Hello,
I am a bit new to ipfilter stuff and didnt succeed in forwarding my OpenVPN traffic. Maybe someone is able to tell me the iptables commands.
Situation: I got a dedicated Rootserver with one network interface. Some days ago I setup a OpenVPN server (IP-Range 10.47.11.0/24) on that box which works for itself. At home I have a OpenVPN client connected to the server, which works, too. I can ping the tun Interface of the server, I can login through the VPN channel on the server and I can dig @tun-interface any-domain.
The routing table of my client shows the default gateway is VPN:
client:~ # netstat -rn
Kernel IP routing table
Ziel Router Genmask Flags MSS Fenster irtt Iface
10.47.11.1 10.47.11.5 255.255.255.255 UGH 0 0 0 tun0
61.169.136.161 192.168.1.64 255.255.255.255 UGH 0 0 0 eth2 # my DSL-Box internal IP
10.47.11.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.128.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.47.11.5 0.0.0.0 UG 0 0 0 tun0
My problem: at the server there has to be set a FORWARD rule to NAT all traffic and send it to the default gateway. I dont get this to work. Anybody out the who can explain my fault and tell me the right iptable commands? Thanks in advance for any help.
server:~ # netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.47.11.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
61.169.136.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.47.11.0 10.47.11.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 61.169.136.1 0.0.0.0 UG 0 0 0 eth0
server:~ # ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.47.11.1 P-t-P:10.47.11.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3601 errors:0 dropped:0 overruns:0 frame:0
TX packets:3514 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:163083 (159.2 Kb) TX bytes:144786 (141.3 Kb)
server:~ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0E:A6:76:C4:36
inet addr:61.169.136.161 Bcast:61.169.136.161 Mask:255.255.255.255
inet6 addr: fe80::20e:a6ff:fe76:c436/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2833852643 errors:0 dropped:0 overruns:0 frame:0
TX packets:2928710841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1070053355 (1020.4 Mb) TX bytes:1932364652 (1842.8 Mb)
The iptables output:
server:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
DROP tcp -- anywhere anywhere tcp dpt:poppassd
DROP tcp -- anywhere anywhere tcp dpt:mysql
DROP tcp -- anywhere anywhere tcp dpt:postgresql
DROP tcp -- anywhere anywhere tcp dpt:9008
DROP tcp -- anywhere anywhere tcp dpt:glrpc
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp type 8 code 0
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT udp -- 10.47.11.0/24 anywhere
ACCEPT tcp -- 10.47.11.0/24 anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Attachment:
signature.asc
Description: This is a digitally signed message part.
