Pomocy Fedora 21 Openvpn i iptables

ziger · April 18, 2020

Witam , plik konfiguracyjny serwera openvpn

dev tun
local x.x.x.x
proto udp
port 1194
server 10.0.0.0 255.255.255.0
ca /etc/pki/openvpn/umlapy-ca.crt
cert /etc/pki/openvpn/umlapy-server.crt
key /etc/pki/openvpn/umlapy-server.key
dh /etc/pki/openvpn/dh2048.pem
tls-auth /etc/pki/openvpn/ta.key 0
max-clients 10
persist-tun
persist-key
keepalive 10 120
cipher AES-256-CBC
comp-lzo
verb 4
user openvpn
group openvpn
#push "redirect-gateway def1"
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 89.231.1.206"
push "dhcp-option DNS 217.172.224.160"
push "dhcp-option DNS 217.172.224.100"

#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"

log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log

jakie mam reguły dodać do iptables żeby mi chodził openvpn

o to plik konfiguracyjny iptables

*nat
:PREROUTING ACCEPT [383:26706]
:INPUT ACCEPT [367:25585]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.39:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.33:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 192.168.1.32:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9022 -j DNAT --to-destination 192.168.1.32:22
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9122 -j DNAT --to-destination 192.168.1.33:22
############################Platan
-A PREROUTING -i eth2 -p tcp -m tcp --dport 60443 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 10000 -j DNAT --to-destination 192.168.1.95
############################Platan
-A POSTROUTING ! -s x.x.x.x/29 -o eth2 -j SNAT --to-source x2.x2.x2.x2
COMMIT
*filter
:INPUT ACCEPT [691:84966]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24345:76681917]
-A INPUT -p icmp -j ACCEPT
#####################################################
-A INPUT -s y.0.0.0/8 -i eth2 -j DROP
#####################################################
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 10090:10100 -j ACCEPT
-A INPUT -i eth2 -j REJECT --reject-with icmp-host-prohibited
############################
-A FORWARD -i eth1 -m mac --mac-source 00:26:22:3d:2d:bc -j DROP
-A FORWARD -i eth1 ! -s 192.168.1.199 -d x3.x3.x3. -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i eth2 -j ACCEPT
-A FORWARD -s x.x.x.x/29 -i eth0 -j ACCEPT
-A FORWARD -d x.x.x.x/29 -i eth2 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Nie z am się za bardzo na iptables i niechce za mocno namieszać w tych regułach
gdzie x.x.x.x adres publiczny 1 , x2.x2.x2.x2 adres publiczny drugi ,x3.x3.x3.x3 adres publiczny trzeci

Rathann · May 19, 2020

Przed regułami DROP/REJECT dodaj regułki z -j LOG i zobacz, co jest odrzucane. Potem dodaj odpowiednie reguły zezwalające na ruch, który chcesz przepuścić.

Sign In

Pomocy Fedora 21 Openvpn i iptables

Recommended Posts

ziger

Link to comment

Share on other sites

Rathann

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Browse

Activity

Fedora.pl