Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
Moderators: TinCanTech
laser_xf (OpenVpn Newbie, Posts: 2, Joined: Sat Oct 18, 2014 11:19 pm, Location: France)
Post by laser_xf » Sat Oct 18, 2014 11:48 pm
Hi!
I have the following configuration working in my office LAN:
What I have:
* Road warriors can access all resources of the local LAN (ping PCs, print, view shares)
* Road warriors can access all resources on the 3 servers (NatHack).
* All routes are working OK (openvpn pushes to client route 172.16.1.0)
This is my little iptables config (copied from this forum) (living in /etc/rc.local)
Code:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
My goal:
* Road warriors only access the 2 Windows servers (all ports of them, 80, 25, 8080) and the Linux server.
* Road warriors can't access the other PCs/Printers on the LAN
What I need:
* Help configuring iptables to avoid VPN (tun0) accessing some resources on the LAN (eth0)
* Is it correct to do this iptables config in /etc/rc.local? (I'm a newbie in Linux.) Any advice?
Many thanks in advance, thanks to this forum I have learned a lot!
laser_xf (OpenVpn Newbie, Posts: 2, Joined: Sat Oct 18, 2014 11:19 pm, Location: France)
Post by laser_xf » Tue Oct 21, 2014 8:45 pm
Working!!
This is my full iptables (/etc/iptables.rules) config now:
Code:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# Allow destination ONLY to three servers
iptables -A FORWARD -i tun+ -d 172.16.1.10 -j ACCEPT
iptables -A FORWARD -i tun+ -d 172.16.1.100 -j ACCEPT
iptables -A FORWARD -i tun+ -d 172.16.1.200 -j ACCEPT
# Permit established/related traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject forwarded traffic if it hasn't matched rules yet
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# NAT for accessing the LAN
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
A few more little questions from a newbie:
- Server 10 (Debian VPN) - I don't want roadwarriors to be able to connect via SSH to it. (Not via 10.8.0.1 and not via the pushed route 172.16.1.10)
- Server 100 (Windows) - All OK. (maybe only needed rdp 3389 and rdp2 3390)
- Server 200 (Windows) - Only has a webserver at port 80, can I drop all the other traffic from tun+ to it to prevent viewing shares from it?
Is it advisable to open only the ports that I need, like :80 to server 200, and then DROP all the other traffic?
Many thanks for all the help!! Linux is amazing!
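An added example (not the poster's script) of a per-service allow-list that covers the restrictions asked about in the second post. It assumes the same layout: tunnel 10.8.0.0/24 with the server at 10.8.0.1, LAN on eth0, and that 172.16.1.10 is the VPN host itself, so packets to it (or to 10.8.0.1) pass through INPUT rather than FORWARD; the `ipt` argument, `preview` and `rule_count` are helpers invented here so the rules can be reviewed without root.

```shell
#!/bin/sh
# Constructed example, not the poster's config. Addresses assumed from the
# thread: tunnel 10.8.0.0/24, LAN on eth0, RDP server 172.16.1.100,
# web server 172.16.1.200, VPN host 172.16.1.10 / 10.8.0.1.
VPN_NET=10.8.0.0/24
WIN_RDP=172.16.1.100
WIN_WEB=172.16.1.200

# vpn_rules CMD: emit the ruleset through CMD (default: iptables).
vpn_rules() {
    ipt="${1:-iptables}"

    # Connections to the VPN host's own addresses are handled by INPUT, so
    # SSH from the tunnel has to be refused here, before the general accept.
    $ipt -A INPUT -i tun+ -p tcp --dport 22 -j REJECT --reject-with tcp-reset
    $ipt -A INPUT -i tun+ -j ACCEPT
    $ipt -A OUTPUT -o tun+ -j ACCEPT

    # Replies to connections that were already allowed in either direction.
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the services each server is meant to offer to road warriors.
    $ipt -A FORWARD -i tun+ -o eth0 -d "$WIN_RDP" -p tcp \
        -m multiport --dports 3389,3390 -j ACCEPT
    $ipt -A FORWARD -i tun+ -o eth0 -d "$WIN_WEB" -p tcp --dport 80 -j ACCEPT

    # Anything else from the tunnel (other PCs, printers, shares on the
    # web server) is refused with an ICMP error instead of silently dropped.
    $ipt -A FORWARD -i tun+ -j REJECT --reject-with icmp-host-prohibited

    # Source NAT so LAN hosts answer to the VPN server's eth0 address.
    $ipt -t nat -A POSTROUTING -o eth0 -s "$VPN_NET" -j MASQUERADE
}

# preview: print the commands instead of running them (no root needed).
preview() { vpn_rules "echo iptables"; }

# rule_count: number of iptables invocations the script would make.
rule_count() { preview | grep -c '^iptables'; }
```

Run `preview` to check the ordering before applying with `vpn_rules` as root; persisting the result with iptables-save/iptables-restore is more robust than rebuilding it from /etc/rc.local on every boot.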