I don't know why, but Gmail is flagging your messages as spam. Whatever crazy thing you're doing, I suggest you knock it off :)
-wes

On Wed, Feb 2, 2011 at 12:18 PM, Daniel M. Head <[email protected]> wrote:
> Hey all,
>
> I tried to send this yesterday, but was having some issues with the
> wireless network. I didn't receive it from the list, so I'm resending.
> Any suggestions on what the problem may be would be _greatly_
> appreciated. If others have already received this, please accept my most
> humble apologies.
>
>
> I have the openvpn client rules set up (as per my question earlier this
> week - thank you again EJ), and the correct virtual IP is being assigned
> to my test account when I connect through openvpn.
>
> Now, I am trying to restrict that test account to only be able to access
> one specific server. All other traffic of any form should be allowed. As
> it is, my test account is not able to access anything except the openvpn
> server itself. If I turn iptables off, everything is talking to
> everything again.
>
> Here is the output of the iptables file (I have also added comments to
> the five custom entries I made in iptables. Also, IPs and names have
> been changed, not that it matters, no one could identify anything with a
> private IP.):
>
> [dan@server1 sysconfig]# cat iptables
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A FORWARD -i tun0 -s 192.168.0.1/30 -d 172.16.0.50 -j ACCEPT   # This client should be able to access this one server.
> -A FORWARD -i tun0 -s 192.168.0.1/30 -j DROP                    # The same client should not be able to access anything else.
> -A FORWARD -i tun0 -j ACCEPT                                    # Everyone else should be able to access everything else.
> -A INPUT -j ACCEPT                                              # All traffic directed directly to this machine should be allowed.
> -A INPUT -j ACCEPT                                              # All traffic originating from this machine should be allowed.
> -A OUTPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> [dan@server1 sysconfig]#
>
> The output from iptables -L looks good (to me anyway) too:
>
> [dan@server1 sysconfig]# iptables -L
> Chain INPUT (policy ACCEPT)
> target               prot opt source               destination
> ACCEPT               all  --  anywhere             anywhere
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target               prot opt source               destination
> ACCEPT               all  --  192.168.0.1/30       server4.acompany.com
> DROP                 all  --  192.168.0.1/30       anywhere
> ACCEPT               all  --  anywhere             anywhere
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target               prot opt source               destination
> ACCEPT               all  --  anywhere             anywhere
>
> Chain RH-Firewall-1-INPUT (2 references)
> target               prot opt source               destination
> ACCEPT               all  --  anywhere             anywhere
> ACCEPT               icmp --  anywhere             anywhere             icmp any
> ACCEPT               esp  --  anywhere             anywhere
> ACCEPT               ah   --  anywhere             anywhere
> ACCEPT               udp  --  anywhere             224.0.0.251          udp dpt:mdns
> ACCEPT               udp  --  anywhere             anywhere             udp dpt:ipp
> ACCEPT               tcp  --  anywhere             anywhere             tcp dpt:ipp
> ACCEPT               all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT               tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
> REJECT               all  --  anywhere             anywhere             reject-with icmp-host-prohibited
> [dan@server1 sysconfig]#
>
> It was my understanding that iptables read rules from the top down, and
> that once a rule condition was met, it skipped any further rules. Does
> anyone see a problem with the above? Thanks in advance!
> --
> Best regards,
> Daniel M. Head
> http://www.linkedin.com/in/dmhead
> Cell Phone: (360) 980-5885
> Home/Message Phone: (360) 210-5492
> E-mail: [email protected]
>
> "/If we want to set our lives aright and find peace,
> it is not the tolerant attitude of others that will do it for us.
> It will come about, rather, by our learning how to show them compassion./"
> - John Cassian
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
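Daniel's reading of the evaluation order is what iptables does: a chain is walked top-down, the first rule whose conditions all hold decides if its target is ACCEPT, DROP or REJECT, and a jump into a user chain that falls off its end returns to the next rule of the caller. The script below is an added illustration, not code from the thread or from any of the posters: it parses the FORWARD and RH-Firewall-1-INPUT rules exactly as posted and traces constructed packets through them, reporting which rule fired. The sample packets assume 192.168.0.2 as the test account's virtual IP (inside the posted /30), 192.168.0.6 as an address outside that /30, 172.16.0.60 as some other internal host and eth0 as the LAN interface; none of those appear in the message.

```python
"""Trace packets through the FORWARD chain and RH-Firewall-1-INPUT as posted."""
import ipaddress
import shlex

# The FORWARD rules and the RH-Firewall-1-INPUT chain copied from the message
# (iptables-save syntax, inline comments removed). INPUT and OUTPUT are left
# out: forwarded VPN traffic never traverses them.
RULESET = """
-A FORWARD -i tun0 -s 192.168.0.1/30 -d 172.16.0.50 -j ACCEPT
-A FORWARD -i tun0 -s 192.168.0.1/30 -j DROP
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
PROTO_NAMES = {"50": "esp", "51": "ah"}  # numeric -p values used in the posted rules


def parse_ruleset(text):
    """Return {chain: [rule, ...]} for the subset of iptables syntax the post uses."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule, chain, i = {}, None, 0
        while i < len(tok):  # every option in the posted rules takes one argument
            opt = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) else None
            if opt == "-A":
                chain = arg
            elif opt == "-i":
                rule["in"] = arg
            elif opt in ("-s", "-d"):
                # strict=False: the post writes the /30 with host bits set (192.168.0.1/30)
                rule[opt] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = PROTO_NAMES.get(arg, arg)
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            # -m, --icmp-type and --reject-with add no match condition we need to model
            i += 2
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(rule, pkt):
    """A rule matches only if every condition it carries holds for the packet."""
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"]:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def evaluate(chains, chain, pkt, policy="ACCEPT"):
    """Walk a chain top-down; return (verdict, 'chain#rule') for the first terminal match.

    A user chain that ends without a verdict returns to the caller's next rule
    (implicit RETURN); a built-in chain that runs out of rules ends in its policy.
    """
    for n, rule in enumerate(chains.get(chain, []), start=1):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, f"{chain}#{n}"
        if target in chains:  # jump into a user-defined chain
            result = evaluate(chains, target, pkt, policy=None)
            if result is not None:
                return result
    return (policy, f"{chain} policy") if policy else None


def packet(in_iface, src, dst, proto="tcp", dport=None, state="NEW"):
    return {"in": in_iface, "src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}


CHAINS = parse_ruleset(RULESET)

# Constructed sample packets (assumed addresses, see lead-in).
SCENARIOS = {
    "client -> allowed server": packet("tun0", "192.168.0.2", "172.16.0.50", dport=443),
    "client -> other host": packet("tun0", "192.168.0.2", "172.16.0.60", dport=443),
    "reply from allowed server": packet("eth0", "172.16.0.50", "192.168.0.2", state="ESTABLISHED"),
    "unsolicited inbound to client": packet("eth0", "172.16.0.60", "192.168.0.2", dport=80),
    "address outside the /30 -> other host": packet("tun0", "192.168.0.6", "172.16.0.60", dport=443),
}


def trace_all():
    """Verdict and deciding rule for every scenario, starting in FORWARD."""
    return {name: evaluate(CHAINS, "FORWARD", pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (verdict, where) in trace_all().items():
        print(f"{name:40} {verdict:7} ({where})")
```

Run as written, the trace accepts the client's packet to 172.16.0.50 at the first FORWARD rule, drops its packets to any other host at the second, and lets the server's replies (which arrive on eth0, so none of the three tun0 rules apply) through the ESTABLISHED,RELATED rule of RH-Firewall-1-INPUT; so far that is the intended policy. The last scenario is the check worth running first on the real box: a source address that is not inside 192.168.0.0/30 skips both the allow and the drop rule and is accepted for everything by the third rule, so the assigned virtual IP should be confirmed against the /30 (`ip addr show tun0` on the server and `iptables -L FORWARD -v -n`, whose counters show which rule each packet hit). The model covers only the filter table's FORWARD path as posted; it knows nothing about routing or NAT, and it deliberately leaves out INPUT and OUTPUT, which differ between the file and the `iptables -L` listing in the message.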
