Hi,

[...]

>>> If someone can point me in the right direction to create a specific 
>>> firewall rule for the forward chain I would be grateful.  My thoughts 
[...]
>>>
>> If you want to allow all traffic to and from the tun network(s) to be 
>> forwarded then add something like
>>
>>   iptables -A FORWARD -i tun+ -j ACCEPT
>>   iptables -A FORWARD -o tun+ -j ACCEPT
>>
>> remember that when forwarding traffic you need to write rules for both 
>> incoming and outgoing traffic.
>>
>> HTH,
>>
>> JJK
>>


> Thanks for the pointers.  I am doing some research now reading through
> the iptables man page and reading other examples.  I suspect that my
> initial forwarding rule attempt was lacking because I was only addressing
> one direction and not the bi-directional nature of forwarding. 
> If I have some time this evening I will give this a try.
> Thanks.
> 
> Jeff

For me a typical iptables firewall looks like this. In this case ALL outbound 
traffic from the box and the internal network is allowed.
I use some variables so that the things that can change are at the top.
-----<Quote>---------------
#!/bin/sh
# Variables for the things that change per box.
KEEPSTATE=" -m state --state ESTABLISHED,RELATED"
WORLD_NET=0.0.0.0/0
IPTABLES=/sbin/iptables

# If NAT is needed...
WORLD_IF=eth0
WORLD_NAT=false

# Set policies: drop what is not explicitly allowed in, allow everything out
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Flush all rules in all chains and then delete all user-defined chains
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do $IPTABLES -t $i -F; done
for i in $chains; do $IPTABLES -t $i -X; done
# Reset all counters for default chains
$IPTABLES -Z

# Accept return traffic (established/related flows) first, so that the
# rules below only have to allow the *new* connections.
$IPTABLES -A FORWARD -j ACCEPT $KEEPSTATE
$IPTABLES -A INPUT -j ACCEPT $KEEPSTATE

# SSH allowed from anywhere
$IPTABLES -A INPUT -s $WORLD_NET -p TCP --dport ssh -j ACCEPT

# Loopback interface allow all
$IPTABLES -A INPUT -i lo -j ACCEPT

# We accept ping etc
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Masquerade forwarded traffic leaving through the world interface
if [ $WORLD_NAT = true ] ; then
  $IPTABLES --table nat -A POSTROUTING -o $WORLD_IF -j MASQUERADE
fi
-----</Quote>---------------

Here the "Accept return traffic" rules cover the return traffic, so I only 
have to worry about the outgoing stuff in my other rules.
For OpenVPN I need to add just a few more rules:

-----<Quote>---------------
# OpenVPN allowed (UDP and TCP)
$IPTABLES -A INPUT -s $WORLD_NET -p UDP --dport openvpn -j ACCEPT
$IPTABLES -A INPUT -s $WORLD_NET -p TCP --dport openvpn -j ACCEPT

# Allow all traffic to the tunnel
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
-----</Quote>---------------

In my case the return traffic is covered as we still accept all established and 
related traffic. But the second line from Jan,

  $IPTABLES -A FORWARD -o tun+ -j ACCEPT

covers that a bit more explicitly.

This is my basic firewall rule set for a "simple" Linux box acting sometimes as 
a router if no additional filters are needed for outbound traffic.


Bonno Bloksma
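As an added example (not code from Bonno's or Jan's messages): a small POSIX shell helper that prints the FORWARD rules for an OpenVPN tun interface and classifies a rule list, so the one-directional mistake discussed in this thread can be caught before the rules are loaded. The function names, the optional LAN argument and the constructed rule lines are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.  Prints the FORWARD rules for an
# OpenVPN tun interface and checks a rule list for one-directional forwarding.
IPTABLES=${IPTABLES:-/sbin/iptables}
KEEPSTATE="-m state --state ESTABLISHED,RELATED"

# Emit the rules one per line so they can be reviewed (or piped into sh).
# $1 = interface pattern (tun+), $2 = optional internal LAN allowed to open
# new flows into the tunnel; without $2 any source may do so (Jan's -o rule).
openvpn_forward_rules() {
    tun=$1; lan=$2
    echo "$IPTABLES -P FORWARD DROP"
    echo "$IPTABLES -A FORWARD $KEEPSTATE -j ACCEPT"   # return leg of every flow
    echo "$IPTABLES -A FORWARD -i $tun -j ACCEPT"     # VPN clients -> LAN/world
    if [ -n "$lan" ]; then
        echo "$IPTABLES -A FORWARD -s $lan -o $tun -j ACCEPT"
    else
        echo "$IPTABLES -A FORWARD -o $tun -j ACCEPT"
    fi
}

# Classify the FORWARD rules read from stdin for interface $1:
#   both        - new flows accepted in both directions (-i and -o rules)
#   return-only - -i accepted; packets back into the tunnel only via state
#   one-way     - -i accepted but nothing lets replies back (the mistake
#                 described in the thread), or no -i rule at all
check_bidirectional() {
    tun=$1; in_ok=0; out_ok=0; state_ok=0
    while read -r line; do
        case "$line" in *"-A FORWARD "*) ;; *) continue ;; esac
        case "$line" in *"-i $tun "*"-j ACCEPT"*) in_ok=1 ;; esac
        case "$line" in *"-o $tun "*"-j ACCEPT"*) out_ok=1 ;; esac
        case "$line" in *"ESTABLISHED,RELATED"*"-j ACCEPT"*) state_ok=1 ;; esac
    done
    if [ "$in_ok" = 1 ] && [ "$out_ok" = 1 ]; then echo both
    elif [ "$in_ok" = 1 ] && [ "$state_ok" = 1 ]; then echo return-only
    else echo one-way
    fi
}

# Stand-alone use: print the rule set for the given interface (default tun+)
openvpn_forward_rules "${1:-tun+}" "${2:-}"
```

Pipe the printed rules into check_bidirectional, or feed it the output of iptables-save, to see whether a rule set forwards in both directions.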

