August 20, 2009 at 4:48 pm #41871
Ok basic iptables question for you guys:
I have a non-bridged Host – LAN VPN setup.
Normal interface setup:
ETH00 – LAN 10.1.8.1/255.255.0.0
ETH01 – Internet x.x.x.x/27
VPN99 – 10.1.8.1 client range 10.1.8.10-20
Firewall chains are set:
What rules do I need to add to the chains to allow all traffic between client and connected LAN to pass?
Thanks guys.
August 20, 2009 at 9:52 pm #48655
There is something wrong here. ETH00 and VPN99 have the same IP. If you want them to have the same IP you have to bridge them and if you do that the firewall will not interfere with the traffic properly.
My suggestion is to change the subnet of VPN99 to 10.1.10.1/255.255.255.240 (which provides you with the 10 IPs you want for VPN) and change the FORWARD chain to ACCEPT. You have a router there and you should treat it like a router and not a firewall that blocks everything. Then you can make specific rules of what you want to block from VPN to ETH.
August 20, 2009 at 10:35 pm #48656
Ok will do. I’ll see what I can come up with. I was able to bridge vpn – eth00 and everything worked ok but I don’t want all the broadcast traffic that this seems to include. I’ll change the subnets as you suggested and will post my results.
Thanks
August 17, 2010 at 8:36 pm #48657
I have roughly the same situation as TS.
I am trying to make a PPTP connection.
eth00 LAN 192.168.8.0/24
eth01 DHCP internet
I have edited pptpd.conf with a local IP in my eth00 range.
I have to use the Zeroshell box as a firewall and a router, since it’s my outside connection.
I have the INPUT, OUTPUT and FORWARD chains set so that everything from the LAN can go everywhere and everything from the internet is blocked except for RELATED and ESTABLISHED.
The default policy for INPUT and FORWARD is block.
Now my problem is: (test) connecting from my LAN works OK, but no internet or other network resources. When I set the FORWARD chain to ACCEPT as default then everything works.
Can someone tell me what (how) I have to make ACCEPT rules for in the FORWARD chain?
I tried GRE and TCP port 1723, but I can’t get it to work.
Does anyone know what I should do?
August 18, 2010 at 1:36 am #48658
Post here the accept rules you tried and didn’t work. Also mention the source IP, destination IP, source port and destination port you were trying.
August 19, 2010 at 10:24 pm #48659
Below I will post the screenshots of what I tried. I tried this on beta 12, since RADIUS did not work on beta 13 (see my bug post).
My OUTPUT chain is on ACCEPT all the time, since I see no need to secure it (am I right?).
I test this from my LAN to the Zeroshell box, so the connection starts via eth00. I would like it to work both when I’m on the same LAN and also when at someone else’s house, so at a different public IP.
FORWARD chain in accepting mode, internet through PPTP works:
FORWARD chain to DROP. TCP 1723 and GRE destination. No internet:
FORWARD chain to DROP. TCP 1723 and GRE source and the one above this one. Still no internet:
INPUT chain TCP 1723 and GRE destination, combined with the above picture. No internet:
Do I also need to make a virtual server in the router page?
August 21, 2010 at 11:47 am #48660
Your INPUT firewall rules permit traffic destined to the ZS server itself. INPUT rules #3 and #4 are needless as packets will always be matched by rule #1. In the FORWARD chain rules #3-6 are needless as you are describing traffic sourcing from or destined to ZS, which is taken care of at the OUTPUT and INPUT chains.
You should not have any trouble accessing 192.168.8.1 from the LAN.
From the WAN side you will need to port forward from the NATed WAN interface to the internal server, if the server is located in the LAN. This can be done with Virtual Servers. Otherwise, if the server is ZS itself, you’ll have to enable on the firewall the specific type of traffic.
August 22, 2010 at 9:25 am #48661
Thanks for your answer. I thought somewhat the same as what you describe. But still the problem. You tell me that if I connect from the LAN side, my chains are configured correctly if I remove the rules described by you.
If I connect my VPN from the LAN, I have no internet connection anymore when the FORWARD chain is in DROP mode. When I put it to ACCEPT, I have working internet again during my PPTP session.
So my question is how to accomplish that one, with the FORWARD chain in DROP mode.
August 22, 2010 at 4:14 pm #48662
First of all there is no point connecting to a VPN from the LAN. The VPN is meant to connect from the WAN in order to have access to the LAN. So back to the board and think about what you want to achieve, so we can discuss if it can be done.
August 23, 2010 at 7:45 am #48663
I wanted to connect from the LAN, 1st: for testing purposes; the connection works and I don’t see why it does not work with FORWARD on DROP.
2nd: I want to build my LAN so that other people cannot listen in on my PC. Having a tunnel directly to my gateway does that, I think.
I also want to be able to connect from the WAN, 1st: to access my server and documents.
2nd: to route my internet traffic through my home connection when I am at a public wireless internet place, like a railway station.
3rd: I sometimes work with sensitive data that is stored on my LAN; I don’t want that to leave my LAN. With a VPN I can access that data from anywhere.
Thanks for your help so far.
Could you post the firewall rules and in what chain to put them, as I am absolutely not familiar with iptables. If you want, you can post them as text (iptables, sport, dport, etc.).
Below I post a drawing of my network setup.
August 23, 2010 at 12:56 pm #48664
You can achieve that really easily by enabling OpenVPN on ZS. You just open port 1194 on the firewall for the WAN connection. Then you add the networks that will be pushed to the client for the OpenVPN server, or you can assign them on your client configuration. This way if you want to just browse your network, you only add the subnet of your LAN to be injected in your client PC routing table. If you want to redirect all traffic through OpenVPN you add the default route in the client configuration and this way all your traffic goes through the OpenVPN server.
August 23, 2010 at 6:53 pm #48665
Yes, that is possible. I’ve worked with OpenVPN before. The only thing is that with PPTP I can connect from any Windows machine without carrying my USB stick with the OpenVPN client or the certificates.
OpenVPN works great with Zeroshell.
I think I know now why it does not work as I want.
After establishing a PPTP connection, client traffic may not be recognised as coming from ETH00, but from ppp10 (I saw this connection appear with the ifconfig command). The ppp10 adapter does not show in the web interface. So maybe it will work if I write the iptables command-line command for allowing all traffic from ppp10, just like in my allow-all-traffic-from-ETH00 line.
Or do you think that I should look to change the adapter PPTP binds to, to VPN99?
Correct me if this line is wrong please.
iptables -A FORWARD -i ppp10 -j ACCEPT
August 24, 2010 at 6:34 am #48666
The command is correct. However I have never tried the pptp nor DROP as default policy on FORWARD chain to be sure what is wrong. Maybe you are right and it is a firewall issue. Normally with a little test you can verify that.
August 24, 2010 at 4:29 pm #48667
Thanks for your thinking. Now it works to have internet while PPTP-connected from within the LAN. I clicked to add a new FORWARD rule and added in the iptables parameter section the following: -i ppp10. Then I just clicked confirm (and save) and got the following rule:
9 * * ACCEPT all opt -- in ppp10 out * 0.0.0.0/0 -> 0.0.0.0/0
Now it works.
To allow access from the WAN I have added on the INPUT chain TCP port 1723 and the GRE protocol on ETH01. Tomorrow I can test if that works, I hope.
Thanks for your nice and versatile router/firewall software!
March 13, 2014 at 2:54 pm #48668
Just to update the thread, as PPTP is included in 3.0.0: if your default FORWARD policy is DROP, you may need to add inbound and outbound PPP rules.
As per the previous post, in your FORWARD chain, create two new rules (you can use “+” as a wildcard rather than specifying each of the ppp interfaces):
Create a new ACCEPT rule, select routed packets only and set IPTABLES Parameters: -i ppp+
Create a second ACCEPT rule, select routed packets only and set IPTABLES Parameters: -o ppp+
* * ACCEPT all opt -- in ppp+ out * 0.0.0.0/0 -> 0.0.0.0/0 PHYSDEV match ! --physdev-is-bridged
* * ACCEPT all opt -- in * out ppp+ 0.0.0.0/0 -> 0.0.0.0/0 PHYSDEV match ! --physdev-is-bridged
Works a treat.
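As an added example (not from the thread or from Zeroshell), a small first-match shadowing check for rule lists like the ones above: it reproduces the earlier reply's point that narrow PPTP rules (TCP 1723, GRE) placed after an "accept everything in from ETH00" rule can never fire, and it understands the `ppp+` prefix wildcard from the last post. The rule set is constructed to resemble the thread, not copied from anyone's screenshots.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str = "all"      # "all", "tcp", "udp", "gre", ...
    in_if: str = "*"        # "*" = any; "ppp+" matches ppp10, ppp11, ...
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = None       # destination port, tcp/udp only

def iface_covers(general, specific):
    """True if interface spec `general` matches every interface `specific` does."""
    if general == "*":
        return True
    if general.endswith("+"):  # iptables prefix wildcard
        return specific != "*" and specific.startswith(general[:-1])
    return general == specific

def covers(a, b):
    """True if rule `a` matches every packet `b` would match, so `b` can never fire."""
    net = ipaddress.ip_network
    return (a.chain == b.chain and a.proto in ("all", b.proto)
            and iface_covers(a.in_if, b.in_if) and iface_covers(a.out_if, b.out_if)
            and net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))
            and (a.dport is None or a.dport == b.dport))

def find_shadowed(rules):
    """(chain, rule_no, shadowing_rule_no) for rules a prior rule always matches first."""
    found = []
    for chain in dict.fromkeys(r.chain for r in rules):
        seq = [r for r in rules if r.chain == chain]
        for j, later in enumerate(seq):
            by = next((i for i, e in enumerate(seq[:j]) if covers(e, later)), None)
            if by is not None:
                found.append((chain, j + 1, by + 1))
    return found

# Constructed rule set modelled on the thread (not anyone's real screenshots).
SAMPLE_RULES = [
    Rule("INPUT", in_if="ETH00"),                            # accept all in from LAN
    Rule("INPUT", proto="tcp", in_if="ETH01", dport=1723),   # PPTP control from WAN
    Rule("INPUT", proto="tcp", in_if="ETH00", dport=1723),   # dead: #1 covers it
    Rule("INPUT", proto="gre", in_if="ETH00"),               # dead: #1 covers it
    Rule("FORWARD", in_if="ppp+"),
    Rule("FORWARD", out_if="ppp+"),
    Rule("FORWARD", in_if="ppp10"),                          # dead: ppp+ covers it
]
```

Rule numbers in the result are 1-based per chain, the way `iptables -L --line-numbers` shows them, so `("INPUT", 3, 1)` reads "INPUT rule #3 is shadowed by rule #1".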