Hey everyone,
Sorry about the newbie questions... This one is giving me fits. I have
the openvpn client rules set up (as per my question yesterday - thank
you again EJ), and the correct IP is being assigned to my test account.
Now, I am trying to restrict that test account to only be able to access
one specific server. All other traffic of any form should be allowed. As
it is, my test account is not able to access anything except the openvpn
server itself. If I turn iptables off, everything is talking to
everything again.
Here is the output of the iptables file (I have also added comments to
the five custom entries I made in iptables. Also, IPs and names have
been changed, not that it really matters):
[dan@server1 sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -i tun0 -s 192.168.0.1/30 -d 172.16.0.50 -j ACCEPT #This client should be able to access this one server.
-A FORWARD -i tun0 -s 192.168.0.1/30 -j DROP #The same client should not be able to access anything else.
-A FORWARD -i tun0 -j ACCEPT #Everyone else should be able to access everything else.
-A INPUT -j ACCEPT #All traffic directed directly to this machine should be allowed.
-A INPUT -j ACCEPT #All traffic originating from this machine should be allowed.
-A OUTPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[dan@server1 sysconfig]#
The output from iptables -L looks good (to me anyway):
[dan@server1 sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.1/30 server4.acompany.com
DROP all -- 192.168.0.1/30 anywhere
ACCEPT all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[dan@server1 sysconfig]#
It was my understanding that iptables processed rules from the top down,
and that once a rule condition was met, it skipped any further rules.
Maybe I'm wrong. Does anyone see a problem with the above? Thanks in
advance!
--
Best regards,
Daniel M. Head
http://www.linkedin.com/in/dmhead
Cell Phone: (360) 980-5885
Home/Message Phone: (360) 210-5492
E-mail: [email protected]
"/If we want to set our lives aright and find peace,
it is not the tolerant attitude of others that will do it for us.
It will come about, rather, by our learning how to show them compassion./"
- John Cassian
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
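Added example (not part of Daniel's post or of any reply on the list): a small Python model of the filter-table evaluation he describes, rules checked top down, first matching terminal target wins, a jump into a user chain falls back into the caller if nothing in it matches. It loads the FORWARD chain exactly as posted (tun0 = VPN side, 192.168.0.1/30 = the restricted client, 172.16.0.50 = the one permitted server) and runs it over a handful of constructed packets, then swaps the DROP below the blanket "-i tun0 ACCEPT" to show how ordering changes the verdict. The RH-Firewall-1-INPUT chain is reduced to the rules that matter for forwarded traffic (lo, ESTABLISHED/RELATED, final REJECT); its protocol/port rules, NAT and real conntrack are not modelled, and eth0 as the LAN-side interface and the sample addresses are assumptions.

```python
"""Model of iptables first-match evaluation for the FORWARD chain in the post.

Added example, not code from the original message. Interfaces, addresses
and the sample packets other than those quoted from the post are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    in_iface: str        # interface the packet arrived on (-i)
    src: str
    dst: str
    state: str = "NEW"   # conntrack state as `-m state` would report it


@dataclass
class Rule:
    target: str                        # ACCEPT / DROP / REJECT or a user chain to jump to
    in_iface: Optional[str] = None     # -i
    src: Optional[str] = None          # -s, CIDR or single host
    dst: Optional[str] = None          # -d, CIDR or single host
    states: Optional[Set[str]] = None  # -m state --state

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None and not _in_net(pkt.src, self.src):
            return False
        if self.dst is not None and not _in_net(pkt.dst, self.dst):
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def _in_net(addr: str, net: str) -> bool:
    # strict=False normalises 192.168.0.1/30 to 192.168.0.0/30, as iptables does
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


TERMINAL = {"ACCEPT", "DROP", "REJECT"}
Chains = Dict[str, List[Rule]]


def evaluate(chains: Chains, chain: str, pkt: Packet,
             policy: Optional[str] = "ACCEPT") -> Optional[str]:
    """Walk `chain` top down; the first matching terminal target decides.
    A matching jump is followed into the user chain; if that chain ends
    without a terminal match, evaluation continues in the caller (implicit
    RETURN). Builtin chains fall back to their policy, user chains to None."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = evaluate(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy


# The FORWARD chain as posted; RH-Firewall-1-INPUT trimmed to the rules that
# can match forwarded traffic in these samples (port/protocol rules omitted).
POSTED: Chains = {
    "FORWARD": [
        Rule("ACCEPT", in_iface="tun0", src="192.168.0.1/30", dst="172.16.0.50"),
        Rule("DROP",   in_iface="tun0", src="192.168.0.1/30"),
        Rule("ACCEPT", in_iface="tun0"),
        Rule("RH-Firewall-1-INPUT"),
    ],
    "RH-Firewall-1-INPUT": [
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
        Rule("REJECT"),
    ],
}

# Constructed sample packets (assumed, not from the post): 192.168.0.2 is the
# restricted client, 192.168.0.6 any other VPN user, eth0 the LAN side.
SAMPLES: Dict[str, Packet] = {
    "client -> allowed server":        Packet("tun0", "192.168.0.2", "172.16.0.50"),
    "client -> other LAN host":        Packet("tun0", "192.168.0.2", "172.16.0.60"),
    "other VPN user -> LAN host":      Packet("tun0", "192.168.0.6", "172.16.0.60"),
    "reply: allowed server -> client": Packet("eth0", "172.16.0.50", "192.168.0.2",
                                              state="ESTABLISHED"),
    "new: LAN host -> client":         Packet("eth0", "172.16.0.60", "192.168.0.2"),
}


def verdicts(chains: Chains = POSTED) -> Dict[str, Optional[str]]:
    return {name: evaluate(chains, "FORWARD", pkt) for name, pkt in SAMPLES.items()}


def misordered() -> Chains:
    """Same rules with the blanket '-i tun0 ACCEPT' moved above the DROP:
    the first match now wins before the restriction is ever consulted."""
    fwd = POSTED["FORWARD"]
    return {**POSTED, "FORWARD": [fwd[0], fwd[2], fwd[1], fwd[3]]}


if __name__ == "__main__":
    for label, chains in (("as posted", POSTED), ("DROP below blanket ACCEPT", misordered())):
        print(label)
        for name, v in verdicts(chains).items():
            print(f"  {name:34s} {v}")
```

For the sample packets the chain as posted yields the verdicts the inline comments intend: the restricted client reaches 172.16.0.50 and nothing else, other VPN users are unrestricted, and the server's replies come back through the ESTABLISHED rule rather than hitting the REJECT. The model says nothing about DNS, NAT or the real conntrack table, so it cannot by itself explain the symptom in the post; it is a way to check rule ordering before typing the rules into a box you can lock yourself out of. The reordered variant shows why the position of the DROP matters: once the blanket ACCEPT sits above it, the restriction is never consulted.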