACCEPT

VPN

echo "Setting VPN rules" $ipt -A INPUT -i $ifVpn -j ACCEPT

$ipt -A OUTPUT -o $ifVpn -j ACCEPT

$ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT

BRIDGE

echo "Setting BRIDGE rules" $ipt -A INPUT -i $ifVpnB -j ACCEPT

$ipt -A OUTPUT -o $ifVpnB -j ACCEPT

$ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT $ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT

Portforwarding

...

Masquerading

$ipt -t nat -A POSTROUTING -j MASQUERADE echo "Done!"

link

answered 10 Jul '10, 19:01

Grobi%201's gravatar image

Grobi 1
1
accept rate: 0%

Why do you want the VPN clients to be able to ping the LAN clients that are not connecting VPN?

(12 Jul '10, 18:44) Ron ♦

Firstly, why are you using Bridged mode if you are blocking NetBIOS communication between clients and network? This is the main reason to use bridged mode in my opinion. If you don't need to access Windows shares over the VPN then I would suggest routed mode which will simplify the configuration.

Having said that, far be it from me to tell you what to do so, have you checked that the network interface adaptor used as part of your bridged interface has sucessfully enabled promiscuous mode? This is a requirement for bridged networking, and a common reason why traffic is not passed from the LAN to the VPN clients.

Regards, Lozman.

link

answered 03 Aug '10, 11:24

Lozman's gravatar image

Lozman
1
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×5
×5

Asked: 09 Jul '10, 17:10

Seen: 6,344 times

Last updated: 30 Mar '11, 00:22

powered by OSQA