
#1 2014-10-18 04:59:32

Nimue
Member
Registered: 2011-03-20
Posts: 7

iptables logic headache >.<

Hey! So currently, I'm trying to forward a port through a VPN so I can host some services behind a University firewall. Here's my core setup


Linode VPN-------University Firewall-------Home Server (10.8.0.4)

I'd like to be able to access services on my mobile devices from my Home Server behind the firewall. To do this, I obviously need a VPN. I've set up OpenVPN and I can connect to it just fine and appear to be from the UK (yay BBC iPlayer).

However, I cannot seem to get ports forwarded properly to my home server so that daemons there can be accessed properly. I know you need to do something with iptables and I've tried several things to no avail... Here's the output of iptables -L

[root@rainbowbrite nimue]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             10.8.0.4             udp dpt:47201
ACCEPT     tcp  --  anywhere             10.8.0.4             tcp dpt:47201
ACCEPT     tcp  --  anywhere             10.8.0.4             tcp dpt:47201
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Likewise, here are my config files...

server.config

port 42000
proto udp
dev tap

ca /etc/openvpn/ca.crt
cert /etc/openvpn/rainbowbrite.crt
dh /etc/openvpn/dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120

comp-lzo
user vpnuser
group vpnuser
persist-key
persist-tun
status openvpn-status.log
verb 3

client.cfg

client
dev tap
proto udp

remote linodeurl.com 42000
resolv-retry infinite

nobind
persist-key
persist-tun

ca C:\\Users\\RainbowBrite\\Documents\\OpenVPN\\ca.crt
cert C:\\Users\\RainbowBrite\\Documents\\OpenVPN\\homepc.crt
key C:\\Users\\RainbowBrite\\Documents\\OpenVPN\\homepc.key

ns-cert-type server
tls-auth C:\\Users\\RainbowBrite\\Documents\\OpenVPN\\ta.key 1

comp-lzo
verb 3

But when I use a program on 10.8.0.4 using the client.cfg posted above, port 47201 isn't opened to me. Huh?


#2 2014-10-18 06:22:19

Rexilion
Member
Registered: 2013-12-23
Posts: 784

Re: iptables logic headache >.<

How are you addressing 47201?

Like 10.8.0.1:47201 ?

Your firewall contains superfluous rules and is quite unstructured.


fs/super.c : "Self-destruct in 5 seconds.  Have a nice day...\n",


#3 2014-10-18 08:05:37

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: iptables logic headache >.<

Show the output of:

iptables-save

So we can properly see your rules.

As a general hint: Use logndrop, rather than just REJECT/DROP, to get good info on the packets you're rejecting.


#4 2014-10-19 00:13:25

Nimue
Member
Registered: 2011-03-20
Posts: 7

Re: iptables logic headache >.<

Rexilion wrote:

Your firewall contains superfluous rules and is quite unstructured.

I apologise. I am still learning.

brebs wrote:

Show the output of:

iptables-save

So we can properly see your rules.
As a general hint: Use logndrop, rather than just REJECT/DROP, to get good info on the packets you're rejecting.

[root@rainbowbrite nimue]# iptables-save 
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*security
:INPUT ACCEPT [32980690:41894911488]
:FORWARD ACCEPT [1303024:1205519397]
:OUTPUT ACCEPT [32566282:45670932606]
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*raw
:PREROUTING ACCEPT [34286038:43100654944]
:OUTPUT ACCEPT [32566288:45670933326]
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*nat
:PREROUTING ACCEPT [3580:214545]
:INPUT ACCEPT [1726:101002]
:OUTPUT ACCEPT [2124:131288]
:POSTROUTING ACCEPT [2124:131288]
-A PREROUTING -i tap0 -p tcp -m tcp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A PREROUTING -i tap0 -p udp -m udp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A PREROUTING -p tcp -m tcp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A PREROUTING -p udp -m udp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o tap0 -j MASQUERADE
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*mangle
:PREROUTING ACCEPT [34286038:43100654944]
:INPUT ACCEPT [32980690:41894911488]
:FORWARD ACCEPT [1304309:1205585205]
:OUTPUT ACCEPT [32566288:45670933326]
:POSTROUTING ACCEPT [33869333:46876453857]
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*filter
:INPUT ACCEPT [973088:938495146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [993111:1038288028]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -d 10.8.0.4/32 -i tap0 -p udp -m udp --dport 47201 -j ACCEPT
-A FORWARD -d 10.8.0.4/32 -i tap0 -p tcp -m tcp --dport 47201 -j ACCEPT
-A FORWARD -d 10.8.0.4/32 -i tap0 -p tcp -m tcp --dport 47201 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
[root@elbereth nimue]# iptables-save 
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*security
:INPUT ACCEPT [32980690:41894911488]
:FORWARD ACCEPT [1303024:1205519397]
:OUTPUT ACCEPT [32566282:45670932606]
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*raw
:PREROUTING ACCEPT [34286038:43100654944]
:OUTPUT ACCEPT [32566288:45670933326]
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*nat
:PREROUTING ACCEPT [3580:214545]
:INPUT ACCEPT [1726:101002]
:OUTPUT ACCEPT [2124:131288]
:POSTROUTING ACCEPT [2124:131288]
-A PREROUTING -i tap0 -p tcp -m tcp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A PREROUTING -i tap0 -p udp -m udp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A PREROUTING -p tcp -m tcp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A PREROUTING -p udp -m udp --dport 47201 -j DNAT --to-destination 10.8.0.4
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o tap0 -j MASQUERADE
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*mangle
:PREROUTING ACCEPT [34286038:43100654944]
:INPUT ACCEPT [32980690:41894911488]
:FORWARD ACCEPT [1304309:1205585205]
:OUTPUT ACCEPT [32566288:45670933326]
:POSTROUTING ACCEPT [33869333:46876453857]
COMMIT
# Completed on Sun Oct 19 00:11:54 2014
# Generated by iptables-save v1.4.21 on Sun Oct 19 00:11:54 2014
*filter
:INPUT ACCEPT [973088:938495146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [993111:1038288028]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -d 10.8.0.4/32 -i tap0 -p udp -m udp --dport 47201 -j ACCEPT
-A FORWARD -d 10.8.0.4/32 -i tap0 -p tcp -m tcp --dport 47201 -j ACCEPT
-A FORWARD -d 10.8.0.4/32 -i tap0 -p tcp -m tcp --dport 47201 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
COMMIT
# Completed on Sun Oct 19 00:11:54 2014


#5 2014-10-19 15:28:56

Rexilion
Member
Registered: 2013-12-23
Posts: 784

Re: iptables logic headache >.<

It seems you have kept adding rules which were not effective since you had catch-all rules above them.

I suggest you start over (iptables -F + iptables -X INPUT -t nat etc etc) and then try again.

You can use tcpdump -i tun0 to monitor whether the packets are entering/exiting the VPN.


fs/super.c : "Self-destruct in 5 seconds.  Have a nice day...\n",

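As an added example (not code from the thread or from any of the posters), the script below writes out the kind of rebuilt, ordered ruleset Rexilion recommends in the post above, and implements the "log then drop" catch-all brebs suggested in #3: one DNAT per protocol on the public interface only, every ACCEPT placed before a single logging catch-all, and no stacked duplicates. It goes a bit beyond the thread by defaulting INPUT and FORWARD to DROP and by including a small checker that counts duplicated rule lines in any iptables-save style dump. Assumed from the posted rules and configs: public interface eth0, OpenVPN on udp/42000 serving 10.8.0.0/24 over tap0, home server 10.8.0.4, service port 47201; the ssh rule and its port are an assumption added so a DROP policy on INPUT does not lock the admin out. Replies from the home server return through the tunnel because server.config pushes "redirect-gateway def1", so conntrack reverses the DNAT without extra rules.

```shell
#!/bin/sh
# Added example (not from the thread): generate a clean, ordered ruleset in
# iptables-restore format for the setup discussed above.
# Assumptions: eth0 = public interface, tap0 = OpenVPN interface serving
# 10.8.0.0/24, home server 10.8.0.4, forwarded port 47201, OpenVPN on udp/42000.
# The ssh rule (port 22) is an assumption so INPUT DROP does not lock you out.

VPN_IF="${VPN_IF:-tap0}"
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
HOME_SERVER="${HOME_SERVER:-10.8.0.4}"
SVC_PORT="${SVC_PORT:-47201}"
OVPN_PORT="${OVPN_PORT:-42000}"
SSH_PORT="${SSH_PORT:-22}"

# nat table: exactly one DNAT per protocol, limited to the public interface,
# plus MASQUERADE for VPN clients going out to the internet. Replies from the
# home server come back through the tunnel (the server pushes redirect-gateway),
# so conntrack reverses the DNAT on its own.
gen_nat() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport $SVC_PORT -j DNAT --to-destination $HOME_SERVER
-A PREROUTING -i $WAN_IF -p udp --dport $SVC_PORT -j DNAT --to-destination $HOME_SERVER
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# filter table: default DROP, a LOGDROP chain (rate-limited LOG, then DROP) as
# the last rule of INPUT and FORWARD so dropped packets appear in the kernel
# log, and every ACCEPT placed before that catch-all. Forwarding to the home
# server is allowed only for packets that were actually DNATed (ctstate DNAT).
gen_filter() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport $OVPN_PORT -j ACCEPT
-A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $WAN_IF -o $VPN_IF -d $HOME_SERVER -p tcp --dport $SVC_PORT -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $WAN_IF -o $VPN_IF -d $HOME_SERVER -p udp --dport $SVC_PORT -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Whole ruleset: nat and filter tables (raw, mangle and security are untouched
# by iptables-restore when they are not listed).
gen_ruleset() {
  gen_nat
  gen_filter
}

# Count rule lines that occur more than once in an iptables-save style dump
# read from stdin; run "iptables-save | duplicate_rule_count" on a live box to
# spot stacked duplicates like the ones in the thread. Prints 0 when clean.
duplicate_rule_count() {
  grep '^-A ' | sort | uniq -d | wc -l | tr -d ' '
}

case "${1:-}" in
  --apply) gen_ruleset | iptables-restore ;;  # needs root; replaces nat and filter
  *)       gen_ruleset ;;                     # dry run: print the ruleset
esac
```

Run it without arguments to review the generated ruleset, and with `--apply` (as root) to load it; because the whole table is replaced atomically, re-running it never stacks rules the way repeated `iptables -A` invocations did in the thread. Dropped packets show up in `dmesg` / the kernel log with the `iptables-drop:` prefix, which is the information brebs' hint is about.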

#6 2014-10-19 18:32:44

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,416

Re: iptables logic headache >.<

It looks like you are trying to set up a tap interface for qemu or VirtualBox.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.
