Help: Fedora 21, OpenVPN and iptables


ziger
Hello, here is the OpenVPN server configuration file:

dev tun
local x.x.x.x
proto udp
port 1194
server 10.0.0.0 255.255.255.0
ca /etc/pki/openvpn/umlapy-ca.crt
cert /etc/pki/openvpn/umlapy-server.crt
key /etc/pki/openvpn/umlapy-server.key
dh /etc/pki/openvpn/dh2048.pem
tls-auth /etc/pki/openvpn/ta.key 0
max-clients 10
persist-tun
persist-key
keepalive 10 120
cipher AES-256-CBC
comp-lzo
verb 4
user openvpn
group openvpn
#push "redirect-gateway def1"
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 89.231.1.206"
push "dhcp-option DNS 217.172.224.160"
push "dhcp-option DNS 217.172.224.100"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log

Which rules do I have to add to iptables so that OpenVPN works?

Here is the iptables configuration file:


*nat
:PREROUTING ACCEPT [383:26706]
:INPUT ACCEPT [367:25585]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.39:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.33:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 192.168.1.32:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9022 -j DNAT --to-destination 192.168.1.32:22
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9122 -j DNAT --to-destination 192.168.1.33:22
############################Platan
-A PREROUTING -i eth2 -p tcp -m tcp --dport 60443 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 10000 -j DNAT --to-destination 192.168.1.95
############################Platan
-A POSTROUTING ! -s x.x.x.x/29 -o eth2 -j SNAT --to-source x2.x2.x2.x2
COMMIT
*filter
:INPUT ACCEPT [691:84966]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24345:76681917]
-A INPUT -p icmp -j ACCEPT
#####################################################
-A INPUT -s y.0.0.0/8 -i eth2 -j DROP
#####################################################
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 10090:10100 -j ACCEPT
-A INPUT -i eth2 -j REJECT --reject-with icmp-host-prohibited
############################
-A FORWARD -i eth1 -m mac --mac-source 00:26:22:3d:2d:bc -j DROP
-A FORWARD -i eth1 ! -s 192.168.1.199 -d x3.x3.x3. -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i eth2 -j ACCEPT
-A FORWARD -s x.x.x.x/29 -i eth0 -j ACCEPT
-A FORWARD -d x.x.x.x/29 -i eth2 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I don't know iptables very well and I don't want to mess up these rules too much.
Here x.x.x.x is public address 1, x2.x2.x2.x2 is public address 2 and x3.x3.x3.x3 is public address 3.
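The following is an added example, not part of ziger's post. Reading the posted ruleset, three things stand out. First, both the INPUT and FORWARD chains end in a REJECT, so anything simply appended (`-A`) after those lines is never reached; the new rules must be spliced in before the REJECTs. Second, INPUT is only restricted for `-i eth2` (the chain policy is ACCEPT), so traffic arriving from clients on the tun device needs no INPUT rule; what is missing is UDP 1194 from eth2 and the FORWARD rules for client traffic. Third, the existing `-A POSTROUTING ! -s x.x.x.x/29 -o eth2 -j SNAT` already matches packets from 10.0.0.0/24 leaving eth2, so the nat table needs no change for `redirect-gateway` to work. The script below takes an iptables-restore file on stdin and inserts the three needed rules at the right positions, then checks that each ACCEPT really precedes its chain's REJECT. It assumes the tun device is tun0, that eth2 is the WAN interface (as the posted rules imply), and that the saved ruleset lives in /etc/sysconfig/iptables as with iptables-services; the sample ruleset embedded in it is a constructed excerpt of the posted filter table.

```shell
#!/bin/sh
# Added example (not from the original post): splice the rules OpenVPN needs
# into an iptables-restore file like the one posted above, putting them BEFORE
# the final REJECT rules of INPUT and FORWARD so they are actually reached.
# Port and subnet come from the posted server config ("port 1194",
# "server 10.0.0.0 255.255.255.0"); the tun device name (tun0) and eth2 as
# the WAN interface are assumptions taken from the posted rules.

WAN_IF="${WAN_IF:-eth2}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.0.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Read an iptables-restore file on stdin, write the patched file on stdout.
splice_openvpn_rules() {
  awk -v wan="$WAN_IF" -v tun="$VPN_IF" -v net="$VPN_NET" -v port="$VPN_PORT" '
    # 1. The UDP handshake must get past the "-i eth2 ... REJECT" at the end
    #    of INPUT; replies are already covered by the RELATED,ESTABLISHED rule.
    $0 ~ ("^-A INPUT -i " wan " -j REJECT") {
      print "-A INPUT -i " wan " -p udp -m udp --dport " port " -j ACCEPT"
    }
    # 2. Client traffic arriving on tun0 (to the LAN via the pushed route, and
    #    to the Internet via redirect-gateway) must pass the FORWARD REJECT.
    # 3. Internet replies come in on eth2 with a 10.0.0.x destination, which
    #    no existing FORWARD rule accepts, so let established flows back out
    #    to tun0 without opening the VPN subnet to new inbound connections.
    /^-A FORWARD -j REJECT/ {
      print "-A FORWARD -i " tun " -s " net " -j ACCEPT"
      print "-A FORWARD -o " tun " -m state --state RELATED,ESTABLISHED -j ACCEPT"
    }
    { print }
  '
}

# Line number of the first line containing the given fixed string (empty if none).
rule_line() {
  printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# Sanity check on a patched ruleset: every added ACCEPT must precede the REJECT
# of its chain, otherwise it is dead. Returns 0 when the ordering is right.
check_order() {
  patched="$1"
  in_accept=$(rule_line "$patched" "-A INPUT -i $WAN_IF -p udp -m udp --dport $VPN_PORT -j ACCEPT")
  in_reject=$(rule_line "$patched" "-A INPUT -i $WAN_IF -j REJECT")
  fw_accept=$(rule_line "$patched" "-A FORWARD -i $VPN_IF -s $VPN_NET -j ACCEPT")
  fw_reject=$(rule_line "$patched" "-A FORWARD -j REJECT")
  [ -n "$in_accept" ] && [ -n "$in_reject" ] &&
  [ -n "$fw_accept" ] && [ -n "$fw_reject" ] &&
  [ "$in_accept" -lt "$in_reject" ] && [ "$fw_accept" -lt "$fw_reject" ]
}

# Constructed sample: the lines of the posted *filter table that matter here.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i eth2 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Run with "demo" to see the patched sample. On the real box (as root):
#   splice_openvpn_rules < /etc/sysconfig/iptables > /tmp/iptables.new
#   iptables-restore --test /tmp/iptables.new && iptables-restore /tmp/iptables.new
if [ "${1:-}" = "demo" ]; then
  patched=$(printf '%s\n' "$SAMPLE_RULES" | splice_openvpn_rules)
  printf '%s\n' "$patched"
  check_order "$patched" && echo "OK: OpenVPN rules precede their chain's REJECT"
fi
```

Two caveats. `check_order` fails if the file has no matching REJECT lines (nothing would have been inserted), so do not load a file it rejects. LAN hosts must also be able to route replies to 10.0.0.0/24 back through this box; if the box is their default gateway that is already the case, otherwise either add a route on the LAN side or add a second SNAT/MASQUERADE rule for `-s 10.0.0.0/24 -o eth1`. IP forwarding is evidently already enabled, since the box forwards between eth1 and eth2. Note too that Fedora 21 ships firewalld by default; this example applies to the iptables-services style ruleset shown in the post.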