| View previous topic :: View next topic |
| Author |
Message |
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1604
Location: Fayetteville, NC, USA
|
 Posted: Wed Jan 15, 2025 7:17 pm Post subject: OpenVPN stopped passing data... |
 |
|
I have an OLD (2009) client running OpenVPN on a Linux server that has been solid for ages. Suddenly, this changed. OpenVPN connects, but we cannot access LAN resources. I BELIEVE it is due to an update that reset the firewall rules. I found an old firewall script I wrote, but it does not work. I can only reach the server itself.
LAN: 192.168.111.0/24
OpenVPN: 192.168.110.0/24
Server: 192.168.111.201
PCs: 192.168.111.101-15
Firewall Script:
| Code: |
#!/bin/bash
# Clear out everything
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Always allow lo unless you want to murder Linux
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Setup the input table
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A INPUT -i enp3s0 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i enp3s0 -p udp --dport openvpn -j ACCEPT
iptables -A INPUT -i enp3s0 -p udp --dport bootps:bootpc -j ACCEPT
iptables -A INPUT -i enp3s0 -p udp --dport domain -j ACCEPT
iptables -A INPUT -i enp3s0 -p tcp --dport microsoft-ds -j ACCEPT
iptables -A INPUT -i enp3s0 -p tcp --dport netbios-ssn -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
# Setup the output table
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p udp --dport domain -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p udp --dport bootps:bootpc -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p udp --dport ntp -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport microsoft-ds -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport netbios-ssn -j ACCEPT
iptables -A OUTPUT -o enp3s0 -p tcp --dport rsync -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT
# Setup the forward table
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.110.0/24 -i tun0 -o enps3s0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 8/0 -j ACCEPT
# Setup the postrouting table
iptables -t nat -A POSTROUTING -s 192.168.110.0/24 -o enp3s0 -j MASQUERADE
# Setup logging
# iptables -A INPUT -j LOG --log-prefix "!!! IN "
# iptables -A OUTPUT -j LOG --log-prefix "!!! OUT "
# iptables -A FORWARD -j LOG --log-prefix "!!! FWD "
|
Does anybody have any ideas here?
_________________
Ever picture systemd as what runs "The Borg"? |
|
| Back to top |
|
 |
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23003
|
| Posted: Wed Jan 15, 2025 7:37 pm Post subject: |
|
|
Is IPv4 forwarding enabled? Can you give an example of a specific connection that doesn't work?
Why is this done as a shell script with no error checking? Gentoo has the ability to save iptables rules and play them back on boot. |
|
| Back to top |
|
|
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1604
Location: Fayetteville, NC, USA
|
| Posted: Wed Jan 15, 2025 7:52 pm Post subject: |
|
|
This is an OLD system, but I just checked and net.ipv4.ip_forward is indeed set to 1. I wrote this script a decade ago. It is not run any more and instead iptables are saved and loaded as you said. The script got me this far.
| Code: |
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT icmp -- anywhere anywhere icmptype 8 code 0
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.110.0/24 anywhere
ACCEPT icmp -- anywhere anywhere icmptype 8 code 0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:rsync
ACCEPT icmp -- anywhere anywhere icmptype 8 code 0
[sv01 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.110.0/24 anywhere
|
Hope that helps.
_________________
Ever picture systemd as what runs "The Borg"? |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
