OpenVPN 1149 via NAT/Firewall

Experts,

I've got trouble with this script. The script's function is NAT (eth1) and firewall. But my problem is how I can incorporate OpenVPN (1149?) into this script. My internal IP is 192.168.11.0/24. What about the IP I'm going to use in OpenVPN to see/browse the entire LAN?

The working script:
============
      echo -e "\n\nLoading required stateful/NAT kernel modules..."

      INTIF="eth0"
      INTNET="192.168.11.0/24"
      INTIP="192.168.11.10"

      EXTIF="eth1"
      EXTIP="202.x.x.x"

      UNIVERSE="0.0.0.0/0"

      echo 1 > /proc/sys/net/ipv4/ip_forward

      # Clear any existing rules and setting default policy to DROP
      iptables -P INPUT DROP
      iptables -F INPUT
      iptables -P OUTPUT DROP
      iptables -F OUTPUT
      iptables -P FORWARD DROP
      iptables -F FORWARD
      iptables -F -t nat

      # Flush the user chain.. if it exists
      if [ "`iptables -L | grep drop-and-log-it`" ]; then
         iptables -F drop-and-log-it
      fi

      # Delete all User-specified chains
      iptables -X

      # Reset all IPTABLES counters
      iptables -Z

      # Creating a DROP chain
      iptables -N drop-and-log-it
      iptables -A drop-and-log-it -j LOG --log-level info
      iptables -A drop-and-log-it -j REJECT

      echo -e "     - Loading INPUT rulesets"

      #######################################################################
      # INPUT: Incoming traffic from various interfaces.  All rulesets are
      #        already flushed and set to a default policy of DROP.
      #######################################################################

      # TRUST ANYTHING COMING IN ON LOOPBACK
      iptables -A INPUT -i lo -j ACCEPT

      # remote interface, claiming to be local machines, IP spoofing, get lost
      iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j DROP

      # these are necessary for basic networking functionality
      iptables -A INPUT -i $INTIF -p icmp -s $INTNET -d $UNIVERSE -j ACCEPT
      iptables -A INPUT -i $EXTIF -p icmp -s $UNIVERSE -d $EXTIP -j ACCEPT

      # THIS ALLOWS ANY TRAFFIC TO COME IN ON THE INTERNAL
      # CARD - THIS IS FAR TOO STRONG.  THE RULES BELOW
      # ARE MORE SELECTIVE
      #iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

      #######################################################################
      # HERE ARE RULES FOR WHICH TRAFFIC ORIGINATING ON THE LOCAL
      # NETWORK IS ALLOWED TO ACCESS THE FIREWALL ITSELF -
      # THIS HAS NOTHING TO DO WITH WHAT IS FORWARDED THROUGH!!!
      #######################################################################

      # Allow any related traffic coming back to the MASQ server in
      iptables -A INPUT -i $INTIF -s $INTNET -d $INTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

      # ping/echo
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 7 -j ACCEPT

      # DNS requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 53 -j ACCEPT

      # WWW requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 80 -j ACCEPT

      # FTP requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 20:21 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 21 -j ACCEPT

      # FTP Passive Ports requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 49152:65534 -j ACCEPT

      # MYSQL requests
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 3306 -j ACCEPT

      # ident/auth
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT
      iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 113 -j ACCEPT

      # ssh
      iptables -A INPUT -i $INTIF -p tcp -s $INTNET -d $UNIVERSE --dport 22 -j ACCEPT

      # UNCOMMENT THIS STANZA FOR WEB CACHE/PROXY SUPPORT
      # USING A DANSGUARDIAN/SQUID SETUP
      #iptables -A INPUT -i $INTIF -p tcp --dport 8080 -j ACCEPT
      # Redirect port 80 to Dansguardian (port 8080)
      #iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 8080

 
      # THIS ALLOWS ANYTHING TO COME IN ON THE EXTERNAL INTERFACE.
      # THIS IS FAR TOO LENIENT.  UNCOMMENT ONLY FOR TESTING
      # PURPOSES
      #iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

      #######################################################################
      # HERE ARE RULES FOR WHICH *INBOUND* TRAFFIC IS ALLOWED
      # ON THE EXTERNAL INTERFACE - THIS IS THE CRITICAL PART!!!
      # ANY SERVICE SPECIFIED HERE MUST BE EITHER PROVIDED BY
      # THE FIREWALL ITSELF, OR THE PORT MUST BE FORWARDED TO
      # SOME SPECIFIC MACHINE ON THE INTERNAL LAN
      # SEE BOTTOM OF SCRIPT FOR PORT FORWARDING EXAMPLE
      #######################################################################

      # Allow any related traffic coming back to the MASQ server in
      iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

      # ping/echo
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 7 -j ACCEPT

      # ident/auth
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 113 -j ACCEPT

      # ssh
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

      # FTP requests
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 20:21 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT

      # FTP Passive Ports requests
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 49152:65534 -j ACCEPT

      # http
      iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
      iptables -A INPUT -i $EXTIF -p udp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

      #######################################################################
      # SEE SCRIPT AT BEGINNING OF THIS WEBPAGE TO
      # LOCATE MORE SERVICES THAT YOU MIGHT WANT
      # ADD YOUR OWN RULES
      #######################################################################

      # Catch all rule, all other incoming is denied and logged.
      iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP

      
      echo -e "     - Loading OUTPUT rulesets"

      #######################################################################
      # OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
      #         already flushed and set to a default policy of DROP.
      #

      # YOU WILL PROBABLY NOT NEED TO MODIFY THE OUTGOING RULES
      # UNLESS YOU REALLY WANT A BOMBPROOF FIREWALL

      # outgoing to local net on remote interface, stuffed routing, deny
      iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j DROP

      # loopback is valid
      iptables -A OUTPUT -o lo -j ACCEPT

      # local interface, any source going to local net is valid
      iptables -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT

      # anything else outgoing on remote interface is valid
      iptables -A OUTPUT -o $EXTIF -j ACCEPT

      # Catch all rule, all other outgoing is denied and logged.
      iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP

      echo -e "     - Loading FORWARD rulesets"

      #######################################################################
      # FORWARD: Enable Forwarding and thus IPMASQ
      #######################################################################

      #######################################################################
      # ADD PORT FORWARDING RULES HERE
      # ANY ENTRY HERE MUST HAVE A CORRESPONDING ENTRY IN THE
      # "INPUT ON THE EXTERNAL INTERFACE" SECTION - SEE ABOVE
      #######################################################################

      #######################################################################
      # EXAMPLE FORWARD PORT 80 TO COMPUTER ON LAN WITH IP 192.168.200.5
      #iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
      #  -j DNAT --to-destination 192.168.200.5
      # iptables -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT

      #######################################################################
      # ADD YOUR RULES HERE FOR TRAFFIC THAT WILL BE
      # FORWARDED FROM THE INTERNAL INTERFACE TO THE
      # EXTERNAL INTERFACE - this is not as critical as
      # the INCOMING filter above, but still worthwhile
      #######################################################################

      # Enable (MASQUERADE) functionality on $EXTIF
      # (uses $INTNET so the masqueraded subnet matches the LAN defined at the top;
      #  a hard-coded 192.168.10.0/24 here would leave 192.168.11.0/24 un-NATed)
      iptables -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j MASQUERADE

      # allow any previously established traffic through
      iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

      # ICMP protocol necessary for ping, etc
      iptables -A FORWARD -i $INTIF -p icmp -j ACCEPT

      # high port numbers allowed out
      iptables -A FORWARD -i $INTIF -p tcp --dport 1024:65535 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 1024:65535 -j ACCEPT

      # ping/echo
      iptables -A FORWARD -i $INTIF -p tcp --dport 7 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 7 -j ACCEPT

      # DNS
      iptables -A FORWARD -i $INTIF -p tcp --dport 53 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 53 -j ACCEPT

      # ident/auth
      iptables -A FORWARD -i $INTIF -p tcp --dport 113 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 113 -j ACCEPT
      
      # ssh
      iptables -A FORWARD -i $INTIF -p tcp --dport 22 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 22 -j ACCEPT

      # http
      iptables -A FORWARD -i $INTIF -p tcp --dport 80 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 80 -j ACCEPT

      # https
      iptables -A FORWARD -i $INTIF -p tcp --dport 443 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 443 -j ACCEPT

      # ftp
      iptables -A FORWARD -i $INTIF -p tcp --dport 20:21 -j ACCEPT
      iptables -A FORWARD -i $INTIF -p udp --dport 21 -j ACCEPT

      # this allows everything through
      #iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

      # Catch all rule, all other forwarding is denied and logged.
      iptables -A FORWARD -j DROP


      echo -e "NAT/Firewall server rule loading complete\n\n"

===========
end.

Thank you very much.
marvelsoft asked:
evangineerX commented:
Myrandor commented:
Make sure to open the UDP or TCP port that is configured in your OpenVPN conf file.

For example, you could add this line
iptables -A INPUT -i $INTIF -p udp -s $INTNET -d $UNIVERSE --dport 1149 -j ACCEPT
if you are using the default config.

marvelsoft (Author) commented:
Experts,

I've already tried your suggestions, guys; it works already. Thank you.
Another thing: how can I see/browse my entire LAN using OpenVPN? Are there any other routing procedures to configure?

My Internal LAN is "192.168.11.0/24".

And this is my OpenVPN server.conf

=====================
port 1194
proto udp
dev tun
dh dh1024.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
=====================
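The following is an added example, not code from the original thread or from the OpenVPN project. It covers both things the asker needs: Myrandor's point about opening the OpenVPN port in the firewall script, and the follow-up question about reaching the LAN through the tunnel. Values are taken from the thread (eth0/eth1, 192.168.11.0/24, and "port 1194", "proto udp", "server 192.168.0.0 255.255.255.0" from the posted server.conf); the tunnel device name tun0 and the 202.x.x.x placeholder are assumptions. Two points differ from Myrandor's one-liner: remote VPN clients arrive on the external interface, not $INTIF, and the port is 1194 as set in the posted server.conf. The script's own drop-and-log-it chain (defined but never used in the posted script) is reused here so that spoofed VPN-subnet packets get logged.

```sh
#!/bin/sh
# Added example (not from the original thread). Rules the asker's NAT/firewall
# script needs for OpenVPN, plus the server.conf line that lets VPN clients
# reach the LAN.  Dry run by default: prints the iptables commands.  Run with
# APPLY=1 on the firewall to load them instead.

INTIF="eth0"
INTNET="192.168.11.0/24"
EXTIF="eth1"
EXTIP="202.x.x.x"          # placeholder, as in the original script
VPNIF="tun0"               # assumption: device created by 'dev tun'
VPNNET="192.168.0.0/24"    # from 'server 192.168.0.0 255.255.255.0'
VPNPORT="1194"             # from 'port 1194' (the OpenVPN default)
VPNPROTO="udp"             # from 'proto udp'
UNIVERSE="0.0.0.0/0"

if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

# Insert these before the catch-all DROP at the end of each chain in the
# original script: iptables stops at the first matching rule, so anything
# appended after the final DROP never fires.
openvpn_rules() {
    # INPUT: remote clients reach the daemon on the EXTERNAL interface, on the
    # port/protocol from server.conf.  This is the only new port exposed to the
    # internet; tls-auth in the posted conf makes the daemon drop packets that
    # lack the HMAC before any TLS work is done.
    $IPT -A INPUT -i "$EXTIF" -p "$VPNPROTO" -s "$UNIVERSE" -d "$EXTIP" \
        --dport "$VPNPORT" -j ACCEPT

    # Anti-spoofing, same idea as the script's "$INTNET on $EXTIF" rule: the
    # VPN subnet can only legitimately appear on the tunnel device.  The
    # script's drop-and-log-it chain logs, then rejects.
    $IPT -A INPUT   -i "$EXTIF" -s "$VPNNET" -j drop-and-log-it
    $IPT -A FORWARD -i "$EXTIF" -s "$VPNNET" -j drop-and-log-it

    # Packets on tun0 have already passed OpenVPN's tls-auth and certificate
    # checks, so the firewall itself may talk to VPN clients.
    $IPT -A INPUT  -i "$VPNIF" -s "$VPNNET" -j ACCEPT
    $IPT -A OUTPUT -o "$VPNIF" -d "$VPNNET" -j ACCEPT

    # FORWARD: VPN clients into the LAN, and only LAN replies back out.
    $IPT -A FORWARD -i "$VPNIF" -o "$INTIF" -s "$VPNNET" -d "$INTNET" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$VPNIF" -s "$INTNET" -d "$VPNNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Return path.  LAN hosts must know that 192.168.0.0/24 lives behind this box.
# When the firewall is their default gateway (INTIP, 192.168.11.10) nothing
# more is needed.  Otherwise either add a static route on each LAN host, or
# hide VPN clients behind the firewall's LAN address with this rule.
vpn_to_lan_masquerade() {
    $IPT -t nat -A POSTROUTING -s "$VPNNET" -o "$INTIF" -j MASQUERADE
}

# server.conf line that pushes the LAN route to every client.  Without it a
# client only has a route for the tunnel subnet and never sends LAN traffic
# through the VPN, which is why "browsing the LAN" fails with the posted conf.
server_conf_additions() {
    printf 'push "route %s 255.255.255.0"\n' "${INTNET%/24}"
}

openvpn_rules
if [ "${VPN_MASQ:-0}" = "1" ]; then vpn_to_lan_masquerade; fi
echo "# append to server.conf:"
server_conf_additions
```

Run it as-is to print the rules, then place them in the script ahead of the three catch-all DROP rules; or run it with APPLY=1 on the firewall to load them directly. VPN_MASQ=1 adds the LAN-side masquerade, which is only needed when LAN hosts do not use 192.168.11.10 as their default gateway and therefore have no route back to 192.168.0.0/24. After reloading, check that the port is reachable only where intended with `iptables -L INPUT -n -v` and confirm hits on the drop-and-log-it chain in the kernel log.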
