[TriLUG] SOLVED Re: having trouble writing firewall rules for openvpn
Joseph Mack NA3T
jmack at wm7d.net
Tue May 8 11:11:32 EDT 2012
On Tue, 8 May 2012, Joseph Mack NA3T wrote:
remember I wasn't seeing any packets to tun0 and I couldn't
figure out how packets arrived at the server? It turns out
that packets really do arrive at $extif:U1194 and next
appear at tun0:T22.
I had a rule to accept packets at all intifs on my router,
because the next step was to NAT them to the outside world.
However I didn't want to NAT out tun0 so I excluded tun0
from my list of internal interfaces. Next I accepted packets
at all intifs, but since tun0 wasn't on this list and the
default policy was DROP, the decapsulated packet arriving at
tun0:T22 was DROP'ed. All I had to do was ACCEPT to/from
tun0 and openvpn now works with the default INPUT policy of
DROP.
The logging problem? It turns out I was getting logging. I'd
used "UDP" as my identifier. The actual log entry looks like
this (where "INPUT firewall: " is my identifier, note ':'
and the following blank in the identifier).
May 8 14:26:06 routerb kernel: INPUT firewall: IN=tun0 OUT=
MAC= SRC=10.8.0.6 DST=192.168.2.252 LEN=60 TOS=0x00
PREC=0x00 TTL=64 ID=42079 DF PROTO=TCP SPT=57501 DPT=22
WINDOW=14600 RES=0x00 SYN URGP=0
Using "UDP" (no ':' or blank) as my identifier, the output
had "UDPIN" as the start of the output. I didn't recognise
this as being from my iptables entry (I thought it was a
regular output from syslogd). I should have used "Joe" as my
identifier instead.
Nothing to this stuff really. It's all rational after the
fact. I'll go have some thorazine and whisky and read my
copy of Computer Guru's Weekly to calm down.
Bill and Thomas - thanks for the help
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
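Added example (not code from Joe's post, nor from the OpenVPN or netfilter projects): a POSIX sh script that emits the rule set the message describes as a dry run, so it can be reviewed before it touches a router, plus a small parser for the kernel log lines the LOG target writes. The rules cover the two points of the post: the OpenVPN traffic arrives first encapsulated on the outside interface (UDP 1194) and then again decapsulated on tun0, so tun0 needs its own ACCEPT even though it is kept out of the list of NATed interfaces. The parser shows why a prefix such as "UDP" (no ':' and no trailing blank) turns into "UDPIN=" and breaks field extraction. The interface names eth0/eth1/wlan0 and the second, "UDP"-prefixed log line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: eth0 is the
# outside interface, eth1 and wlan0 are the LAN interfaces, tun0 is the
# OpenVPN interface, OpenVPN listens on UDP 1194.
EXTIF="${EXTIF:-eth0}"
INTIFS="${INTIFS:-eth1 wlan0}"
VPNIF="${VPNIF:-tun0}"
VPNPORT="${VPNPORT:-1194}"
# Default is a dry run that only prints the commands. Set IPT=iptables
# (as root) to actually load the rules.
IPT="${IPT:-echo iptables}"

# Emit the rule set. Packets for the VPN are seen twice: encapsulated at
# $EXTIF:U1194 and, after OpenVPN decapsulates them, at tun0. With the
# INPUT policy at DROP both arrivals need an explicit ACCEPT.
ovpn_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # encapsulated OpenVPN traffic on the outside interface
    $IPT -A INPUT -i "$EXTIF" -p udp --dport "$VPNPORT" -j ACCEPT
    # decapsulated traffic reappearing on tun0 (e.g. ssh to tun0:T22)
    $IPT -A INPUT -i "$VPNIF" -j ACCEPT
    $IPT -A OUTPUT -o "$VPNIF" -j ACCEPT
    # LAN interfaces: accepted, and NATed out via $EXTIF only, so tun0
    # never gets masqueraded
    for intif in $INTIFS; do
        $IPT -A INPUT -i "$intif" -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    # log what is about to hit the DROP policy; the prefix ends in ': '
    # so the IN= field that follows stays a separate token
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT firewall: "
}

# Log line quoted in the post (prefix "INPUT firewall: ").
SAMPLE_OK='May 8 14:26:06 routerb kernel: INPUT firewall: IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=192.168.2.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42079 DF PROTO=TCP SPT=57501 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0'
# Constructed variant: same packet logged with --log-prefix "UDP".
SAMPLE_BAD='May 8 14:26:06 routerb kernel: UDPIN=tun0 OUT= MAC= SRC=10.8.0.6 DST=192.168.2.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42079 DF PROTO=TCP SPT=57501 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0'

# Print the log prefix: whatever sits between "kernel: " and "IN=".
nflog_prefix() {
    printf '%s\n' "$1" | sed -n 's/.*kernel: \([^=]*\)IN=.*/\1/p'
}

# Print the value of one KEY=VALUE field ($2) from a LOG line ($1).
# Fields are whitespace separated, so a prefix fused to "IN=" makes the
# IN field unparseable, which is exactly what happened with "UDP".
nflog_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Summarise a LOG line the way an admin would eyeball it.
nflog_summary() {
    printf '%s %s -> %s %s/%s\n' \
        "$(nflog_field "$1" IN)" "$(nflog_field "$1" SRC)" \
        "$(nflog_field "$1" DST)" "$(nflog_field "$1" PROTO)" \
        "$(nflog_field "$1" DPT)"
}

case "${1:-}" in
    --demo)
        ovpn_rules
        echo "prefix: '$(nflog_prefix "$SAMPLE_OK")'"
        nflog_summary "$SAMPLE_OK"
        echo "prefix: '$(nflog_prefix "$SAMPLE_BAD")'"
        nflog_summary "$SAMPLE_BAD"
        ;;
esac
```

Run it as `sh ovpn-fw.sh --demo` to see the rules printed and the two log lines summarised; the "UDP" line yields an empty IN field in the summary because its first token is "UDPIN=tun0". The `--log-prefix` value is limited to 29 characters by iptables, so keep the identifier short but end it with a colon and a blank.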