[iptables] OpenVPN + Debian in a LAN, not gateway (NatHack)

laser_xf
OpenVpn Newbie
Posts: 2
Joined: Sat Oct 18, 2014 11:19 pm
Location: France


Post by laser_xf » Sat Oct 18, 2014 11:48 pm

Hi! 8-)

I have the following configuration working in my office LAN:

[image: network diagram]

What I have:

* Road warriors can access all resources of the local LAN (ping PCs, print, view shares)
* Road warriors can access all resources on the 3 servers (NatHack).
* All routes are working okay (OpenVPN pushes the route 172.16.1.0 to the client)


This is my little iptables config (copied from this forum), living in /etc/rc.local:

Code:

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
# (the first rule already accepts everything arriving on tun+, so the
#  tun+ -> eth0 state rule below is redundant; the eth0 -> tun+ state rule
#  is what lets replies from the LAN back into the tunnel)
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# NAT: VPN clients appear on the LAN with the server's eth0 address (the "NatHack"),
# so LAN hosts need no route back to 10.8.0.0/24
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

My goal:

* Road warriors can only access the 2 Windows servers (all their ports: 80, 25, 8080) and the Linux server.
* Road warriors can't access the other PCs/printers on the LAN


What I need:
* Help configuring iptables to prevent the VPN (tun0) from accessing some resources on the LAN (eth0)
* Is it correct to put this iptables config in /etc/rc.local? (I'm a Linux newbie.) Any advice?

:mrgreen: Many thanks in advance; thanks to this forum I have learned a lot! :oops:

laser_xf
OpenVpn Newbie
Posts: 2
Joined: Sat Oct 18, 2014 11:19 pm
Location: France

Re: [iptables] OpenVPN + Debian in a LAN, not gateway (NatHack)

Post by laser_xf » Tue Oct 21, 2014 8:45 pm

Working!!

This is my full iptables (/etc/iptables.rules) config now:

Code:

# Allow TUN interface connections to OpenVPN server
# (note: this accepts every service on the VPN host itself from the tunnel,
#  including SSH on 10.8.0.1 / 172.16.1.10)
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Allow destination ONLY to three servers (any protocol and port on them)
# (172.16.1.10 is this host's own LAN address, so packets for it go through
#  INPUT rather than FORWARD and the first rule never matches)
iptables -A FORWARD -i tun+ -d 172.16.1.10 -j ACCEPT
iptables -A FORWARD -i tun+ -d 172.16.1.100 -j ACCEPT
iptables -A FORWARD -i tun+ -d 172.16.1.200 -j ACCEPT

# Permit established/related traffic (return packets of the connections allowed above)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject forwarded traffic if it hasn't matched rules yet
# (catch-all: order matters, this must remain the last FORWARD rule)
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# NAT for accessing the LAN (VPN clients appear with the server's eth0 address)
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

A few more little questions from a newbie:
  • Server 10 (Debian VPN) - I don't want road warriors to be able to connect to SSH on it (neither via 10.8.0.1 nor via the pushed route 172.16.1.10).
  • Server 100 (Windows) - All okay (maybe only RDP 3389 and RDP2 3390 are needed).
  • Server 200 (Windows) - Only has a web server on port 80; can I drop all the other traffic from tun+ to it to prevent viewing shares on it?
Is it advisable to open only the ports that I need, like :80 to server 200, and then DROP all the other traffic?

Many thanks for all the help!! Linux is amazing!
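A tighter, per-port version of the ruleset, added here as an example (it is not the poster's code), that addresses the three follow-up questions: only the named ports on each server are forwarded, the rest of the tunnel traffic is rejected, and new SSH from the tunnel to the VPN host itself is refused on INPUT (which covers both 10.8.0.1 and 172.16.1.10, since both are the host's own addresses). Interfaces, addresses and ports come from the thread; the script layout, the `rules` function and the `apply` argument are this example's own assumptions.

```shell
#!/bin/sh
# Least-privilege tunnel policy for the setup in the thread (added example).
# Without arguments the script only prints the iptables commands, so it can be
# reviewed first; "sh vpn-rules.sh apply" runs them as root.
VPN_NET="10.8.0.0/24"      # OpenVPN client subnet
VPN_IF="tun+"
LAN_IF="eth0"
SRV_WIN1="172.16.1.100"    # Windows server 100 (RDP)
SRV_WIN2="172.16.1.200"    # Windows server 200 (web only)
SSH_RULE="-i $VPN_IF -p tcp --dport 22 -j REJECT --reject-with tcp-reset"

# allow_fwd DEST PROTO PORT: one FORWARD rule for new tunnel -> DEST:PORT connections
allow_fwd() {
    echo "iptables -A FORWARD -i $VPN_IF -d $1 -p $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

rules() {
    # Start FORWARD and the NAT chain from a clean slate so re-running the script
    # does not append duplicates (assumes nothing else lives in these chains, as in the post).
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -P FORWARD DROP"

    # Question 1: refuse SSH to the VPN host from the tunnel. Delete-then-insert keeps
    # the rule single and at the top of INPUT even when the script runs twice.
    echo "iptables -D INPUT $SSH_RULE 2>/dev/null"
    echo "iptables -I INPUT 1 $SSH_RULE"

    # Replies for connections allowed below
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Questions 2 and 3: explicit per-server, per-port allow list
    allow_fwd "$SRV_WIN1" tcp 3389   # RDP
    allow_fwd "$SRV_WIN1" tcp 3390   # second RDP instance mentioned in the post
    allow_fwd "$SRV_WIN2" tcp 80     # web server only; SMB/445 and the rest stay blocked

    # Anything else from the tunnel gets an explicit ICMP error (easier to debug than DROP)
    echo "iptables -A FORWARD -i $VPN_IF -j REJECT --reject-with icmp-host-prohibited"

    # NatHack: tunnel clients leave eth0 with the server's LAN address
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $VPN_NET -j MASQUERADE"
}

if [ "${1:-}" = "apply" ]; then rules | sh; else rules; fi
```

Because the host's own address is reached through INPUT, not FORWARD, a `-d 172.16.1.10` FORWARD rule cannot block SSH to the VPN server; the INPUT rule above is what does it.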
