OpenVPN 1149 via NAT/Firewall

Posted on 2006-04-21
Last Modified: 2013-12-15
Experts,

I've got trouble with this script. The script's function is NAT (eth1) and FIREWALL. But my problem is how I can incorporate OpenVPN (1149?) into this script. My internal IP is 192.168.11.0/24. What about the IP I'm going to use in OpenVPN to see/browse the entire LAN?

The working script:
============
      echo -e "\n\nLoading required stateful/NAT kernel modules..."

      INTIF="eth0"
      INTNET="192.168.11.0/24"
      INTIP="192.168.11.10"

      EXTIF="eth1"
      EXTIP="202.x.x.x"

      UNIVERSE="0.0.0.0/0"

      echo 1 > /proc/sys/net/ipv4/ip_forward

      # Clear any existing rules and setting default policy to DROP
      iptables -P INPUT DROP
      iptables -F INPUT
      iptables -P OUTPUT DROP
      iptables -F OUTPUT
      iptables -P FORWARD DROP
      iptables -F FORWARD
      iptables -F -t nat

      # Flush the user chain.. if it exists
      if [ "`iptables -L | grep drop-and-log-it`" ]; then
         iptables -F drop-and-log-it
      fi

      # Delete all User-specified chains
      iptables -X

      # Reset all IPTABLES counters
      iptables -Z

      # Creating a DROP chain
      iptables -N drop-and-log-it
      iptables -A drop-and-log-it -j LOG --log-level info
      iptables -A drop-and-log-it -j REJECT

      echo -e "     - Loading INPUT rulesets"

      #######################################################################
      # INPUT: Incoming traffic from various interfaces.  All rulesets are
      #        already flushed and set to a default policy of DROP.
      #######################################################################

      # TRUST ANYTHING COMING IN ON LOOPBACK
      iptables -A INPUT -i lo -j ACCEPT

      # remote interface, claiming to be local machines, IP spoofing, get lost
      iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j DROP

      # these are necessary for basic networking functionality
      iptables -A INPUT -i $INTIF -p icmp -s $INTNET -d $UNIVERSE -j ACCEPT
      iptables -A INPUT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP -j ACCEPT

      # THIS ALLOWS ANY TRAFFIC TO COME IN ON THE INTERNAL
      # CARD - THIS IS FAR TOO STRONG.  THE RULES BELOW
      # ARE MORE SELECTIVE
      #iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

      #######################################################################
      # HERE ARE RULES FOR WHICH TRAFFIC ORIGINATING ON THE LOCAL
      # NETWORK IS ALLOWED TO ACCESS THE FIREWALL ITSELF -
      # THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
      #######################################################################

      # Allow any related traffic coming back to the MASQ server in
      iptables -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

      # ping/echo
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT

      # DNS requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT

      # WWW requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT

      # FTP requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 20:21 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT

      # FTP Passive Ports requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 49152:65534 -j ACCEPT

      # MYSQL requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT

      # ident/auth
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT

      # ssh
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 22 -j ACCEPT

      # UNCOMMENT THIS STANZA FOR WEB CACHE/PROXY SUPPORT
      # USING A DANSGUARDIAN/SQUID SETUP
      #iptables -A INPUT -i $INTIF -p tcp --dport 8080 -j ACCEPT
      # Redirect port 80 to Dansguardian (port 8080)
      #iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 8080

 
      # THIS ALLOWS ANYTHING TO COME IN ON THE EXTERNAL INTERFACE.
      # THIS IS FAR TOO LENIENT.  UNCOMMENT ONLY FOR TESTING
      # PURPOSES
      #iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

      #######################################################################
      # HERE ARE RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED
      # ON THE EXTERNAL INTERFACE - THIS IS THE CRITICAL PART!!!
      # ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY
      # THE FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO
      # SOME SPECIFIC MACHINE ON THE INTERNAL LAN
      # SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE
      #######################################################################

      # Allow any related traffic coming back to the MASQ server in
      iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

      # ping/echo
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT

      # ident/auth
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT

      # ssh
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

      # FTP requests
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 20:21 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT

      # FTP Passive Ports requests
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 49152:65534 -j ACCEPT

      # http
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

      #######################################################################
      # SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
      # LOCATE MORE SERVICES THAT YOU MIGHT WANT
      # ADD YOUR OWN RULES
      #######################################################################

      # Catch all rule, all other incoming is denied and logged.
      iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP

      
      echo -e "     - Loading OUTPUT rulesets"

      #######################################################################
      # OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
      #         already flushed and set to a default policy of DROP.
      #

      # YOU WILL PROBABLY NOT NEED TO MODIFY THE OUTGOING RULES
      # UNLESS YOU REALLY WANT A BOMBPROOF FIREWALL

      # outgoing to local net on remote interface, stuffed routing, deny
      iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j DROP

      # loopback is valid
      iptables -A OUTPUT -o lo -j ACCEPT

      # local interface, any source going to local net is valid
      iptables -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT

      # anything else outgoing on remote interface is valid
      iptables -A OUTPUT -o $EXTIF -j ACCEPT

      # Catch all rule, all other outgoing is denied and logged.
      iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP

      echo -e "     - Loading FORWARD rulesets"

      #######################################################################
      # FORWARD: Enable Forwarding and thus IPMASQ
      #######################################################################

      #######################################################################
      # ADD PORT FORWARDING RULES HERE
      # ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
      # "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
      #######################################################################

      #######################################################################
      # EXAMPLE FORWARD PORT 80 TO COMPUTER ON LAN WITH IP 192.168.200.5
      #iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
      #  -j DNAT --to-destination 192.168.200.5
      #iptables -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT

      #######################################################################
      # ADD YOUR RULES HERE FOR TRAFFIC THAT WILL BE
      # FORWARDED FROM THE INTERNAL INTERFACE TO THE
      # EXTERNAL INTERFACE - this is not as critical as
      # the INCOMING filter above, but still worthwhile
      #######################################################################

      # Enable (MASQUERADE) functionality on $EXTIF for the internal LAN
      # (must be the same network as INTNET, otherwise LAN hosts are not translated)
      iptables -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j MASQUERADE

      # allow any previously established traffic through
      iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

      # ICMP protocol necessary for ping, etc
      iptables -A FORWARD -i $INTIF -p icmp -j ACCEPT

      # high port numbers allowed out
      iptables -A FORWARD -i $INTIF -p tcp --dport 1024:65535 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 1024:65535 -j ACCEPT

      # ping/echo
      iptables -A FORWARD -i $INTIF -p tcp --dport 7 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 7 -j ACCEPT

      # DNS
      iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT

      # ident/auth
      iptables -A FORWARD -i $INTIF -p tcp --dport 113 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 113 -j ACCEPT
      
      # ssh
      iptables -A FORWARD -i $INTIF -p tcp --dport 22 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 22 -j ACCEPT

      # http
      iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 80 -j ACCEPT

      # https
      iptables -A FORWARD -i $INTIF -p tcp --dport 443 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 443 -j ACCEPT

      # ftp
      iptables -A FORWARD -i $INTIF -p tcp --dport 20:21 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 21 -j ACCEPT

      # this allows everything through
      #iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

      # Catch all rule, all other forwarding is denied and logged.
      iptables -A FORWARD -j DROP


      echo -e "NAT/Firewall server rule loading complete\n\n"

===========
end.

Thank you very much.
Question by:marvelsoft
3 Comments
LVL 3

Assisted Solution

by:evangineerX
evangineerX earned 240 total points
ID: 16530267
LVL 4

Accepted Solution

by:
Myrandor earned 240 total points
ID: 16531343
Make sure to open the UDP or TCP port which was configured in your openvpn conf file.

For example, you could add this line
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 1149 -j ACCEPT
if you are using the default config.
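The script in the question ends its INPUT, OUTPUT and FORWARD chains with an unconditional DROP, so a rule only takes effect if it sits above that catch-all in its chain; a rule appended afterwards with `-A` (by hand, or pasted below the catch-all) is never consulted. The following is an added example, not code from the thread: a small check that reads `iptables -S` style output and lists every rule shadowed by an earlier unconditional DROP/REJECT in the same chain. The sample rule list embedded in it is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag firewall rules that can never match
# because an earlier rule in the same chain is an unconditional DROP/REJECT.
# Input is iptables -S / iptables-save style text; RULES_SAMPLE is a constructed
# sample modelled on the script in the question, with two dead rules in it.

RULES_SAMPLE='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -d 202.x.x.x --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
-A INPUT -i eth1 -p udp -d 202.x.x.x --dport 1194 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT'

# shadowed_rules [text]: print every "-A" rule that follows a catch-all in its
# chain. A catch-all is a rule whose only match criteria are 0.0.0.0/0 source
# and destination (or none at all) and whose target is DROP or REJECT.
shadowed_rules() {
    printf '%s\n' "${1:-$RULES_SAMPLE}" | awk '
        function is_catchall(   i) {
            if ($1 != "-A") return 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s" || $i == "-d") {
                    if ($(i + 1) != "0.0.0.0/0") return 0
                    i++
                    continue
                }
                if ($i == "-j") return ($(i + 1) == "DROP" || $(i + 1) == "REJECT")
                return 0    # -i, -p, --dport, -m ...: the rule is selective
            }
            return 0
        }
        $1 == "-A" {
            if ($2 in dead) { print; next }   # chain already terminated above
            if (is_catchall()) dead[$2] = NR
        }'
}

# count_shadowed [text]: number of dead rules; handy as a deploy-time check
count_shadowed() {
    shadowed_rules "$1" | awk 'END { print NR }'
}

# Run on the sample: prints the udp/1194 INPUT rule and the tun0 FORWARD rule.
shadowed_rules
```

On a live box the same check is `iptables -S | sh -c '. ./thisfile; shadowed_rules "$(cat)"'` style input; a non-zero `count_shadowed` after loading the script means a rule was placed below the chain's catch-all and has to move above it.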

Author Comment

by:marvelsoft
ID: 16559162
Experts,

I've already tried your suggestions, guys; it works already. Thank you.
Another thing is how I can see/browse my entire LAN using OpenVPN. Are there any other routing procedures to configure?

My Internal LAN is "192.168.11.0/24".

And this is my OpenVPN server.conf

=====================
port 1194
proto udp
dev tun
dh dh1024.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
=====================

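The question asks how to fit OpenVPN into the NAT/firewall script, and the follow-up asks how to reach the whole LAN through the tunnel. The following is an added example, not code from the thread or from the OpenVPN project. It takes the interfaces, the LAN subnet and the `port`, `proto` and `server` lines from the posts above; the tunnel interface name `tun0` is an assumption (the first tun device OpenVPN creates). With `IPT` left at its default of `echo iptables` it only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the thread): the rules and the one server.conf line
# needed to run OpenVPN on the NAT/firewall box from the question and reach
# the LAN through it. Assumptions: tunnel interface tun0; EXTIP is the
# placeholder used in the question. Everything else comes from the posts.

INTIF="eth0"
LANNET="192.168.11.0"; LANMASK="255.255.255.0"
INTNET="$LANNET/24"
EXTIF="eth1"
EXTIP="202.x.x.x"          # placeholder, as in the question
VPNIF="tun0"               # assumption
UNIVERSE="0.0.0.0/0"
: "${IPT:=echo iptables}"  # set IPT=iptables to really load the rules (as root)

# The relevant server.conf lines, copied from the thread so they can be parsed
# instead of retyped (the thread's title says 1149, the conf says 1194).
SERVER_CONF='port 1194
proto udp
dev tun
server 192.168.0.0 255.255.255.0'

# conf_field KEY N: the Nth word after KEY in server.conf (first match wins)
conf_field() {
    printf '%s\n' "$SERVER_CONF" | awk -v k="$1" -v n="$2" '$1 == k { print $(n + 1); exit }'
}

# vpn_net: the tunnel subnet in "network/dotted-mask" form, which iptables accepts
vpn_net() { printf '%s/%s\n' "$(conf_field server 1)" "$(conf_field server 2)"; }

# openvpn_rules: emit the rules. Each group belongs ABOVE the matching chain's
# catch-all DROP in the script; appended below it they never match.
openvpn_rules() {
    vpnport=$(conf_field port 1)
    vpnproto=$(conf_field proto 1)
    vpnnet=$(vpn_net)

    # INPUT: remote clients reach the daemon on the external interface.
    $IPT -A INPUT -i "$EXTIF" -p "$vpnproto" -s "$UNIVERSE" -d "$EXTIP" --dport "$vpnport" -j ACCEPT
    # INPUT/OUTPUT: decrypted packets appear on tun0, an interface the script
    # never mentions, so its default DROP policies would eat them both ways.
    $IPT -A INPUT  -i "$VPNIF" -s "$vpnnet" -j ACCEPT
    $IPT -A OUTPUT -o "$VPNIF" -d "$vpnnet" -j ACCEPT
    # FORWARD: VPN clients into the LAN; only replies back into the tunnel.
    $IPT -A FORWARD -i "$VPNIF" -o "$INTIF" -s "$vpnnet" -d "$INTNET" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$VPNIF" -s "$INTNET" -d "$vpnnet" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts have no route back to the tunnel subnet unless this box is
    # their default gateway; hiding VPN clients behind the LAN address avoids
    # touching every host (the alternative is a static route on each of them).
    $IPT -t nat -A POSTROUTING -s "$vpnnet" -o "$INTIF" -j MASQUERADE
}

# server_conf_addition: without this line clients never send LAN-bound
# traffic into the tunnel, whatever the firewall allows.
server_conf_addition() {
    printf 'push "route %s %s"\n' "$LANNET" "$LANMASK"
}

openvpn_rules
server_conf_addition
```

Paste the INPUT lines above the script's `iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP`, the OUTPUT line above the OUTPUT catch-all, and the FORWARD and POSTROUTING lines above `iptables -A FORWARD -j DROP`; the `push "route ..."` line goes into server.conf next to the existing `server` line, after which clients must reconnect to pick it up.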