marvelsoft
asked on
OpenVPN 1149 via NAT/Firewall
Experts,
I've got trouble with this script. The script's function is NAT (eth1) and FIREWALL. But my problem is how I can incorporate OpenVPN (1149?) into this script. My internal IP is 192.168.11.0/24. What about the IP I'm going to use in OpenVPN to see/browse the entire LAN?
The working script:
============
echo -e "\n\nLoading required stateful/NAT kernel modules..."
INTIF="eth0"
INTNET="192.168.11.0/24"
INTIP="192.168.11.10"
EXTIF="eth1"
EXTIP="202.x.x.x"
UNIVERSE="0.0.0.0/0"
echo 1 > /proc/sys/net/ipv4/ip_forward
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
echo -e " - Loading INPUT rulesets"
######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
######################################################################
# TRUST ANYTHING COMING IN ON LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j DROP
# these are necessary for basic networking functionality
iptables -A INPUT -i $INTIF -p icmp -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP -j ACCEPT
# THIS ALLOWS ANY TRAFFIC TO COME IN ON THE INTERNAL
# CARD - THIS IS FAR TOO STRONG. THE RULES BELOW
# ARE MORE SELECTIVE
#iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
######################################################################
# HERE ARE RULES FOR WHICH TRAFFIC ORIGINATING ON THE LOCAL
# NETWORK IS ALLOWED TO ACCESS THE FIREWALL ITSELF -
# THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
######################################################################
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# ping/echo
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
# DNS requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
# WWW requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT
# FTP requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 20:21 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT
# FTP Passive Ports requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 49152:65534 -j ACCEPT
# MYSQL requests
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT
# ident/auth
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT
# ssh
iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 22 -j ACCEPT
# UNCOMMENT THIS STANZA FOR WEB CACHE/PROXY SUPPORT
# USING A DANSGUARDIAN/SQUID SETUP
#iptables -A INPUT -i $INTIF -p tcp --dport 8080 -j ACCEPT
# Redirect port 80 to Dansguardian (port 8080)
#iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 8080
# THIS ALLOWS ANYTHING TO COME IN ON THE EXTERNAL INTERFACE.
# THIS IS FAR TOO LENIENT. UNCOMMENT ONLY FOR TESTING
# PURPOSES
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
######################################################################
# HERE ARE RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED
# ON THE EXTERNAL INTERFACE - THIS IS THE CRITICAL PART!!!
# ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY
# THE FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO
# SOME SPECIFIC MACHINE ON THE INTERNAL LAN
# SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE
######################################################################
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# ping/echo
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT
# ident/auth
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT
# ssh
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
# FTP requests
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 20:21 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT
# FTP Passive Ports requests
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 49152:65534 -j ACCEPT
# http
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
######################################################################
# SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
# LOCATE MORE SERVICES THAT YOU MIGHT WANT
# ADD YOUR OWN RULES
######################################################################
# Catch all rule, all other incoming is silently dropped (use -j drop-and-log-it to log it)
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo -e " - Loading OUTPUT rulesets"
######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# YOU WILL PROBABLY NOT NEED TO MODIFY THE OUTGOING RULES
# UNLESS YOU REALLY WANT A BOMBPROOF FIREWALL
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j DROP
# loopback is valid
iptables -A OUTPUT -o lo -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -j ACCEPT
# Catch all rule, all other outgoing is silently dropped (use -j drop-and-log-it to log it)
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo -e " - Loading FORWARD rulesets"
######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
######################################################################
######################################################################
# ADD PORT FORWARDING RULES HERE
# ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
# "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
######################################################################
######################################################################
# EXAMPLE FORWARD PORT 80 TO COMPUTER ON LAN WITH IP 192.168.200.5
#iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
# -j DNAT --to-destination 192.168.200.5
# -d pins the FORWARD rule to the DNAT target so only that host is reachable
#iptables -A FORWARD -i $EXTIF -p tcp -d 192.168.200.5 --dport 80 -j ACCEPT
######################################################################
# ADD YOUR RULES HERE FOR TRAFFIC THAT WILL BE
# FORWARDED FROM THE INTERNAL INTERFACE TO THE
# EXTERNAL INTERFACE - this is not as critical as
# the INCOMING filter above, but still worthwhile
######################################################################
# Enable (MASQUERADE) functionality on $EXTIF for the internal LAN ($INTNET)
iptables -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j MASQUERADE
# allow any previously established traffic through
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP protocol necessary for ping, etc
iptables -A FORWARD -i $INTIF -p icmp -j ACCEPT
# high port numbers allowed out
iptables -A FORWARD -i $INTIF -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 1024:65535 -j ACCEPT
# ping/echo
iptables -A FORWARD -i $INTIF -p tcp --dport 7 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 7 -j ACCEPT
# DNS
iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT
# ident/auth
iptables -A FORWARD -i $INTIF -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 113 -j ACCEPT
# ssh
iptables -A FORWARD -i $INTIF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 22 -j ACCEPT
# http
iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 80 -j ACCEPT
# https
iptables -A FORWARD -i $INTIF -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 443 -j ACCEPT
# ftp
iptables -A FORWARD -i $INTIF -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $INTIF -p udp --dport 21 -j ACCEPT
# this allows everything through
#iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is silently dropped (use -j drop-and-log-it to log it)
iptables -A FORWARD -j DROP
echo -e "NAT/Firewall server rule loading complete\n\n"
===========
end.
Thank you very much.
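The rules the posted script is missing for an OpenVPN server running on the firewall itself, as an added example that is not code from the original post or from any reply in the thread. It assumes things the post does not state: the tunnel device is tun0, the VPN pool is 192.168.0.0/24 (the pool the poster's later server.conf hands out), and the daemon listens on udp/1194, the port OpenVPN actually uses (the "1149" in the question is a transposition). EXTIP keeps the post's own placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: the rules the posted
# NAT/firewall script needs for an OpenVPN server that runs on the firewall
# itself.  Assumed, because the post does not say: the tunnel device is tun0,
# the VPN pool is 192.168.0.0/24 and the daemon listens on udp/1194, the port
# OpenVPN actually uses (the "1149" in the question is a transposition).

# Same variables as the posted script.  EXTIP is the post's own placeholder;
# substitute the real public address before applying anything.
INTIF="eth0";  INTNET="192.168.11.0/24";  INTIP="192.168.11.10"
EXTIF="eth1";  EXTIP="202.x.x.x";         UNIVERSE="0.0.0.0/0"
VPNIF="tun0";  VPNNET="192.168.0.0/24";   VPNPORT="1194"

# Print the extra rules.  They use -A like the rest of the script, so paste
# each group into the matching chain ABOVE that chain's final "-j DROP";
# appended after the script has already run they would sit below the DROP
# and never match.
openvpn_rules() {
  cat <<EOF
# --- INPUT: insert above the INPUT catch-all DROP ---
# OpenVPN control and data channel from the Internet to the daemon on this box
iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport $VPNPORT -j ACCEPT
# anti-spoofing: VPN-pool source addresses are only legitimate on the tunnel
iptables -A INPUT -i $EXTIF -s $VPNNET -j DROP
iptables -A INPUT -i $INTIF -s $VPNNET -j DROP
# decrypted packets from VPN clients to the firewall itself (tighten to
# specific ports if clients should not be able to manage the firewall)
iptables -A INPUT -i $VPNIF -s $VPNNET -j ACCEPT
# --- OUTPUT: insert above the OUTPUT catch-all DROP ---
# OUTPUT policy is DROP and the script only opens lo, $INTIF and $EXTIF;
# without this the firewall's own replies never enter the tunnel
iptables -A OUTPUT -o $VPNIF -j ACCEPT
# --- FORWARD: insert above "iptables -A FORWARD -j DROP" ---
# VPN clients -> LAN, limited to the two networks involved
iptables -A FORWARD -i $VPNIF -o $INTIF -s $VPNNET -d $INTNET -j ACCEPT
# LAN -> VPN clients: replies only, so LAN hosts cannot open sessions into the VPN
iptables -A FORWARD -i $INTIF -o $VPNIF -s $INTNET -d $VPNNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only needed for LAN hosts whose default gateway is NOT $INTIP and which
# therefore have no return route to $VPNNET:
# iptables -t nat -A POSTROUTING -s $VPNNET -o $INTIF -j MASQUERADE
EOF
}

# Number of active (uncommented) rules emitted above.
rule_count() { openvpn_rules | grep -c '^iptables'; }

# Apply the rules directly as root (pasting them into the script is the
# durable option, since the script flushes everything on each run).
apply_rules() { openvpn_rules | sh -e; }

# Post-apply sanity check on the firewall host.
check_host() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || { echo "ip_forward is off"; return 1; }
  ss -lun 2>/dev/null | grep -q ":$VPNPORT " || { echo "nothing listening on udp/$VPNPORT"; return 1; }
  echo "forwarding on, OpenVPN listening on udp/$VPNPORT"
}

openvpn_rules
```

Two points are easy to miss in the posted script. The OUTPUT chain has a DROP policy and only opens lo, eth0 and eth1, so without the tun0 rule the firewall accepts the VPN handshake but its own packets to clients never leave; and the anti-spoofing DROPs matter because the script trusts anything arriving on eth0 from 192.168.11.0/24 but says nothing about the VPN pool, which would otherwise be accepted from the wrong side. The return path from the LAN needs no extra work when 192.168.11.10 is already every LAN host's default gateway, which it is for hosts that use this box for NAT; only hosts with a different gateway need a static route to 192.168.0.0/24 via 192.168.11.10 or the commented MASQUERADE line.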
ASKER
I've already tried your suggestions, guys; it works already. Thank you.
Another thing: how can I see/browse my entire LAN using OpenVPN? Are there any other routing procedures to configure?
My Internal LAN is "192.168.11.0/24".
And this is my OpenVPN server.conf
=====================
port 1194
proto udp
dev tun
dh dh1024.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
=====================
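The posted server.conf with the directives that make the 192.168.11.0/24 LAN reachable from VPN clients, as an added example rather than the poster's own file or a reply from the thread. The file names for the PKI material (ca.crt, server.crt, server.key, dh2048.pem) are assumed because the post does not show them; the 192.168.0.0/24 pool and the remaining settings are the poster's.

```conf
# Added example, not the poster's file: the posted server.conf plus the
# directives that let clients reach the 192.168.11.0/24 LAN.  The PKI file
# names (ca.crt, server.crt, server.key, dh2048.pem) are assumed.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# The posted dh1024.pem is below the 2048-bit floor current guidance sets;
# regenerate with: openssl dhparam -out dh2048.pem 2048
dh dh2048.pem
# VPN pool, kept from the post.  192.168.0.0/24 is also the default LAN of
# many home routers, so a client on such a LAN cannot use this server;
# 10.8.0.0/24 is the usual low-collision choice.
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# The directive the question is missing: every client is handed a route to
# the office LAN through the tunnel.  Without it clients reach only the
# server's tunnel address.
push "route 192.168.11.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```

The pushed route only gets traffic as far as the firewall; the firewall must also accept udp/1194 on eth1, open tun0 in its OUTPUT chain and forward between tun0 and eth0, and the posted script already turns on ip_forward. On a connected client, `ip route` (or `route print` on Windows) should show 192.168.11.0/24 via the tunnel, and a `traceroute` to a LAN host should show the server's tunnel address as the first hop. comp-lzo is kept from the post, but compression on a VPN lets an attacker who can inject chosen data into the tunnel infer secrets from the compressed size (the VORACLE class of attacks), so drop it unless a client actually needs it.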