ziger

Help: Fedora 21 OpenVPN and iptables

Hello, here is the OpenVPN server configuration file:

dev tun
local x.x.x.x
proto udp
port 1194
server 10.0.0.0 255.255.255.0
ca /etc/pki/openvpn/umlapy-ca.crt
cert /etc/pki/openvpn/umlapy-server.crt
key /etc/pki/openvpn/umlapy-server.key
dh /etc/pki/openvpn/dh2048.pem
tls-auth /etc/pki/openvpn/ta.key 0
max-clients 10
persist-tun
persist-key
keepalive 10 120
cipher AES-256-CBC
comp-lzo
verb 4
user openvpn
group openvpn
#push "redirect-gateway def1"
push "redirect-gateway"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 89.231.1.206"
push "dhcp-option DNS 217.172.224.160"
push "dhcp-option DNS 217.172.224.100"

#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"

log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log

What rules do I need to add to iptables for OpenVPN to work?

Here is the iptables configuration file:


*nat
:PREROUTING ACCEPT [383:26706]
:INPUT ACCEPT [367:25585]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.39:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.33:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 192.168.1.32:443
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9022 -j DNAT --to-destination 192.168.1.32:22
-A PREROUTING -i eth2 -p tcp -m tcp --dport 9122 -j DNAT --to-destination 192.168.1.33:22
############################Platan
-A PREROUTING -i eth2 -p tcp -m tcp --dport 60443 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -i eth2 -p udp -m udp --dport 10000 -j DNAT --to-destination 192.168.1.95
############################Platan
-A POSTROUTING ! -s x.x.x.x/29 -o eth2 -j SNAT --to-source x2.x2.x2.x2
COMMIT
*filter
:INPUT ACCEPT [691:84966]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24345:76681917]
-A INPUT -p icmp -j ACCEPT
#####################################################
-A INPUT -s y.0.0.0/8 -i eth2 -j DROP
#####################################################
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 10090:10100 -j ACCEPT
-A INPUT -i eth2 -j REJECT --reject-with icmp-host-prohibited
############################
-A FORWARD -i eth1 -m mac --mac-source 00:26:22:3d:2d:bc -j DROP
-A FORWARD -i eth1 ! -s 192.168.1.199 -d x3.x3.x3. -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i eth2 -j ACCEPT
-A FORWARD -s x.x.x.x/29 -i eth0 -j ACCEPT
-A FORWARD -d x.x.x.x/29 -i eth2 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
I don't know iptables very well and I don't want to mess up these rules too much.
Here x.x.x.x is the first public address, x2.x2.x2.x2 the second public address, and x3.x3.x3.x3 the third public address.

Before the DROP/REJECT rules, add rules with -j LOG and see what is being rejected. Then add the appropriate rules allowing the traffic you want to let through.
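The reply's LOG advice, together with the lines the posted ruleset is missing for the OpenVPN setup above, as an added example that is not part of the original thread. It assumes the WAN interface is eth2, the LAN is eth1 and OpenVPN's device is tun0 (names not stated in the post); it only prints the lines for review instead of touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the iptables lines the
# posted ruleset lacks for OpenVPN, plus the LOG lines the reply suggests.
# Assumptions: WAN is eth2, LAN is eth1, the tunnel device is tun0; OpenVPN
# listens on udp/1194 and hands out 10.0.0.0/24 (from the posted server config).
# Nothing is applied to a live firewall: review the output and paste each
# line into the iptables file just above the matching "-j REJECT" line.

WAN_IF=${WAN_IF:-eth2}
LAN_IF=${LAN_IF:-eth1}
VPN_IF=${VPN_IF:-tun0}
VPN_PORT=${VPN_PORT:-1194}
VPN_NET=${VPN_NET:-10.0.0.0/24}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# *filter additions. INPUT on tun0 needs nothing: the posted INPUT chain only
# rejects eth2, and the posted SNAT already matches "! -s x.x.x.x/29", so the
# 10.0.0.0/24 clients are translated on eth2 without a new *nat rule.
openvpn_filter_rules() {
    # Let clients reach the daemon; tls-auth and certificates do the real gating.
    printf '%s\n' "-A INPUT -i $WAN_IF -p udp -m udp --dport $VPN_PORT -j ACCEPT"
    # tun0 -> LAN for the pushed 192.168.1.0/24 route (LAN -> tun0 is already
    # accepted by the existing "-s 192.168.1.0/24 -i eth1" rule).
    printf '%s\n' "-A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT"
    # tun0 -> internet for redirect-gateway, and only replies coming back in.
    printf '%s\n' "-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# The reply's advice: a rate-limited LOG directly before each final REJECT,
# so the kernel log (journalctl -k) shows what is still being refused.
log_before_reject_rules() {
    for chain in INPUT FORWARD; do
        printf '%s\n' "-A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain-REJECT: \" --log-level 4"
    done
}

if [ "${1:-}" = "--print" ]; then
    echo '# add to *filter, each line above the corresponding -j REJECT line'
    openvpn_filter_rules
    log_before_reject_rules
fi
```

If the LAN hosts use a different default gateway than this server, they also need a route for 10.0.0.0/24 pointing at it, or their replies to VPN clients never come back through tun0.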
