[iptables] OpenVPN + Debian in a LAN, not gateway (NatHack)
Posted: Sat Oct 18, 2014 11:48 pm
Hi!
I have the following configuration working in my office LAN.

What I have:
* Road warriors can access all resources of the local LAN (ping PCs, print, view shares)
* Road warriors can access all resources on the 3 servers (NatHack).
* All routes are working OK (OpenVPN pushes route 172.16.1.0 to the client)

This is my little iptables config (copied from this forum), living in /etc/rc.local:

Code:
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
# (this first rule already accepts every forwarded packet from tun+, so the
# two state rules below never add anything)
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# NatHack: hide the VPN subnet behind the server's LAN address
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

My goal:
* Road warriors only access the 2 Windows servers (all ports of them: 80, 25, 8080) and the Linux server.
* Road warriors can't access the other PCs/printers on the LAN

What I need:
* Help configuring iptables to prevent the VPN (tun0) from accessing some resources on the LAN (eth0)
* Is it correct to do this iptables config in /etc/rc.local? (I'm a newbie in Linux.) Any advice?

Many thanks in advance, thanks to this forum I have learned a lot!
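An added example (not from the original post or the forum) showing one way to narrow the FORWARD chain as asked: packets from tun+ towards eth0 are accepted only when addressed to three server hosts and dropped otherwise. It assumes the post's 10.8.0.0/24 VPN subnet and a 172.16.1.0/24 LAN; the three server addresses and the chain name VPN_TO_LAN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's config: forward VPN traffic only to the
# three servers and drop everything else headed for the LAN.
# Assumptions: VPN subnet 10.8.0.0/24 and LAN 172.16.1.0/24 as in the post;
# the three server addresses are constructed placeholders, edit them.
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them
VPN_IF="tun+"
LAN_IF="eth0"
VPN_NET="10.8.0.0/24"
ALLOWED_SERVERS="172.16.1.10 172.16.1.11 172.16.1.12"   # placeholders

vpn_forward_rules() {
    # Dedicated chain: easy to flush and re-apply without touching FORWARD.
    "$IPT" -N VPN_TO_LAN 2>/dev/null || "$IPT" -F VPN_TO_LAN
    "$IPT" -A VPN_TO_LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
    for srv in $ALLOWED_SERVERS; do
        "$IPT" -A VPN_TO_LAN -d "$srv" -j ACCEPT     # all ports of each server
    done
    "$IPT" -A VPN_TO_LAN -j LOG --log-prefix "vpn-lan-denied: "
    "$IPT" -A VPN_TO_LAN -j DROP                     # everything else on the LAN

    # Every packet from the VPN towards the LAN is decided in VPN_TO_LAN.
    # The post's "iptables -A FORWARD -i tun+ -j ACCEPT" must not remain,
    # because it would match first and accept everything.
    "$IPT" -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j VPN_TO_LAN
    # Replies from the servers back to the VPN clients.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # NatHack kept: LAN hosts see the server's address and need no 10.8.0.0/24 route.
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -s "$VPN_NET" -j MASQUERADE
}

# Run as "sh vpn-rules.sh apply" (or call vpn_forward_rules from rc.local);
# rules are appended, so apply once per boot rather than on every re-run.
if [ "${1:-}" = "apply" ]; then
    vpn_forward_rules
fi
```

The INPUT/OUTPUT rules for tun+ from the post stay as they are. On Debian, rc.local works for a handful of rules, but a file written by iptables-save and loaded with iptables-restore at boot (the iptables-persistent package does this) survives re-runs better than appending with -A each time.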