I'm at my wits' end. I'm trying to, from a remote client (Box 1), via
OpenVPN, tunnel to a Linux Box 2 with firewall and NAT, and forward
packets to a Web Server (Box 3) on the LAN.
1) The OpenVPN tunneling to Box 2 works great. No problems.
2) From the Client (Box 1), I can VPN tunnel and access services like
FTP, Telnet, and Web on Box 2. I can even block them by editing the
iptables file.
3) But I cannot figure out how to force Box 2 to forward Web requests
to Box 3, and Web responses back to Box 2, then Box 1.
I assume that, as far as the iptables within Box 2 are concerned, the VPN
has nothing to do with the forwarding.
I simply want to forward the Web traffic entering eth0 (1.2.3.4) and NAT
it to the Web Server at 10.0.1.2, and back out to the Client.
Please take a look at the bottom of my iptables script. I know I'm doing
something wrong.
Any help is greatly appreciated, as it will preserve my sanity for
another month.
Thanks bunches,
Kelli
Box 1 (Remote)                                                    Box 2 (Linux w/2 NICs,
                                                                  on LAN w/ Box 3 below)
Client       ISP        Tunnel addresses with OpenVPN             ISP          NAT
----------   ---------  ------------------------------------      ----------   -----------
(10.0.2.1)   (4.5.6.7)  [192.168.250.253 -- 192.168.250.254]      (1.2.3.4)    (10.0.1.1)
                                                                  eth0         eth1
                                                                                |
                                               Forward packets arriving         |
                                               @ 1.2.3.4 to                     |
                                                                                |
                                                                  Box 3: Linux Web Server
                                                                  (10.0.1.2)
                                                                  Serves Box 1, via Box 2
                                                                  (GW for Box 3 is Box 2)
#!/bin/bash
# eth0 is connected to the internet.
# eth1 is connected to a private subnet.
PRIVATE=10.0.1.0/24
# Loopback address
LOOP=127.0.0.1
echo "1" > /proc/sys/net/ipv4/ip_forward
# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
# "-F" only flushes the filter table. Without this the nat rules below
# (MASQUERADE, DNAT, SNAT) pile up every time the script is re-run.
iptables -t nat -F
# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Prevent external packets from using loopback addr
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP
# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Check source address validity on packets going out to internet
# ("-s ! addr" is the old, deprecated spelling; the negation goes first.)
iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP
# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you are taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade local subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
#########################################################################
# The above apparently works. Just trying to forward Web traffic to Box 3.
# I know there are problems here...
# Port-forward HTTP arriving for 1.2.3.4 to the web server on Box 3.
# nat/PREROUTING is evaluated before the routing decision, regardless of
# where the DNAT rule sits in this script, so by the time the packet reaches
# FORWARD its destination already reads 10.0.1.2:80 and it is eth0 -> eth1.
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 \
    -j DNAT --to-destination 10.0.1.2:80
# POSTROUTING chain: anything else still leaving via eth0 (this also catches
# traffic from VPN clients) goes out with the public address as its source.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
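As an added example (this is not Kelli's script, and not something the post itself contains), here is a stand-alone, re-runnable version of the port forward that the bottom section of the script is trying to do: the DNAT in nat/PREROUTING, the FORWARD accept matched on the post-DNAT destination, the return path, the hairpin SNAT that LAN clients need, and a `check` mode that lists what to look at when it still fails. Interface names and addresses are the ones in the diagram; the tunnel network VPN_NET (192.168.250.0/24), the private chain names and the DRYRUN wrapper are assumptions and conveniences of the example, not anything stated in the post.

```shell
#!/bin/sh
# Added example, not the script from the post. Everything is taken from the
# post's diagram except VPN_NET, which is an ASSUMPTION about the OpenVPN
# tunnel network (the post only shows the two endpoints .253 and .254).
EXT_IF=eth0                # Box 2, Internet side
EXT_IP=1.2.3.4
INT_IF=eth1                # Box 2, LAN side
INT_IP=10.0.1.1
LAN=10.0.1.0/24
WEB=10.0.1.2               # Box 3
VPN_NET=192.168.250.0/24   # assumed

# Run a command, or only print it when DRYRUN is set. Lets the rule set be
# reviewed (or tested) without root and without touching the live firewall.
run() {
    if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

# hook TABLE BUILTIN CHAIN: make sure CHAIN exists, is empty, and is jumped
# to exactly once from BUILTIN, so running the script twice does not stack
# a second copy of every rule. Plain "iptables -F" never touches the nat
# table, which is how duplicate DNAT/SNAT rules creep in.
hook() {
    ipt -t "$1" -N "$3" 2>/dev/null || true
    ipt -t "$1" -F "$3"
    ipt -t "$1" -D "$2" -j "$3" 2>/dev/null || true
    ipt -t "$1" -A "$2" -j "$3"
}

apply_port_forward() {
    run sysctl -w net.ipv4.ip_forward=1
    hook nat    PREROUTING  WEB_DNAT
    hook nat    POSTROUTING WEB_SNAT
    hook filter FORWARD     WEB_FWD

    # 1) Rewrite the destination of anything aimed at 1.2.3.4:80, whatever
    #    interface it arrives on (eth0 from the Internet, tun+ from VPN
    #    clients, eth1 from the LAN). Deliberately no "-i eth0".
    ipt -t nat -A WEB_DNAT -p tcp -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB:80"

    # 2) nat/PREROUTING runs before the routing decision, so FORWARD already
    #    sees the rewritten destination: match the web server, not 1.2.3.4.
    #    Accept new connections in and tracked replies back out.
    ipt -A WEB_FWD -o "$INT_IF" -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A WEB_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3) Hairpin: a host on 10.0.1.0/24 that browses to 1.2.3.4 is DNATed to
    #    Box 3, which would answer it directly on the same subnet, bypassing
    #    Box 2 and its conntrack entry; the client then sees a reply from
    #    10.0.1.2 for a connection it opened to 1.2.3.4 and drops it.
    #    Rewriting the source to Box 2's LAN address forces the reply back
    #    through Box 2, which undoes both translations.
    ipt -t nat -A WEB_SNAT -o "$INT_IF" -s "$LAN" -d "$WEB" -p tcp --dport 80 \
        -j SNAT --to-source "$INT_IP"

    # 4) Ordinary outbound masquerade for the LAN and for VPN clients.
    ipt -t nat -A WEB_SNAT -o "$EXT_IF" -s "$LAN"     -j MASQUERADE
    ipt -t nat -A WEB_SNAT -o "$EXT_IF" -s "$VPN_NET" -j MASQUERADE
}

# What to look at when it still does not work: is forwarding on, do the
# packet counters on the DNAT and FORWARD rules move while a client retries,
# and does the SYN actually leave eth1 toward Box 3 (needs tcpdump)?
check_port_forward() {
    run sysctl net.ipv4.ip_forward
    ipt -t nat -L WEB_DNAT -n -v
    ipt -L WEB_FWD -n -v
    run timeout 15 tcpdump -ni "$INT_IF" -c 5 "tcp port 80 and host $WEB"
}

case "${1:-}" in
    apply) apply_port_forward ;;
    check) check_port_forward ;;
esac
```

`DRYRUN=1 sh forward.sh apply` prints the rule set without root; `sh forward.sh apply` as root installs it and can be re-run as often as you like; `sh forward.sh check` shows the counters and sniffs eth1 for the forwarded SYN. `-m conntrack --ctstate` is the current spelling of the `-m state --state` used in the post's script. Once the DNAT is in place, port 80 on 1.2.3.4 belongs to Box 3 for every other host: nat/PREROUTING runs before the INPUT/FORWARD decision, so Box 2's own `--dport http` INPUT rule no longer sees that traffic.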