Firewall (iptables) blocking server ping of client

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

msellers
OpenVpn Newbie
Posts: 4
Joined: Fri May 16, 2014 7:10 pm

Firewall (iptables) blocking server ping of client

Post by msellers » Fri May 16, 2014 8:21 pm

I am attempting to set up OpenVPN on my CentOS 6 server to connect a remote client (Mac OS X).

With firewall disabled on both server and client, everything works great! I can ping the client from the server, and I can ping the server from the client and the connection is active.

When I enable a simple firewall on the server, I can no longer ping the client over the VPN interface. After about a minute, the client VPN loses contact with the server and shuts down the interface due to keepalive expiring.

Here is the content of the iptables.rules script that I am using to debug this situation. The script is based on examples from the OpenVPN HOWTO and is not really a complete firewall:
----------------------------------------------------------------------------------
#--------------------------------------------------------------
# Interfaces
# em1 - internet
# em2 - LAN
# tun0 - vpn interface
#--------------------------------------------------------------
# Flush and reset all iptables
#--------------------------------------------------------------
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

#--------------------------------------------------------------
# Setup default policy
#--------------------------------------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#--------------------------------------------------------------
# VPN rules
#--------------------------------------------------------------

# Allow traffic on OpenVPN udp port
iptables -A INPUT -i em1 -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -o em1 -p udp --dport 1194 -j ACCEPT

# Allow traffic in/out tun0
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

# Allow icmp in/out
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
----------------------------------------------------------------------------------------------------------------

I would appreciate your help, as I really need to firewall this server, and so far have been unable to enable a firewall and keep the VPN connection active.

Thanks,
Mark

msellers
OpenVpn Newbie
Posts: 4
Joined: Fri May 16, 2014 7:10 pm

Re: Firewall (iptables) blocking server ping of client

Post by msellers » Fri May 16, 2014 8:33 pm

I forgot to say that net.ipv4.ip_forward=1

Server conf:
local 96.236.66.53
port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name

server 10.8.0.0 255.255.255.0
#push "route 192.168.0.0 255.255.255.0"
topology subnet

keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
user nobody
group nobody
daemon
log-append /var/log/openvpn.log

Client conf:
client
dev tun
proto udp
remote 96.236.66.53 1194
resolve-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun

ca /User/msellers/Desktop/waltz-vpn.tblk/ca.crt
cert /User/msellers/Desktop/waltz-vpn.tblk/waltz.crt
key /User/msellers/Desktop/waltz-vpn.tblk/waltz.key

auth-user-pass

comp-lzo
verb 3

Note that the VPN works as long as the firewall is off!

Thanks,
Mark

msellers
OpenVpn Newbie
Posts: 4
Joined: Fri May 16, 2014 7:10 pm

Re: Firewall (iptables) blocking server ping of client

Post by msellers » Sat May 17, 2014 8:51 pm

Solved my problem. Upon inspection of the firewall rules, I noticed that I provided complete tunnel pass through, but didn't enable outputs through the WAN and LAN interfaces.

Adding these two rules solved the problem:


iptables -A OUTPUT -o em1 -d 10.8.0.0/24 -j ACCEPT
iptables -A OUTPUT -o em2 -d 192.168.0.0/24 -j ACCEPT

I hope this helps someone else with their firewall when the default OUTPUT is to DROP the packet. Most often, the default OUTPUT is to ACCEPT, but the more robust firewall limits outputs also.

Regards,
Mark

msellers
OpenVpn Newbie
Posts: 4
Joined: Fri May 16, 2014 7:10 pm

Re: Firewall (iptables) blocking server ping of client

Post by msellers » Wed May 28, 2014 12:02 am

Just to finish this thread with what I found actually works, please see this section of my iptables that is for VPN filtering. Note that the VPN server lives on the same server as the LAN router, so no need to forward to a different box (life is good):


#--------------------------------------------------------------
# VPN rules
# IFWAN is the internet interface
# IFLAN is the LAN interface
# IFVPN is the tunnel interface
# NTVPN is the VPN created network
# NTLAN is the server's LAN
#--------------------------------------------------------------
IFWAN="em1"
IFLAN="em2"
IFVPN="tun+"

NTVPN="10.8.0.0/24"
NTLAN="192.168.0.0/24"

# Allow traffic on OpenVPN udp port
iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state ESTABLISHED -j ACCEPT

# Allow traffic in/out tun
iptables -A INPUT -i $IFVPN -j ACCEPT
iptables -A FORWARD -i $IFVPN -j ACCEPT
iptables -A OUTPUT -o $IFVPN -j ACCEPT

# Forward vpn traffic
iptables -A FORWARD -i $IFLAN -s $NTLAN -d $NTVPN -j ACCEPT
# Decapsulated VPN packets enter the FORWARD chain from the tunnel interface,
# not from the WAN interface, so match on $IFVPN here
iptables -A FORWARD -i $IFVPN -s $NTVPN -d $NTLAN -j ACCEPT
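The difference between the first post's debug script and the final ruleset comes down to how the OpenVPN control channel looks on the WAN interface: the client sends to UDP port 1194 from an ephemeral port, and every server reply (handshake, keepalive, and the encapsulated ping that was written into tun0) leaves em1 with source port 1194 and the client's ephemeral port as destination. An OUTPUT rule matching `--dport 1194` therefore never sees those replies, while the final ruleset's `-m state --state ESTABLISHED` rule does, as would a stateless `--sport 1194` rule. The following is an added example, not code from this thread: a small model of iptables matching with a conntrack table, fed the rules quoted above. The server address 96.236.66.53 comes from the posted config; the client address 203.0.113.7 and its port 54321 are constructed for the example, and the FORWARD rules are not modelled.

```python
"""Model of iptables chain evaluation for the OpenVPN control channel.
Added example, not the poster's code.  Constructed addresses: the server
is 96.236.66.53 (from the posted server config); the client 203.0.113.7
and its ephemeral port 54321 are assumptions made for this example."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str    # interface it arrives on (INPUT) or leaves by (OUTPUT)
    proto: str    # "udp" or "icmp"
    src: str
    sport: int    # 0 for protocols without ports
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str
    iface: Optional[str] = None              # -i / -o, "tun+" prefix form allowed
    proto: Optional[str] = None              # -p
    sport: Optional[int] = None              # --sport
    dport: Optional[int] = None              # --dport
    states: Optional[FrozenSet[str]] = None  # -m state --state NEW,ESTABLISHED
    target: str = "ACCEPT"


def iface_matches(pattern: str, iface: str) -> bool:
    """iptables treats a trailing '+' as a wildcard: tun+ matches tun0, tun1, ..."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


class Firewall:
    """First matching rule wins; chain policy applies otherwise.  Accepted
    flows are recorded so that -m state can be emulated for later packets."""

    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules, self.policy, self.conntrack = rules, policy, set()

    def state_of(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def verdict(self, chain: str, p: Packet) -> str:
        state = self.state_of(p)
        for r in self.rules:
            if r.chain != chain:
                continue
            if r.iface is not None and not iface_matches(r.iface, p.iface):
                continue
            if (r.proto, r.sport, r.dport) != (r.proto if r.proto is None else p.proto,
                                               r.sport if r.sport is None else p.sport,
                                               r.dport if r.dport is None else p.dport):
                continue
            if r.states is not None and state not in r.states:
                continue
            result = r.target
            break
        else:
            result = self.policy
        if result == "ACCEPT":
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return result


# VPN port and tun0 rules from the first post's debug script.
ORIGINAL = [
    Rule("INPUT", iface="em1", proto="udp", dport=1194),
    Rule("OUTPUT", iface="em1", proto="udp", dport=1194),
    Rule("INPUT", iface="tun0"),
    Rule("OUTPUT", iface="tun0"),
]
# Stateful rules from the last post.
FINAL = [
    Rule("INPUT", proto="udp", dport=1194, states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("OUTPUT", proto="udp", states=frozenset({"ESTABLISHED"})),
    Rule("INPUT", iface="tun+"),
    Rule("OUTPUT", iface="tun+"),
]
# Stateless alternative: match the server's replies by their source port.
STATELESS_FIX = ORIGINAL + [Rule("OUTPUT", iface="em1", proto="udp", sport=1194)]

SERVER, CLIENT, CLIENT_PORT = "96.236.66.53", "203.0.113.7", 54321   # constructed
CLIENT_HELLO = Packet("em1", "udp", CLIENT, CLIENT_PORT, SERVER, 1194)
SERVER_REPLY = Packet("em1", "udp", SERVER, 1194, CLIENT, CLIENT_PORT)
TUN_PING = Packet("tun0", "icmp", "10.8.0.1", 0, "10.8.0.2", 0)


def simulate(rules: List[Rule]) -> dict:
    """Verdicts for a client connecting, the server pinging over tun0, and the
    server's encrypted reply leaving em1 (keepalives use the same UDP flow)."""
    fw = Firewall(rules)
    return {
        "client_hello": fw.verdict("INPUT", CLIENT_HELLO),
        "tun_ping": fw.verdict("OUTPUT", TUN_PING),
        "server_reply": fw.verdict("OUTPUT", SERVER_REPLY),
    }


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("final", FINAL), ("stateless", STATELESS_FIX)):
        print(name, simulate(rules))
```

Running it shows the original rules accepting the ping written into tun0 yet dropping the UDP datagram that carries it once OpenVPN encapsulates it, which is why the client's keepalive timer expires; both the stateful rule and the `--sport 1194` rule let that reply through. On a real host the equivalent check is `iptables -L OUTPUT -v -n` after a failed ping: the packet counter on the chain policy line climbs while no rule counter does.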
