* help with bridged firewall with openvpn
       [not found] <250999BCC487ED429E1673DCFA26CDCC2A7BDA6E15@postman>
@ 2011-12-28 14:46 ` Barry Smoke
  2011-12-28 16:53   ` Barry Smoke
  2012-01-02 15:33   ` Andrew Beverley
  0 siblings, 2 replies; 4+ messages in thread
From: Barry Smoke @ 2011-12-28 14:46 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'


Most of the online docs I've found deal with bridging and virtualization.  I'm trying to use bridging to link OpenVPN clients with our internal network, without NAT (for a VoIP implementation on Yealink phones).
I've created a bridge on CentOS 5.6, and have OpenVPN using tap0.  At this point, I'm not sure if I'm having trouble with my bridge config or my iptables script.
brctl showmacs br0 does show my OpenVPN client MAC; however, it is not listed as local (not sure if it is supposed to be), and through tcpdump on br0 I'm seeing my internal LAN client that is trying to ping the OpenVPN client get the MAC address; however, my ping requests never make it to br0.

I'm on kernel 2.6.18-274.12.1.el5, and I modified a firewall script we were previously using to work with the br0 interface instead.
What we are seeing is that VPN clients can ping the OpenVPN server.  I can ping the clients from the OpenVPN server.  I can't get internal machines to ping an OpenVPN client, nor can I get an OpenVPN client pinging anything else on the network.

The OpenVPN config pushes a reserved internal range to the VPN clients (10.0.28.x).
I've added tap0 and br0 to the forwarding table.

Here is my current firewall script:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set INTERFACE equal to the interface your OUTGOING connection is on.
INTERFACE=eth1
#Delete user made chains. Flush and zero the tables.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z

#Flush the `nat' and `mangle' tables.
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

#Create a new log and drop (LDROP) convenience target
/sbin/iptables -N LDROP
# --log-level sets the syslog priority of the LOG entries (4 = warning).
# --log-prefix iptables: makes for easy syslog-ng filtering
/sbin/iptables -A LDROP -j LOG --log-level 4 --log-prefix iptables:
/sbin/iptables -A LDROP -j DROP

#Create a new target (GOOD) to test for good intentions.
/sbin/iptables -N GOOD
#Allow but limit some ICMP (needed for pinging and tracerouting)
/sbin/iptables -A GOOD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A GOOD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A GOOD -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT

#Check State (Only allow incoming connections that have a ESTABLISHED or RELATED outgoing connection)
/sbin/iptables -A GOOD -m state --state ESTABLISHED,RELATED -i ${INTERFACE} -j ACCEPT

#Allowing specific protocols in. Add any you use.
#Allow SSH
/sbin/iptables -A GOOD -p tcp --dport 22 -j ACCEPT

#openvpn
/sbin/iptables -A GOOD -p udp -i eth1 -d 170.94.21.4 --dport 1194 -j ACCEPT

#Setting default input rule to DROP
/sbin/iptables -P INPUT DROP

#Allow all traffic on the local interfaces (Any interface EXCEPT the interface in $INTERFACE)
#/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -i br0 -j ACCEPT
/sbin/iptables -A INPUT -i tap0 -j ACCEPT

#Test for good intentions (Adds the GOOD target to the INPUT chain)
/sbin/iptables -A INPUT -j GOOD

#Otherwise Log and Drop (This gets rid of anything we might have missed)
/sbin/iptables -A INPUT -j LDROP


#Setting default forwarding rule to DROP
/sbin/iptables -P FORWARD DROP

#Let non-evil stuff out
#/sbin/iptables -A FORWARD -i eth0  -j ACCEPT
/sbin/iptables -A FORWARD -i br0 -j ACCEPT
/sbin/iptables -A FORWARD -i tap0 -j ACCEPT

/sbin/iptables -A FORWARD -i lo -j ACCEPT
/sbin/iptables -A FORWARD -s 10.0.0.0/16 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.0.0.0/16 -j ACCEPT

#Test for good intentions (Adds the GOOD target to the FORWARD chain)
/sbin/iptables -A FORWARD -j GOOD
#Otherwise Log and Drop
/sbin/iptables -A FORWARD -j LDROP

#Setting default output rule to ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
#Allow all traffic to the lo interface
#/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#allows internal lan clients to use this server as a gateway
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -d ! 10.0.0.0/16 -o ${INTERFACE} -j MASQUERADE
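As an added illustration, not code from the thread: a small POSIX shell helper that reads brctl showmacs output (a constructed sample here, not Barry's bridge) and answers the "is local?" question raised above. The local flag is only set for the addresses of the bridge's own ports, so a remote OpenVPN client is expected to show local=no on the tap0 port; the port numbering (1 = eth0, 2 = tap0) is an assumption of the sample.

```shell
#!/bin/sh
# Constructed sample of `brctl showmacs br0` output (not from the thread).
# Assumed layout: bridge port 1 is eth0 (LAN side), port 2 is tap0 (OpenVPN).
SHOWMACS='port no  mac addr           is local?  ageing timer
  1       00:11:22:33:44:55  yes          0.00
  1       00:15:65:aa:bb:cc  no          12.50
  2       00:ff:4e:5e:6f:70  yes          0.00
  2       00:ff:12:34:56:78  no           3.20'

# Look a MAC up in the bridge forwarding database.  Prints the port it was
# learned on, the "is local?" flag and the ageing timer; returns 1 if the
# MAC is absent.  "local" is only set for the addresses of the bridge's
# own ports, so a remote OpenVPN client is expected to show local=no.
fdb_lookup() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    line=$(printf '%s\n' "$SHOWMACS" |
           grep -i -- "[[:space:]]$mac[[:space:]]") || return 1
    set -- $line                      # port addr local ageing
    printf 'port=%s local=%s ageing=%s\n' "$1" "$3" "$4"
}

# Sanity check for a VPN client: present, learned on the expected port
# (2 = tap0 in the sample) and not local.  Returns 0 only when all hold.
client_ok() {
    entry=$(fdb_lookup "$1") || return 1
    case "$entry" in
        "port=$2 local=no "*) return 0 ;;
    esac
    return 1
}

# On the real box the port numbers come from sysfs, e.g.
#   cat /sys/class/net/br0/brif/tap0/port_no      (prints 0x2 for port 2)
```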



* RE: help with bridged firewall with openvpn
  2011-12-28 14:46 ` help with bridged firewall with openvpn Barry Smoke
@ 2011-12-28 16:53   ` Barry Smoke
  2011-12-29 15:59     ` Barry Smoke
  2012-01-02 15:33   ` Andrew Beverley
  1 sibling, 1 reply; 4+ messages in thread
From: Barry Smoke @ 2011-12-28 16:53 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'

echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

I've added the above lines to my script, and I can't arping my OpenVPN client either...


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@vger.kernel.org More majordomo info at  http://vger.kernel.org/majordomo-info.html


* RE: help with bridged firewall with openvpn
  2011-12-28 16:53   ` Barry Smoke
@ 2011-12-29 15:59     ` Barry Smoke
  0 siblings, 0 replies; 4+ messages in thread
From: Barry Smoke @ 2011-12-29 15:59 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'

I'm just adding a note to my own thread so that people having this problem in the future see it.
I never got this working with the bridge; however, I took the bridge out and used an example from the OpenVPN Cookbook, chapter 2 proxy_arp example.



* Re: help with bridged firewall with openvpn
  2011-12-28 14:46 ` help with bridged firewall with openvpn Barry Smoke
  2011-12-28 16:53   ` Barry Smoke
@ 2012-01-02 15:33   ` Andrew Beverley
  1 sibling, 0 replies; 4+ messages in thread
From: Andrew Beverley @ 2012-01-02 15:33 UTC (permalink / raw)
  To: Barry Smoke; +Cc: 'netfilter@vger.kernel.org'

On Wed, 2011-12-28 at 08:46 -0600, Barry Smoke wrote:
> Most of the online docs I've found deal with bridging, and
> virtualization.  I'm trying to use bridging to link openvpn clients
> with our internal network, without nat(for a voip implementation on
> yealink phones).

<snip>

> however my ping requests never make it to br0.  
> 

I realise that you've solved this now using another script, but just
thought that I'd point out that it's always worth getting your scripts
working with no DROPing of packets (initially).

I noticed that in your rules you had various rules for LOGing and
DROPing, but that the default policies were DROP, so there is always a
chance that some packets could have been silently dropped.

Andy
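One way to act on Andy's advice for a script like Barry's, as an added example that is not from the thread: a MODE switch that builds the same LDROP chain and default policies, but in debug mode logs and RETURNs instead of DROPping, so nothing is discarded silently while the bridge is being brought up. IPT defaults to echo here so the rules can be reviewed without root (point it at /sbin/iptables to apply them), and only the chains relevant to the question are included.

```shell
#!/bin/sh
# Added example, not from the thread.  IPT defaults to "echo" so the
# generated rules can be reviewed without root; set IPT=/sbin/iptables
# to apply them for real.
IPT=${IPT:-echo}

# Emit the policy and LDROP parts of a script like the one above.
#   debug   : policies ACCEPT, LDROP logs and RETURNs (nothing is dropped,
#             but every packet that *would* have been dropped is in syslog)
#   enforce : policies DROP, LDROP logs and DROPs (the original behaviour)
build_rules() {
    mode=$1
    if [ "$mode" = debug ]; then
        policy=ACCEPT; final=RETURN
    else
        policy=DROP;   final=DROP
    fi
    $IPT -N LDROP
    $IPT -A LDROP -j LOG --log-level 4 --log-prefix "iptables[$mode]: "
    $IPT -A LDROP -j $final
    $IPT -P INPUT $policy
    $IPT -P FORWARD $policy
    $IPT -P OUTPUT ACCEPT
    # Same interface rules as the original; LDROP stays last in each chain.
    for chain in INPUT FORWARD; do
        $IPT -A $chain -i br0 -j ACCEPT
        $IPT -A $chain -i tap0 -j ACCEPT
        $IPT -A $chain -j LDROP
    done
}

# Number of emitted rules or policies that can discard a packet (only
# meaningful with IPT=echo).  Zero is the "no DROPing" state recommended
# for first bring-up; the log prefix then shows what enforce mode would lose.
count_drops() {
    build_rules "$1" | grep -c -e '-j DROP' -e '-P [A-Z]* DROP' || true
}
```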


