marvelsoft asked:

OpenVPN 1149 via NAT/Firewall

Experts,

I've run into trouble with this script. The script's function is NAT (eth1) and FIREWALL. But my problem is how I can incorporate OpenVPN (1149?) into this script. My internal IP is 192.168.11.0/24. What about the IP I'm going to use in OpenVPN to see/browse the entire LAN?

The working script:
============
      echo -e "\n\nLoading required stateful/NAT kernel modules..."

      INTIF="eth0"
      INTNET="192.168.11.0/24"
      INTIP="192.168.11.10"

      EXTIF="eth1"
      EXTIP="202.x.x.x"

      UNIVERSE="0.0.0.0/0"

      echo 1 > /proc/sys/net/ipv4/ip_forward

      # Clear any existing rules and set the default policy to DROP
      iptables -P INPUT DROP
      iptables -F INPUT
      iptables -P OUTPUT DROP
      iptables -F OUTPUT
      iptables -P FORWARD DROP
      iptables -F FORWARD
      iptables -F -t nat

      # Flush the user chain.. if it exists
      if [ "`iptables -L | grep drop-and-log-it`" ]; then
         iptables -F drop-and-log-it
      fi

      # Delete all User-specified chains
      iptables -X

      # Reset all IPTABLES counters
      iptables -Z

      # Creating a DROP chain that logs the packet, then drops it
      iptables -N drop-and-log-it
      iptables -A drop-and-log-it -j LOG --log-level info --log-prefix "FW-DROP: "
      iptables -A drop-and-log-it -j DROP

      echo -e "     - Loading INPUT rulesets"

      #######################################################################
      # INPUT: Incoming traffic from various interfaces.  All rulesets are
      #        already flushed and set to a default policy of DROP.
      #######################################################################

      # TRUST ANYTHING COMING IN ON LOOPBACK
      iptables -A INPUT -i lo -j ACCEPT

      # remote interface, claiming to be local machines, IP spoofing, get lost
      iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j DROP

      # these are necessary for basic networking functionality
      iptables -A INPUT -i $INTIF -p icmp -s $INTNET -d $UNIVERSE -j ACCEPT
      iptables -A INPUT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP -j ACCEPT

      # THIS ALLOWS ANY TRAFFIC TO COME IN ON THE INTERNAL
      # CARD - THIS IS FAR TOO STRONG.  THE RULES BELOW
      # ARE MORE SELECTIVE
      #iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

      #######################################################################
      # HERE ARE RULES FOR WHICH TRAFFIC ORIGINATING ON THE LOCAL
      # NETWORK IS ALLOWED TO ACCESS THE FIREWALL ITSELF -
      # THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
      #######################################################################

      # Allow any related traffic coming back to the MASQ server in
      iptables -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

      # echo service (TCP/UDP port 7); ICMP ping is accepted above
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT

      # DNS requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT

      # WWW requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT

      # FTP requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 20:21 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT

      # FTP Passive Ports requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 49152:65534 -j ACCEPT

      # MYSQL requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT

      # ident/auth
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT

      # ssh
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 22 -j ACCEPT

      # UNCOMMENT THIS STANZA FOR WEB CACHE/PROXY SUPPORT
      # USING A DANSGUARDIAN/SQUID SETUP
      #iptables -A INPUT -i $INTIF -p tcp --dport 8080 -j ACCEPT
      # Redirect port 80 to Dansguardian (port 8080)
      #iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 8080

 
      # THIS ALLOWS ANYTHING TO COME IN ON THE EXTERNAL INTERFACE.
      # THIS IS FAR TOO LENIENT.  UNCOMMENT ONLY FOR TESTING
      # PURPOSES
      #iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

      #######################################################################
      # HERE ARE RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED
      # ON THE EXTERNAL INTERFACE - THIS IS THE CRITICAL PART!!!
      # ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY
      # THE FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO
      # SOME SPECIFIC MACHINE ON THE INTERNAL LAN
      # SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE
      #######################################################################

      # Allow any related traffic coming back to the MASQ server in
      iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

      # echo service (TCP/UDP port 7); ICMP ping is accepted above
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT

      # ident/auth
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT

      # ssh
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

      # FTP requests
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 20:21 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT

      # FTP Passive Ports requests
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 49152:65534 -j ACCEPT

      # http
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

      #######################################################################
      # SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
      # LOCATE MORE SERVICES THAT YOU MIGHT WANT
      # ADD YOUR OWN RULES
      #######################################################################

      # Catch all rule, all other incoming is denied and logged.
      iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

      
      echo -e "     - Loading OUTPUT rulesets"

      #######################################################################
      # OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
      #         already flushed and set to a default policy of DROP.
      #######################################################################

      # YOU WILL PROBABLY NOT NEED TO MODIFY THE OUTGOING RULES
      # UNLESS YOU REALLY WANT A BOMBPROOF FIREWALL

      # outgoing to local net on remote interface, stuffed routing, deny
      iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j DROP

      # loopback is valid
      iptables -A OUTPUT -o lo -j ACCEPT

      # local interface, any source going to local net is valid
      iptables -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT

      # anything else outgoing on remote interface is valid
      iptables -A OUTPUT -o $EXTIF -j ACCEPT

      # Catch all rule, all other outgoing is denied and logged.
      iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

      echo -e "     - Loading FORWARD rulesets"

      #######################################################################
      # FORWARD: Enable Forwarding and thus IPMASQ
      #######################################################################

      #######################################################################
      # ADD PORT FORWARDING RULES HERE
      # ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
      # "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
      #######################################################################

      #######################################################################
      # EXAMPLE FORWARD PORT 80 TO COMPUTER ON LAN WITH IP 192.168.200.5
      #iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
      #  -j DNAT --to-destination 192.168.200.5
      #iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.200.5 --dport 80 -j ACCEPT

      #######################################################################
      # ADD YOUR RULES HERE FOR TRAFFIC THAT WILL BE
      # FORWARDED FROM THE INTERNAL INTERFACE TO THE
      # EXTERNAL INTERFACE - this is not as critical as
      # the INCOMING filter above, but still worthwhile
      #######################################################################

      # Enable (MASQUERADE) functionality on $EXTIF for the internal LAN
      iptables -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j MASQUERADE

      # allow any previously established traffic through
      iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

      # ICMP protocol necessary for ping, etc
      iptables -A FORWARD -i $INTIF -p icmp -j ACCEPT

      # high port numbers allowed out
      iptables -A FORWARD -i $INTIF -p tcp --dport 1024:65535 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 1024:65535 -j ACCEPT

      # echo service (TCP/UDP port 7); ICMP for ping is accepted above
      iptables -A FORWARD -i $INTIF -p tcp --dport 7 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 7 -j ACCEPT

      # DNS
      iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT

      # ident/auth
      iptables -A FORWARD -i $INTIF -p tcp --dport 113 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 113 -j ACCEPT
      
      # ssh
      iptables -A FORWARD -i $INTIF -p tcp --dport 22 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 22 -j ACCEPT

      # http
      iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 80 -j ACCEPT

      # https
      iptables -A FORWARD -i $INTIF -p tcp --dport 443 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 443 -j ACCEPT

      # ftp
      iptables -A FORWARD -i $INTIF -p tcp --dport 20:21 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 21 -j ACCEPT

      # this allows everything through
      #iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

      # Catch all rule, all other forwarding is denied and logged.
      iptables -A FORWARD -j drop-and-log-it


      echo -e "NAT/Firewall server rule loading complete\n\n"

===========
end.

Thank you very much.
SOLUTION by evangineerX

ASKER CERTIFIED SOLUTION
marvelsoft (ASKER)
Experts,

I've already tried your suggestions, guys; it works already. Thank you.
Another thing: how can I see/browse my entire LAN using OpenVPN? Are there any other routing procedures to configure?

My Internal LAN is "192.168.11.0/24".

And this is my OpenVPN server.conf

=====================
port 1194
proto udp
dev tun
dh dh1024.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
=====================
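As an added example that is not part of the original thread (the accepted solution above is hidden), the following script answers both posts: the OpenVPN rules to add to the NAT/firewall script, and the server.conf push route that lets clients reach the LAN. It assumes tun0 as the tunnel interface, the 192.168.0.0/24 pool from the posted server.conf, and the hypothetical function names openvpn_rules, prefix_to_mask and openvpn_push_route; the other variables mirror the posted script.

```shell
#!/bin/sh
# Added example, not from the original thread. OpenVPN additions for the
# NAT/firewall script above. Assumptions: the tunnel interface is tun0 and
# the VPN pool is 192.168.0.0/24 (from the posted server.conf); the other
# variables mirror the posted script. IPT=echo prints rules instead of applying.
IPT="${IPT:-iptables}"
EXTIF="${EXTIF:-eth1}"; INTIF="${INTIF:-eth0}"; VPNIF="${VPNIF:-tun0}"
EXTIP="${EXTIP:-202.x.x.x}"              # placeholder, as in the posted script
INTNET="${INTNET:-192.168.11.0/24}"; VPNNET="${VPNNET:-192.168.0.0/24}"
VPNPORT="${VPNPORT:-1194}"
# Insert these before the catch-all DROPs of the INPUT/OUTPUT/FORWARD chains.
openvpn_rules() {
    # 1. The daemon on the firewall must receive the UDP handshake (proto udp,
    #    port 1194 in server.conf) on the external interface.
    $IPT -A INPUT -i "$EXTIF" -p udp -d "$EXTIP" --dport "$VPNPORT" -j ACCEPT
    # 2. Trust the decrypted tunnel only for the configured pool; anything
    #    else arriving on tun0 is spoofed and gets dropped.
    $IPT -A INPUT -i "$VPNIF" ! -s "$VPNNET" -j DROP
    $IPT -A INPUT -i "$VPNIF" -s "$VPNNET" -j ACCEPT
    # 3. OUTPUT policy is DROP, so replies from the firewall into the tunnel
    #    need an explicit rule too.
    $IPT -A OUTPUT -o "$VPNIF" -d "$VPNNET" -j ACCEPT
    # 4. VPN clients may open connections into the LAN; LAN replies may return.
    $IPT -A FORWARD -i "$VPNIF" -o "$INTIF" -s "$VPNNET" -d "$INTNET" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$VPNIF" -s "$INTNET" -d "$VPNNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 5. LAN hosts whose default gateway is not this box have no route back to
    #    the VPN pool; masquerading the pool behind the firewall's LAN address
    #    avoids a static route on the gateway or on every host.
    $IPT -t nat -A POSTROUTING -s "$VPNNET" -o "$INTIF" -j MASQUERADE
}

prefix_to_mask() {   # 24 -> 255.255.255.0 (POSIX arithmetic, no bc needed)
    bits=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then o=255; bits=$((bits - 8))
        else o=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
        mask="${mask:+$mask.}$o"
    done
    printf '%s\n' "$mask"
}

# server.conf line that makes clients send LAN traffic through the tunnel.
openvpn_push_route() {
    printf 'push "route %s %s"\n' "${INTNET%/*}" "$(prefix_to_mask "${INTNET#*/}")"
}

if [ "${1:-}" = "--apply" ]; then openvpn_rules; else IPT=echo openvpn_rules; fi
openvpn_push_route
```

Insert the rules ahead of each chain's catch-all line, because iptables stops at the first matching rule. A 192.168.0.0/24 VPN pool collides with many home LANs that clients connect from, and the dh1024.pem in the posted server.conf is below today's recommended 2048-bit DH size.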