Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-12 Thread Mathias Jeschke
Hi Jeff,

Jeff Boyce wrote:

> Thanks for the pointers.  I am doing some research now reading through
> the iptables man page and reading other examples.

I recommend this howto:

http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html

It was written for Linux 2.4, but all the iptables concepts are still valid.

HTH,
Mathias.

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-12 Thread J.Witvliet
One small remark below:

-Original Message-
From: Bonno Bloksma [mailto:b.blok...@tio.nl] 
Sent: Tuesday 12 January 2016 8:33
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Issue getting to LAN behind VPN Server



# Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT



Why would you allow unrestricted outgoing traffic?
I would suggest setting that policy to 'DROP' as well: only allow what you expect,
and allow stateful packets in either direction.

(just my 0.02 cents)

__
This message may contain information that is not intended for you. If you are 
not the addressee or if this message was sent to you by mistake, you are 
requested to inform the sender and delete the message. The State accepts no 
liability for damage of any kind resulting from the risks inherent in the 
electronic transmission of messages.



Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-12 Thread Gert Doering
Hi,

On Tue, Jan 12, 2016 at 01:41:09PM +0100, David Sommerseth wrote:
> > In the FORWARD chain, the easiest approach - and reasonably secure,
> > unless you distrust your VPN clients - is to permit everything
> > coming in via tun0
> > 
> > iptables -I INPUT -i tun0 -j FORWARD
> > 
> > (or similar to this, typing from memory)
> 
> I presume Gert meant:
> 
>  iptables -I FORWARD -i tun0 -j ACCEPT

Right.  Should drink more coffee before posting in the morning.

thanks,

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-12 Thread Bonno Bloksma
Hi,

OK, this is getting away from OpenVPN, so just this one reply.

> One small remark below:
>
> 
> 
>> # Set policies
>> $IPTABLES -P INPUT DROP
>> $IPTABLES -P FORWARD DROP
>> $IPTABLES -P OUTPUT ACCEPT
>> 
> 
> 
> Why would you allow unrestricted outgoing traffic?
> I would suggest setting that policy to 'DROP' as well:
> only allow what you expect, and allow stateful packets in either direction.

This is what I set up for small systems / sites; it is also perfect for private 
situations like my firewall/gateway at home. Remember, OUTPUT is only what 
starts at the system itself. That can never be more than what is coming from 
the running services, unless it is a workstation system. I have almost none of 
those, only Linux servers. But even then

The use of port filtering is greatly reduced nowadays, where most applications 
simply use port 80 or 443 when they want to go outside and the default option 
is denied.
For our larger sites I used to have a firewall with outbound ports listed, and 
everything else would get denied. On those systems 90 percent of the traffic 
was port 80 and 443, and it wasn't only web traffic.
A few months ago we switched to Palo Alto firewalls, which inspect the traffic 
and filter on that. I can now filter on, for instance, allow Facebook traffic but 
deny Facebook games. That level of filtering is "a bit more than we need" ;-) 
but it is nice to have.

Bonno Bloksma




Re: [Openvpn-users] Issue getting to LAN behind VPN Server

2016-01-12 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/01/16 08:50, Gert Doering wrote:
> Hi,
> 
> On Mon, Jan 11, 2016 at 01:06:18PM -0800, Jeff Boyce wrote:
>> Now, I don't want to leave my firewall with a default Accept All
>> setting on the forwarding chain, so I need to identify a rule
>> specific to the packet type / traffic that I want to allow.  I am
>> little less knowledgeable on firewall rules than routing so if
>> someone could provide a suggestion here I would appreciate it.  I
>> tried making a rule that allowed all UDP TUN traffic, but that
>> blocked my ping again.  I think then I tried adding a port
>> specific rule, but that didn't help either. At that point I ran
>> out of time to conduct any additional tests.
> 
> You need to allow UDP (for OpenVPN) in the INPUT chain, because
> that is consumed by the VPN server (-> INPUT), not forwarded
> elsewhere.
> 
> In the FORWARD chain, the easiest approach - and reasonably secure,
> unless you distrust your VPN clients - is to permit everything
> coming in via tun0
> 
> iptables -I INPUT -i tun0 -j FORWARD
> 
> (or similar to this, typing from memory)

I presume Gert meant:

 iptables -I FORWARD -i tun0 -j ACCEPT

This will allow traffic coming in on tun0 to be forwarded anywhere.
It will not enable access to this particular host.  For that you
need to modify the INPUT chain.

To allow hosts on this box's network to access hosts on the tun0
"net", you must add:

 iptables -I FORWARD -o tun0 -j ACCEPT

This allows forwarded packets to exit on the tun0 device.


- -- 
kind regards,

David Sommerseth
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlaU9GQACgkQDC186MBRfrqpzACgqp3BwlXiYwoxGAodLH/IHyU7
YesAmwSEXMl/SWPl1i6LMe79AiGJrgUP
=oSyC
-END PGP SIGNATURE-
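An added example, not from this thread or from the OpenVPN project, that puts the advice of the two replies above into one rule set: J.Witvliet's suggestion to set the OUTPUT policy to DROP too and allow stateful traffic in both directions, Gert's point that OpenVPN's UDP port belongs in INPUT because the VPN server consumes it, and David's two FORWARD rules for tun0 (here narrowed to the VPN and LAN subnets rather than "anywhere"). The interface names eth0 and tun0, UDP port 1194 and the subnets 10.8.0.0/24 and 192.168.1.0/24 are assumed placeholders, as is the dry-run convention: the script prints the iptables commands unless IPTABLES_APPLY=1 is set, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Hypothetical OpenVPN gateway firewall (added example, not code from the thread).
# Assumed placeholders: WAN interface eth0, VPN interface tun0, OpenVPN on
# UDP 1194, LAN behind the gateway 192.168.1.0/24, VPN client subnet 10.8.0.0/24.
# Default is a dry run that prints the rules; IPTABLES_APPLY=1 executes them.
set -eu

WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# ipt: print the rule (dry run, default) or run iptables (IPTABLES_APPLY=1).
ipt() {
    if [ "${IPTABLES_APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

apply_rules() {
    ipt -F
    ipt -X
    # Default-deny in all three chains, OUTPUT included.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Stateful: replies and related packets pass in every direction,
    # so only the packet that opens a connection needs an explicit rule.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Loopback is local to this host.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # INPUT: the OpenVPN daemon consumes its own UDP packets, so the
    # tunnel transport is allowed here, not in FORWARD. Pings from the
    # LAN and from VPN clients reach this host for troubleshooting.
    ipt -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    ipt -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # FORWARD: VPN clients may initiate connections to the LAN
    # (David's "-i tun0" rule, limited to the two subnets)...
    ipt -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    # ...and LAN hosts may initiate connections to VPN clients
    # (David's "-o tun0" rule, limited the same way).
    ipt -A FORWARD -o "$VPN_IF" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT

    # OUTPUT: only what this host itself is expected to start. The
    # daemon's replies to clients are already covered by ESTABLISHED above.
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT
    ipt -A OUTPUT -p icmp -j ACCEPT
    # Anything else this host tries is logged (rate-limited) before the
    # DROP policy discards it, which makes a missing rule easy to spot.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUTPUT-DROP: "
}

# `sh firewall.sh` prints the rule set; `IPTABLES_APPLY=1 sh firewall.sh`
# applies it (root required).
apply_rules
```

The FORWARD rules are deliberately bound to both the interface and the subnets: a rule that only matches `-i tun0` accepts whatever a VPN client chooses to send, which is Gert's "unless you distrust your VPN clients" caveat. Putting ESTABLISHED,RELATED in all three chains is what makes a DROP policy on OUTPUT workable: the server never has to enumerate reply traffic, only the few connections it opens on its own, and the rate-limited LOG rule at the end of OUTPUT shows which of those were forgotten.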
