ziger Posted April 18, 2020
Hello, here is the openvpn server configuration file:

dev tun
local x.x.x.x
proto udp
port 1194
server 10.0.0.0 255.255.255.0
ca /etc/pki/openvpn/umlapy-ca.crt
cert /etc/pki/openvpn/umlapy-server.crt
key /etc/pki/openvpn/umlapy-server.key
dh /etc/pki/openvpn/dh2048.pem
tls-auth /etc/pki/openvpn/ta.key 0
max-clients 10
persist-tun
persist-key
keepalive 10 120
cipher AES-256-CBC
comp-lzo
verb 4
user openvpn
group openvpn
#push "redirect-gateway def1"
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 89.231.1.206"
push "dhcp-option DNS 217.172.224.160"
push "dhcp-option DNS 217.172.224.100"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log

What rules do I need to add to iptables so that openvpn works? Here is the iptables configuration file:

*nat
:PREROUTING ACCEPT [383:26706]
:INPUT ACCEPT [367:25585]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.39:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.33:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 192.168.1.32:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9022 -j DNAT --to-destination 192.168.1.32:22
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9122 -j DNAT --to-destination 192.168.1.33:22
############################Platan
-A PREROUTING -i eth2 -p tcp -m tcp --dport 60443 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 10000 -j DNAT --to-destination 192.168.1.95
############################Platan
-A POSTROUTING ! -s x.x.x.x/29 -o eth2 -j SNAT --to-source x2.x2.x2.x2
COMMIT
*filter
:INPUT ACCEPT [691:84966]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24345:76681917]
-A INPUT -p icmp -j ACCEPT
#####################################################
-A INPUT -s y.0.0.0/8 -i eth2 -j DROP
#####################################################
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 10090:10100 -j ACCEPT
-A INPUT -i eth2 -j REJECT --reject-with icmp-host-prohibited
############################
-A FORWARD -i eth1 -m mac --mac-source 00:26:22:3d:2d:bc -j DROP
-A FORWARD -i eth1 ! -s 192.168.1.199 -d x3.x3.x3. -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i eth2 -j ACCEPT
-A FORWARD -s x.x.x.x/29 -i eth0 -j ACCEPT
-A FORWARD -d x.x.x.x/29 -i eth2 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I don't know iptables very well and I don't want to mess up these rules too much. Here x.x.x.x is the first public address, x2.x2.x2.x2 the second public address and x3.x3.x3.x3 the third public address.
Rathann Posted May 19, 2020
Before the DROP/REJECT rules, add rules with -j LOG and see what is being rejected. Then add the appropriate rules allowing the traffic you want to let through.
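The procedure Rathann describes, as an added example that is not part of the thread or of either poster's configuration: a POSIX shell script that prints the LOG rules and the OpenVPN allow rules to apply on top of ziger's ruleset, and turns the kernel log lines those LOG rules produce into the matching ACCEPT rule. It assumes eth2 is the WAN, eth1 the 192.168.1.0/24 LAN and tun0 the OpenVPN "dev tun" device; the log prefixes and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions taken from ziger's config: eth2 = WAN,
# eth1 = LAN 192.168.1.0/24, tun0 = the "dev tun" device, VPN subnet 10.0.0.0/24, UDP/1194.
# Interface names, the "FW-*-REJECT:" log prefixes and the sample log lines are constructed.

# Step 1 (Rathann's advice): a rate-limited LOG rule right before each REJECT, plus the rules
# OpenVPN itself needs. Printed rather than executed so they can be reviewed first.
openvpn_rules() {
  cat <<'EOF'
# INPUT: accept the OpenVPN handshake on the WAN side (proto udp, port 1194 from server.conf)
iptables -D INPUT -i eth2 -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -i eth2 -p udp -m state --state NEW --dport 1194 -j ACCEPT
# log only what is about to be rejected, then re-append the REJECT behind the LOG rule
iptables -A INPUT -i eth2 -m limit --limit 5/min -j LOG --log-prefix "FW-IN-REJECT: " --log-level 4
iptables -A INPUT -i eth2 -j REJECT --reject-with icmp-host-prohibited
# FORWARD: VPN clients reach the LAN and, because of push "redirect-gateway", the internet via eth2
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -i tun0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -o tun0 -d 10.0.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
# (the existing "-A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT" lets the LAN answer, and the
#  existing POSTROUTING SNAT "! -s x.x.x.x/29 -o eth2" already NATs 10.0.0.0/24 leaving via eth2)
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-REJECT: " --log-level 4
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Step 2: read the kernel log lines the LOG rules produce and turn each into the ACCEPT rule
# that would have allowed it (TCP/UDP only; ICMP has no DPT= field and is skipped).
field() { printf '%s\n' "$2" | awk -v k="$1" '{for(i=1;i<=NF;i++) if(index($i,k"=")==1) print substr($i,length(k)+2)}'; }

suggest_rule() {
  iface_in=$(field IN "$1"); iface_out=$(field OUT "$1")
  proto=$(field PROTO "$1" | tr 'A-Z' 'a-z'); dpt=$(field DPT "$1")
  [ -n "$iface_in" ] && [ -n "$proto" ] && [ -n "$dpt" ] || return 1
  if [ -z "$iface_out" ]; then   # empty OUT= means the packet was addressed to this host: INPUT chain
    printf 'iptables -I INPUT -i %s -p %s -m state --state NEW --dport %s -j ACCEPT\n' "$iface_in" "$proto" "$dpt"
  else                           # IN= and OUT= both set: the packet was being routed: FORWARD chain
    printf 'iptables -I FORWARD -i %s -o %s -p %s --dport %s -j ACCEPT\n' "$iface_in" "$iface_out" "$proto" "$dpt"
  fi
}

# constructed sample lines in the format the kernel writes for -j LOG
SAMPLE_INPUT_LOG='Apr 18 12:00:00 gw kernel: FW-IN-REJECT: IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=51234 DPT=1194 LEN=40'
SAMPLE_FWD_LOG='Apr 18 12:00:05 gw kernel: FW-FWD-REJECT: IN=tun0 OUT=eth1 MAC= SRC=10.0.0.6 DST=192.168.1.39 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

openvpn_rules
suggest_rule "$SAMPLE_INPUT_LOG"
suggest_rule "$SAMPLE_FWD_LOG"
```

The suggested rules use -I so they land at the top of the chain, ahead of the REJECT; review each one before applying it rather than allowing everything the log shows.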