Question

OpenVPN can only ping, no other services are available

Asked by: SRG041808

I have a Fedora 11 machine set up on my network as an OpenVPN server. Clients can connect to the server and even ping hosts on the LAN. But that is all: no telnet, RDP, or shared drives. I have opened the Linux firewall to commonly used services like telnet, ssh, http.

##########################server config
port 1194
proto tcp
dev tap
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
 
 
server-bridge 192.168.8.5 255.255.255.0 192.168.8.128 192.168.8.254
 
 
 
 
client-config-dir ccd
 
push "dhcp-option DNS 66.255.85.8"
push "dhcp-option DNS 66.255.85.9"
#Below trying to route clients to network
push "route 192.168.1.0 255.255.255.0 192.168.8.5"
push "route 192.168.2.0 255.255.255.252"
push "route 192.168.8.0 255.255.255.0 192.168.8.5"
push "route 192.168.0.0 255.255.255.0 192.168.8.5"
push "route 192.168.1.229 255.255.255.255 192.168.8.5"
push "route 192.168.1.1 255.255.255.255 192.168.8.5"
push "route 192.168.1.21 255.255.255.255 192.168.8.5"
push "route 192.168.1.5 255.255.255.255 192.168.8.5"
route 192.168.0.0 255.255.255.0 192.168.8.5
route 192.168.1.0 255.255.255.0 192.168.8.5
route 192.168.2.0 255.255.255.252 192.168.8.5
route 192.168.8.0 255.255.255.0 192.168.8.5
 
 
#client-to-client makes it so clients can see each other
client-to-client
 
 
ifconfig-pool-persist ipp.txt
#next line used to be push "redirect-gateway"
push "redirect-gateway 192.168.8.5 255.255.255.255"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 5
 
 
##########################client config
client
dev tap
proto tcp
 
#Change my.publicdomain.com to your public domain or IP address
#changed my public ip to xxx for security
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
 
 
ca ca.crt
cert client3.crt
key client3.key
 
ns-cert-type server
 
#DNS Options here, CHANGE THESE !!
push "dhcp-option DNS 66.255.85.8"
push "dhcp-option DNS 66.255.85.9"
 
#below for windows
route-method exe
route-delay 2
push "redirect-gateway 192.168.8.5 255.255.255.255"
 
#below will clear arp cache in windows
push "netsh interface ip delete arpcache"
 
 
#verb is logging 0-15 higher the number the more info logged
verb 5
 
comp-lzo
 
 
 
#############################below is IP tables config in the /etc/init.d/openvpn file
 echo 1 > /proc/sys/net/ipv4/ip_forward
 iptables -I INPUT -i tun0 -j ACCEPT
 iptables -I FORWARD -i tun0 -j ACCEPT
 iptables -I FORWARD -o tun0 -j ACCEPT
 iptables -I OUTPUT -o tun0 -j ACCEPT
 iptables -A INPUT -i tap0 -j ACCEPT
 iptables -A INPUT -i br0 -j ACCEPT
 iptables -A FORWARD -i br0 -j ACCEPT
 iptables -A FORWARD -i tap0 -j ACCEPT
 iptables -I OUTPUT -o tap0 -j ACCEPT
 #iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE

Asked on: 2009-08-28 at 05:46:22 (ID 24689567)
Tags: OpenVPN, Fedora, iptables, VPN
Topics: Virtual Private Networking (VPN), Linux, IP Tables/IP Chains
Participating experts: 1
Points: 500
Comments: 12

Answers

 

by: noci, posted on 2009-08-28 at 06:34:25, ID: 25207450

Is forwarding enabled on the Fedora machine? (/proc/sys/net/ipv4/ip_forward)
Are the systems routing traffic that should go through the tunnels to your Fedora machine?

 

by: SRG041808, posted on 2009-08-28 at 06:39:08, ID: 25207500

Forwarding is enabled. I am thinking that if I can ping a machine then routing is working fine.....

The bottom of the code snippet shows the iptables configuration.


 

by: noci, posted on 2009-08-28 at 07:45:51, ID: 25208213

I missed the forward there... ;-) And yes, ping does mainly check the routing.

Those iptables rules are updates to the existing tables; without all the other rules it is hard to evaluate.
They cause anything to pass between tun0, br0 & tap0,
except -o br0 on FORWARD, OUTPUT and -o tap0 on FORWARD.

The iptables rules do an insert (-I, before the first rules) for tun0, but append (-A, at the end) possibly after rules that block other interfaces, and then only partly. See before.
Also the default policies on the tables come into play.

You could insert a log rule at the front of every chain so you have proof in the log files of what is passing (or use tcpdump to see what traffic passes an interface).
A statement like
-I FORWARD -i tun0 -p tcp --syn -j LOG --log-prefix "FROM TUNNEL: "
-I FORWARD -o tun0 -p tcp --syn -j LOG --log-prefix "TO   TUNNEL: "

only tracks TCP session setup. If you want it only between br0 & tun0, then:
-I FORWARD -i tun0 -o br0 -p tcp --syn -j LOG --log-prefix "TUNNEL==LAN: "
-I FORWARD -i br0 -o tun0 -p tcp --syn -j LOG --log-prefix "LAN==TUNNEL: "

Also there is a tool called tcptraceroute that can be helpful to see where a problem might be:
http://michael.toren.net/code/tcptraceroute/

 

by: SRG041808, posted on 2009-08-28 at 08:20:19, ID: 25208574

I will see if I can get logging running.  Meanwhile I am still open to suggestions....

Thanks for the tip

 

by: SRG041808, posted on 2009-08-28 at 08:26:52, ID: 25208647


### Used the command below to show my iptables config. Not a whole lot is denied... still working on logging... just wanted to give more info for now
iptables -L -n -v


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
 290K  102M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   44  2867 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
  550 33096 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
 447K   46M ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  Auto_tap0 *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1194
  965 78366 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
  374 91722 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:23
   42  9035 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
   23  1476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   23  1476 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  Auto_tap0 *       0.0.0.0/0            0.0.0.0/0          
  386 41282 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 369K packets, 377M bytes)
pkts bytes target     prot opt in     out     source               destination        
  678  124K ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
   64 10979 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          


 

by: noci, posted on 2009-08-28 at 11:31:33, ID: 25210383

In forward is your answer:

   23  1476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   23  1476 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  Auto_tap0 *       0.0.0.0/0            0.0.0.0/0          
  386 41282 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

The icmp rule allows icmp == ping (and more);
then the next hit = 386 packets rejected by the REJECT for all ports, all interfaces, all addresses,
and it gets hit... (about 386 times).

Also you need a rule cleanup; apparently you started OpenVPN a lot and it added all those same rules up front. This just takes CPU time (if the first isn't hit)...

 

by: noci, posted on 2009-08-28 at 12:02:23, ID: 25210630

In general the appended rules just don't work.

And the rule insert needs to be more discriminating about when to insert rules.
The rules for br0 should not be in your OpenVPN config.
Also add rules to the down script(s) to remove the iptables filter rules.

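As an added illustration of noci's two points above (this is not code from the thread; the chain listing inside it is an abridged, constructed copy of the FORWARD output posted earlier), a first-match walk over the chain shows why a new TCP packet from tap0 hits the catch-all REJECT before the appended tap0/br0 ACCEPT rules are ever reached while ICMP is accepted earlier, counts the duplicated rules left by repeated OpenVPN starts, and shows what inserting (-I) instead of appending (-A) would have produced. Port matches are ignored, a simplification.

```python
"""Added example: first-match walk over an iptables chain as printed by
`iptables -L -n -v`. Only protocol, in/out interface and conntrack state
are evaluated; port matches are ignored (a simplification)."""
import re
from dataclasses import dataclass

# Abridged copy of the FORWARD chain posted in the thread (constructed sample:
# the repeated tun0 rules are cut down to two pairs, the br0/tap0 ones to two).
FORWARD_CHAIN = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
   23  1476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   23  1476 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
  386 41282 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0
"""

@dataclass
class Rule:
    target: str
    proto: str         # "all", "icmp", "tcp", "udp", ...
    in_if: str         # "*" = any; a trailing "+" is a prefix wildcard (eth+)
    out_if: str
    state: frozenset   # conntrack states matched; empty = no state match

def parse_chain(text):
    """Parse the rule rows of one `iptables -L -n -v` chain listing."""
    rules = []
    for line in text.splitlines()[2:]:      # skip "Chain ..." and the column header
        parts = line.split()
        if len(parts) < 9:
            continue
        _pkts, _bytes, target, proto, _opt, in_if, out_if, _src, _dst, *extra = parts
        m = re.search(r"\bstate\s+(\S+)", " ".join(extra))
        state = frozenset(m.group(1).split(",")) if m else frozenset()
        rules.append(Rule(target, proto, in_if, out_if, state))
    return rules

def iface_match(pattern, iface):
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def first_match(rules, in_if, out_if, proto, state, policy="ACCEPT"):
    """Return (1-based rule number, target) of the first rule the packet hits,
    or (None, policy) when it falls through to the chain policy."""
    for n, r in enumerate(rules, 1):
        if r.proto not in ("all", proto):
            continue
        if not iface_match(r.in_if, in_if) or not iface_match(r.out_if, out_if):
            continue
        if r.state and state not in r.state:
            continue
        return n, r.target
    return None, policy

def duplicate_rules(rules):
    """Identical rules and how often they occur: every OpenVPN restart in the
    thread re-ran its iptables lines, so the same rule piled up several times."""
    counts = {}
    for r in rules:
        key = (r.target, r.proto, r.in_if, r.out_if, r.state)
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v > 1}

def move_before_reject(rules):
    """What `-I` (insert at the head) instead of `-A` would have produced:
    the ACCEPT rules that were appended after the catch-all REJECT are
    deduplicated and placed in front of the chain."""
    reject_at = next(i for i, r in enumerate(rules) if r.target == "REJECT")
    late = []
    for r in rules[reject_at + 1:]:
        if r not in late:
            late.append(r)
    return late + rules[:reject_at + 1]

if __name__ == "__main__":
    rules = parse_chain(FORWARD_CHAIN)
    print("icmp tap0->br0 :", first_match(rules, "tap0", "br0", "icmp", "NEW"))
    print("tcp  tap0->br0 :", first_match(rules, "tap0", "br0", "tcp", "NEW"))
    print("duplicates     :", len(duplicate_rules(rules)))
    fixed = move_before_reject(rules)
    print("after -I fix   :", first_match(fixed, "tap0", "br0", "tcp", "NEW"))
```

Run against a live listing by feeding the output of `iptables -L FORWARD -n -v` to parse_chain; a hit on the REJECT rule for a NEW packet from tap0 is exactly the symptom the thread describes.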
 

by: SRG041808, posted on 2009-08-28 at 13:28:35, ID: 25211314

Thanks for the info... I feel like I am getting somewhere now.....  Now for the task of working with iptables.....  When this is working I will be sure to reward the points.....  


I will post comment if this resolves issue....



 

by: SRG041808, posted on 2009-08-31 at 10:53:52, ID: 25224816

I figured out how to remove the duplicates....
I removed the  reject-with icmp-host-prohibited  statements...

I have restarted the machine.....

The VPN was working.....

Then I needed to add a couple ports to be allowed...

Using the GUI firewall interface messed up my config and now I have no ping or anything....

Just below is an output that I see when I do a "tcpdump -i tap0"

IP 192.168.8.5 > 192.168.8.128: ICMP host 192.168.1.13 unreachable, length 114

192.168.8.5 is the VPN adapter, 192.168.8.128 is the VPN client, 192.168.1.13 is a host on the LAN.

I think if I can get the pings to work it should clear up my trouble....

Below is the new iptables config and packet stats....

It appears all services that need to be running are running......

Let this be a lesson to others to BACKUP/SAVE YOUR CONFIGS!!!!!!

Thanks for the help :)


#################################################################IPTABLES CONFIG
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tap0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i Auto_tap0 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 23 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 33333 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5670 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -i ppp+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i Auto_tap0 -j ACCEPT
-A FORWARD -i tap0 -j ACCEPT
-I FORWARD -o tun0 -j ACCEPT
-I OUTPUT -p icmp -j ACCEPT
-I OUTPUT -o tun0 -j ACCEPT
-I OUTPUT -o tap0 -j ACCEPT
COMMIT
 
##############################################Packet STATS
 
 
 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   505 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           
 7711  364K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    60 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 2444  226K ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  Auto_tap0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1194 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:445 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:137 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:138 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:23 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:33333 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:5670 
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    4   240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  Auto_tap0 *       0.0.0.0/0            0.0.0.0/0           
   68  7430 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           
 
Chain OUTPUT (policy ACCEPT 9860 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  5038 ACCEPT     all  --  *      tap0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0  
                                              

 

by: SRG041808, posted on 2009-08-31 at 13:49:12, ID: 25226401

Disregard my last statement...

I got it working!!!!!


Thanks for the help people!!!!

 

by: SRG041808, posted on 2009-08-31 at 13:51:15, ID: 31621681

Make this info easy to get to.... I'm sure more people could use it!

 

by: noci, posted on 2009-09-01 at 01:53:53, ID: 25229578

The reject should be at the end or the policy of a chain should be DROP ...


# -P sets a chain's default policy; it takes the chain and the target, no -j
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Otherwise all traffic can pass through.
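Two things in the poster's dump back up noci's point. All three built-in chains show "policy ACCEPT", so anything that falls off the end of a chain is let in anyway, and the blanket "-i eth+ -j ACCEPT" rule sits ahead of every per-port rule, which is why "eth+" has 2444 packets while every "dpt:" rule shows 0: they can never match. (Note also that the server config says "proto tcp" while the firewall only opens udp/1194; with the eth+ rule in place that never mattered.) The script below is an added example and is not code from this thread or from OpenVPN; it lints iptables-save output for those two problems and prints a default-deny skeleton that follows noci's advice. Interface and port names (tap0, eth+, 1194, 22) come from the thread; SAMPLE_DUMP is a constructed, cut-down copy of the poster's ruleset, not the real dump.

```shell
#!/bin/bash
# Added example for this thread, not the posters' own code.
# Lints iptables-save text for ACCEPT default policies and for per-port
# rules shadowed by an earlier blanket interface ACCEPT, then emits a
# default-deny skeleton. SAMPLE_DUMP is constructed for illustration.

# Number of built-in filter chains (INPUT/FORWARD/OUTPUT) whose default
# policy is ACCEPT. Reads iptables-save text on stdin; always exits 0 so
# the result can be captured under "set -e".
count_accept_policies() {
    n=0; table=""
    while IFS= read -r line; do
        case "$line" in
            '*'*) table=${line#\*} ;;                     # "*filter", "*nat", ...
            ':INPUT '*|':FORWARD '*|':OUTPUT '*)
                if [ "$table" = filter ]; then
                    rest=${line#* }                       # "ACCEPT [0:0]"
                    if [ "${rest%% *}" = ACCEPT ]; then n=$((n + 1)); fi
                fi ;;
        esac
    done
    echo "$n"
}

# Number of "--dport" rules that come after a blanket "-i <iface> -j ACCEPT"
# (no other match criteria, interface other than lo) in the same chain.
# Traffic on that interface is accepted before the port rule is consulted,
# which is what the poster's 0-packet counters show.
count_shadowed_port_rules() {
    n=0; blanket=" "
    while IFS= read -r line; do
        case "$line" in
            '-A '*)
                chain=${line#"-A "}; chain=${chain%% *}
                case "$line" in
                    *--dport*)
                        case "$blanket" in *" $chain "*) n=$((n + 1)) ;; esac ;;
                    *' -p '*|*' -m '*|*' -s '*|*' -d '*) ;;   # narrowed rule, not a blanket
                    *' -i '*' -j ACCEPT')
                        iface=${line#*" -i "}; iface=${iface%% *}
                        if [ "$iface" != lo ]; then blanket="$blanket$chain "; fi ;;
                esac ;;
        esac
    done
    echo "$n"
}

# Default-deny skeleton in iptables-restore format: DROP policies as noci
# suggests, the stateful rule first, then only narrow per-port rules.
# OpenVPN is tcp/1194 here because the server config says "proto tcp";
# SSH is reachable only from the VPN side (tap0). Review, then load with
# "iptables-restore < rules".
default_deny_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
-A INPUT -i tap0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap0 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample modelled on the poster's dump (not the real one).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tap0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A FORWARD -i tap0 -j ACCEPT
COMMIT'

# Stand-alone run: lint the sample, then the hardened skeleton.
# On a live box use:  iptables-save | count_accept_policies
printf 'sample:   %s ACCEPT policies, %s shadowed port rules\n' \
    "$(printf '%s\n' "$SAMPLE_DUMP" | count_accept_policies)" \
    "$(printf '%s\n' "$SAMPLE_DUMP" | count_shadowed_port_rules)"
printf 'hardened: %s ACCEPT policies, %s shadowed port rules\n' \
    "$(default_deny_ruleset | count_accept_policies)" \
    "$(default_deny_ruleset | count_shadowed_port_rules)"
```

One caveat for this particular setup: the server uses "server-bridge" with "dev tap", so the tap interface is normally enslaved to a bridge and frames between VPN clients and the LAN are switched, not routed. They only traverse the FORWARD chain when bridge-nf-call-iptables is enabled, so on a bridged host the INPUT rules (and the bridge's own filtering) are what actually protect the server.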
