OpenVPN & IP Tables issue

  • 01-08-2013 08:31AM
    #1

    Hi,

    I recently installed OpenVPN on a server and the rules in my IP Tables are no longer working correctly and I can't figure it out, not really understanding the FORWARD directive. The parts marked "added for OpenVPN" are what I added for OpenVPN. OpenVPN is working fine, but every machine now has access to ports 22, 3551, 9091 & 9092, both over VPN and the local network. This was not the case before I added those parts.
    # added for OpenVPN:
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # end of added part
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m conntrack --ctstate NEW -m tcp -m multiport --dports 3551,9091,9092 -j ACCEPT
    -A INPUT -i eth0 -p tcp -s 192.168.0.5 -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,9091,9092 -j ACCEPT
    -A INPUT -i eth0 -p tcp -s 192.168.0.19 -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,9091,9092 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    # added for OpenVPN:
    -A FORWARD -i eth0 -o tun0 -m conntrack --csstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
    # end of added part
    COMMIT
    

    The problem seems to be with this line:
    -A FORWARD -i eth0 -o tun0 -m conntrack --csstate RELATED,ESTABLISHED -j ACCEPT
    

    When it is left out, the rules work OK locally, but then OpenVPN is not accessible. What is happening here that this allows all NEW connections to these ports from any IP address?
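An added example, not code from the original post, showing why one bad option takes the whole table with it: iptables-restore parses each *table ... COMMIT block before committing it, so an option it does not recognise (such as --csstate under -m conntrack) aborts the load with an error, and the filter table keeps whatever was in the kernel before the reload, which on a fresh boot is no rules at all with an ACCEPT policy on every chain. The linter below parses the iptables-restore format offline and reports unknown match-module options, undeclared chains and unknown targets before anything touches the live firewall. The option tables are assumptions drawn from the iptables-extensions manual and cover only the modules and targets used in the sample; the sample ruleset is a copy of the one in the post, typo included.

```python
import shlex

# Options accepted by each match module. "-p tcp" loads the tcp match
# implicitly, so protocol names appear here too. Assumed from the
# iptables-extensions manual; only the modules used in the sample are covered.
MATCH_OPTIONS = {
    "conntrack": {"--ctstate", "--ctproto", "--ctorigsrc", "--ctorigdst",
                  "--ctreplsrc", "--ctrepldst", "--ctstatus", "--ctexpire",
                  "--ctdir"},
    "multiport": {"--sports", "--dports", "--ports",
                  "--source-ports", "--destination-ports"},
    "tcp": {"--sport", "--dport", "--source-port", "--destination-port",
            "--tcp-flags", "--syn", "--tcp-option"},
    "udp": {"--sport", "--dport", "--source-port", "--destination-port"},
}
# Options that belong to a target (-j) extension rather than to a match.
TARGET_OPTIONS = {
    "REJECT": {"--reject-with"},
    "MASQUERADE": {"--to-ports", "--random"},
    "SNAT": {"--to-source"},
    "DNAT": {"--to-destination"},
}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN"} | set(TARGET_OPTIONS)
# Options understood by iptables itself, independent of any module.
GENERIC = {"-i", "-o", "-s", "-d", "-p", "-m", "-j", "--in-interface",
           "--out-interface", "--source", "--destination", "--protocol",
           "--match", "--jump"}
CHAIN_OPS = {"-A", "-I", "-D", "--append", "--insert", "--delete"}


def lint_ruleset(text):
    """Return a list of 'line N: ...' findings for an iptables-restore file.
    An empty list means the file should load as far as this linter can tell;
    it checks which options exist for the modules a rule has loaded, not
    the option arguments themselves."""
    findings = []
    table, chains = None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # start of a table block
            table, chains = line[1:], {}
            continue
        if line.startswith(":"):            # chain declaration with policy
            name, policy = line[1:].split()[:2]
            chains[name] = policy
            continue
        if line == "COMMIT":
            table = None
            continue
        if table is None:
            findings.append(f"line {lineno}: rule outside a *table/COMMIT block")
            continue
        tokens = shlex.split(line)
        loaded, target = set(), None
        for i, tok in enumerate(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok in CHAIN_OPS:
                if nxt not in chains:
                    findings.append(f"line {lineno}: chain {nxt!r} is not declared in table {table!r}")
            elif tok in ("-m", "--match"):
                loaded.add(nxt)
                if nxt not in MATCH_OPTIONS:
                    findings.append(f"line {lineno}: unknown match module {nxt!r}")
            elif tok in ("-p", "--protocol"):
                loaded.add(nxt)             # the protocol match loads implicitly
            elif tok in ("-j", "--jump"):
                target = nxt
                if target not in BUILTIN_TARGETS and target not in chains:
                    findings.append(f"line {lineno}: unknown target {target!r}")
            elif tok.startswith("-") and tok not in GENERIC:
                allowed = set(TARGET_OPTIONS.get(target, ()))
                for mod in loaded:
                    allowed |= MATCH_OPTIONS.get(mod, set())
                if tok not in allowed:
                    findings.append(f"line {lineno}: unknown option {tok!r} "
                                    f"(loaded modules: {sorted(loaded) or 'none'})")
    return findings


# Constructed sample: the ruleset from the post, with the --csstate typo.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.168.0.2 -m conntrack --ctstate NEW -m tcp -m multiport --dports 3551,9091,9092 -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.168.0.5 -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,9091,9092 -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.168.0.19 -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,9091,9092 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o tun0 -m conntrack --csstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
COMMIT
"""
FIXED = SAMPLE.replace("--csstate", "--ctstate")

if __name__ == "__main__":
    for label, rules in (("as posted", SAMPLE), ("typo fixed", FIXED)):
        print(f"{label}: {lint_ruleset(rules) or 'no findings'}")
```

Run as a script it reports the one bad line for the posted ruleset and nothing for the corrected copy. The linter is a pre-check, not a substitute for the real parser: iptables-restore's own --test option (parse and build the ruleset without committing it) is the authoritative check to run before a reload, and wiring that into whatever script applies the rules at boot keeps a typo from silently leaving the filter table empty.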


Comments

  • jester77


    oops, nevermind... was a silly typo :o
    -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    

