[TriLUG] having trouble writing firewall rules for openvpn

Joseph Mack NA3T jmack at wm7d.net
Tue May 8 09:52:17 EDT 2012


On Tue, 8 May 2012, Bill Farrow wrote:

> On Mon, May 7, 2012 at 10:50 PM, Joseph Mack NA3T <jmack at wm7d.net> wrote:
>> #default INPUT policy
>> iptables -P INPUT DROP  #I have to comment this out to get an openvpn
>>
>> iptables -A INPUT -p udp -j LOG --log-prefix "UDP"
>> iptables -A INPUT -p tcp -j LOG --log-prefix "TCP"
>> iptables -A INPUT -i eth2 -j LOG --log-prefix "eth2"
>> iptables -A INPUT -i tun0 -j LOG --log-prefix "tun0"
>> iptables -A INPUT -p udp --dport 1194 -j ACCEPT
>>
>> I don't see any entries in /var/log/messages. The only way I get a
>> connection is if the default INPUT policy DROP rule is commented out. I
>> assume the rule accepting udp packets to port 1194 is not being triggered.
>> An INPUT rule ACCEPTing port 22 doesn't accept connections either.
>>
>> I'm no iptables expert. Can anyone see what I'm doing that's wrong? To get
>> an ssh connection client->server I have to remove the default DROP policy.
>
> Joe,
> So it looks like you are not matching the required packets, which is
> really strange, since your LOG rules for tcp and udp should be getting
> run.

Hi Bill,

I'm steeling myself for a long and difficult 
session. I've turned log level up to debug and I'm getting 
lots of logging now ;-\ including to port 1194 (yea!). Not 
sure what was wrong before yet. I assume stupidity for the 
moment.


> Double check the order of the rules in your INPUT chain:
>  iptables -L INPUT
>
> If they are out of order, try inserting rules:
> iptables -I INPUT 1 -p udp -j LOG --log-prefix "UDP"
> iptables -I INPUT 2 -p tcp -j LOG --log-prefix "TCP"
>
> If you are running OpenWRT or some other reduced distro, make sure you
> have the iptables logging module installed and running:
> lsmod | grep ipt_LOG

it's there

> Install it on OpenWRT if required:
> ipkg install iptables-mod-extra

OpenWrt is my eventual target. I thought doing it on a 
desktop machine would be easier, but I have to unplug my 
router from the internet when I'm messing with the rules, as 
the only time I can openvpn into my router is when INPUT is 
open.

Perhaps I should have started with OpenWrt

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

