<p>Answers to: iptables firewall problem openvpn bridged</p>
<p>http://linuxexchange.org/questions/1017/iptables-firewall-problem-openvpn-bridged</p>
<p>Hi, I think I have some problems with my iptables firewall. My setup: a PC (Debian installed) with two Ethernet cards, eth0 connected to my LAN (192.168.1.0/24) and eth1 for the internet connection (ppp0). I have an OpenVPN server on that PC in bridged mode. The VPN clients can connect, but they can't ping the server or any other PC on my LAN, and the server and my LAN PCs can't ping the clients. The bridge is set up correctly and the setup of the OpenVPN server looks right; the clients get an IP from my LAN and a route to it, so routing looks fine. The problem must be the iptables firewall. The requirements for the firewall are: my LAN can do anything except receiving or posting Windows shares, NetBIOS etc. over the internet or the VPN; the VPN clients can do anything except receiving or posting Windows shares, NetBIOS etc. over the VPN, and they cannot access the internet over the VPN.</p>
<p>Could someone please have a look at my script?</p>
<p>Here's the interesting part of my firewall script:</p>
<pre><code># The iptables command. Shorter and sure
ipt="/sbin/iptables"

# The network interfaces
ifLan=eth0
ifWan=ppp0
ifVpnB=br0
ifVpn=tap+

VPN_PORT=1195

# FIREWALL STOP
...

# FIREWALL START/RELOAD/RESTART
echo "Building firewall..."

# Modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_nat
modprobe iptable_filter

# Flush current rules.
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -t nat -F PREROUTING
$ipt -t nat -F POSTROUTING
$ipt -t nat -F OUTPUT
$ipt -F
$ipt -X

# Set default policies
$ipt --policy INPUT DROP
$ipt --policy OUTPUT ACCEPT
$ipt --policy FORWARD DROP
$ipt -t nat --policy PREROUTING ACCEPT
$ipt -t nat --policy POSTROUTING ACCEPT

# SYN flood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# LOOPBACK
echo "Setting LOOPBACK rules"
$ipt -A INPUT -i lo -j ACCEPT

$ipt -A OUTPUT -o lo -j ACCEPT

# WAN
echo "Setting WAN rules"
$ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP
$ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP
$ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP
$ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP
$ipt -A INPUT -i $ifWan -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP
$ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP
$ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP
$ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP
$ipt -A OUTPUT -o $ifWan -j ACCEPT

$ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP
$ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP
$ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP
$ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP

$ipt -A FORWARD -i $ifWan -o $ifLan -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ifWan -o $ifVpnB -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ifWan -o $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT

# VPN
echo "Setting VPN rules"
$ipt -A INPUT -i $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -A OUTPUT -o $ifVpn -j ACCEPT

$ipt -A FORWARD -i $ifVpn -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT

# BRIDGE
echo "Setting BRIDGE rules"
$ipt -A INPUT -i $ifVpnB -j ACCEPT

$ipt -A OUTPUT -o $ifVpnB -j ACCEPT

$ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT

# LAN
echo "Setting LAN rules"
$ipt -A INPUT -i $ifLan -j ACCEPT

$ipt -A OUTPUT -o $ifLan -j ACCEPT

$ipt -A FORWARD -i $ifLan -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifVpnB -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifVpn -j ACCEPT

# Portforwarding
...

# Masquerading
$ipt -t nat -A POSTROUTING -j MASQUERADE
echo "Done!"
</code></pre>
<p>Thanks, Grobi</p>
<p>Fri, 20 Jan 2017 17:31:50 -0000</p>
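<p>An added example, not part of Grobi's post or of the linuxexchange thread: the FORWARD rules a bridged OpenVPN server needs when bridged frames are subject to iptables. It assumes (the post does not say so) that eth0 and the tap interface are both ports of br0, as in a standard OpenVPN tap bridge, and that br_netfilter is active (net.bridge.bridge-nf-call-iptables=1). Under those assumptions a frame going from a VPN client to a LAN host traverses FORWARD with -i br0 -o br0, so a FORWARD policy of DROP without a matching rule silently discards LAN-to-VPN traffic, and the -i eth0 / -i tap+ rules never match because the kernel sees the bridge, not its ports. The physdev match identifies the bridge port a frame arrived on, which is what lets SMB/NetBIOS from VPN clients be dropped, and VPN clients be kept off the internet, while the rest of the bridged traffic passes. The function names, the SMB_PORTS list and the dry-run IPT variable are this example's own; it prints the rules by default and only applies them when IPT points at the real iptables binary.</p>

```shell
#!/bin/sh
# Added example (not from the original post): FORWARD rules for an OpenVPN
# tap bridge where br0 = eth0 + tap0.
# Assumptions: eth0 and tap0 are ports of br0, and br_netfilter is active so
# bridged frames pass through iptables FORWARD with -i br0 -o br0.
# Dry run by default (rules are printed). Apply with:
#   IPT=/sbin/iptables sh bridge-rules.sh
IPT="${IPT:-echo iptables}"
BR=br0
VPN=tap+          # bridge port(s) the VPN clients arrive on
WAN=ppp0
SMB_PORTS="137:139,445"   # NetBIOS name/datagram/session + SMB over TCP

# Report whether bridged frames are seen by iptables at all: prints 1 or 0,
# or "unknown" when br_netfilter is not loaded (e.g. on a dry-run host).
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Emit the bridge-related FORWARD rules in the order they must be appended.
# iptables takes the first matching rule, so the DROPs come before the ACCEPTs.
bridge_forward_rules() {
    # 1. Windows file sharing from VPN clients into the LAN segment (bridged).
    for proto in tcp udp; do
        $IPT -A FORWARD -i $BR -o $BR -m physdev --physdev-in $VPN \
            -p $proto -m multiport --dports $SMB_PORTS -j DROP
    done
    # 2. Everything else that crosses the bridge (tap <-> eth0, both ways).
    #    Without this rule a FORWARD policy of DROP eats bridged frames.
    $IPT -A FORWARD -i $BR -o $BR -j ACCEPT
    # 3. VPN clients may not reach the internet through the server: frames
    #    that entered on a tap port and are routed out of ppp0 are dropped.
    $IPT -A FORWARD -i $BR -o $WAN -m physdev --physdev-in $VPN -j DROP
    # 4. LAN hosts (entered on eth0, routed out of ppp0) and their replies.
    $IPT -A FORWARD -i $BR -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $BR -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules emitted; handy for checking a dry run before applying.
rule_count() { bridge_forward_rules | wc -l | tr -d ' '; }

bridge_nf_state
bridge_forward_rules
```

<p>Two checks before applying this: bridge_nf_state must print 1, otherwise bridged frames bypass iptables entirely (LAN and VPN hosts would then ping each other already, and the SMB filter would have to live in ebtables instead); and these rules must be appended before any broad rule such as -i br0 -o ppp0 -j ACCEPT, or the VPN-to-internet DROP in step 3 is never reached.</p>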