vpn – firewall rules question

Home Page Forums Network Management Networking vpn – firewall rules question

This topic contains 13 replies, has 0 voices, and was last updated by  vasili 5 years, 5 months ago.

Viewing 15 posts - 1 through 15 (of 15 total)
  • Author
    Posts
  • #41871

    vasili
    Member

    Ok basic iptables question for you guys:

    I have a non-bridged Host – LAN VPN setup.

    Normal interface setup:
    ETH00 – LAN 10.1.8.1/255.255.0.0
    ETH01 – Internet x.x.x.x/27
    VPN99 – 10.1.8.1 client range 10.1.8.10-20

    Firewall chains are set:
    INPUT DROP
    OUTPUT DROP
    FORWARD DROP

    What rules do I need to add to the chains to allow all traffic between client and connected LAN to pass?

    Thanks guys.

    #48655

    ppalias
    Member

    There is something wrong here. ETH00 and VPN99 have the same IP. If you want them to have the same IP you have to bridge them and if you do that the firewall will not interfere with the traffic properly.
    My suggestion is to change the subnet of VPN99 to 10.1.10.1/255.255.255.240 (which provides you with the 10 IPs you want for VPN) and change the FORWARD chain to ACCEPT. You have a router there and you should treat it like a router and not a firewall that blocks everything. Then you can make specific rules of what you want to block from VPN to ETH.

    #48656

    vasili
    Member

    Ok will do. I’ll see what I can come up with. I was able to bridge vpn – eth00 and everything worked ok but I don’t want all the broadcast traffic that this seems to include. I’ll change the subnets are you suggested and will post my results.

    Thanks

    #48657

    Akula
    Member

    I have roughly the same situation as TS.
    i try to make a pptp connection
    eth00 lan 192.168.8.0/24
    eth01 dhcp internet
    vpn99 ??
    i have edited the pptpd.conf with a local ip in my eth00 range.

    i have to use the zeroshell box as a firewall and a router, since its my outside connection.
    i have the input, output, forward chains so that everything from lan can go everywhere and from internet is blocked except for related and established.
    the default policy for input and forward is block.

    now my problem is: (test) connecting from my lan works ok, but no internet or other network resources. When i put the forward chain to accept as default then everything works.
    Can someone tell me what (how) i have to make accept ruels for in the forward chain?
    i tried GRE and tcp port 1723, but i can’t get it to work.
    Does anyone know what i should do?

    #48658

    ppalias
    Member

    Post here the accept rules you tried and didn’t work. Also mention the source IP, destination IP, source port and destination port you were trying.

    #48659

    Akula
    Member

    Below i will post the screenshots of what i tried. i trie this on beta 12, since radius did not work on beta 13, (see my bug post)
    my output chain is on accept all the time, since i see no need to secure it ( am i right?)

    i test this from my lan to the zeroshel box. so the connection starts via eth00. i would like that it would both work when im on the same lan and also when at someone elses house, so at a different public ip.

    Forward chain in accepting mode, internet through pptp works:

    forward chain to drop. tcp 1723 and GRE destination. no internet:

    forward chainto drop. tcp 1723 and GRE source and the one above this one. still no internet:

    input chain tcp 1723 and GRE destination, combined with the above picture. No internet:

    Do i also need to make a virtual server in the router page?

    #48660

    ppalias
    Member

    Your input firewall rules permit traffic destined to the ZS server itself. INPUT rules #3 and #4 are needless as packets will always be matched by rule #1. In FORWARD chain rules #3-6 are needless as you are describing traffic sourcing from or destined to ZS, which is taken care at OUTPUT and INPUT chains.
    You should not have any trouble accessing 192.168.8.1 from the LAN.
    From the wan side you will need to port forward from the NATed WAN interface to the internal server, if the server is located in the LAN. This can be done with Virtual Servers. Otherwise if the server is ZS itself you’ll have to enable on the firewall the specific type of traffic.

    #48661

    Akula
    Member

    Thanx for your answer. i thougd somewhat the same as what u desribe. But still the problem. u tell me that if i connect from the lan side, my chains are configered correct if i remove the rules described by u.

    If i connect my vpn from lan, i have no internet connection anymore when the forward chain is in drop mode. when i put it to accept, i have working internet again during my pptp session.
    So my question is how to accomplish that one. with the forward chain on drop mode.

    #48662

    ppalias
    Member

    First of all there is no point connecting to a vpn from the lan. The vpn is meant to connect from the wan in order to have access to the lan. So back to the board and think about what you want to achieve, so we can discuss if it can be done.

    #48663

    Akula
    Member

    ok .
    I wanted to connect from the LAN 1st: for testing purpose, the connection works and i dont see why it does not work with forward on drop.
    2nd:, i want to build my lan so that other people can not listen in on my pc. to have a tunnel directly to my gateway does that i think.
    I want also to be able to connect from the WAN 1st to acces my server and documents
    2nd: to route my internet trafic through my home connection when i am at a public wireless internet place, like a railway station.
    3rd: I sometimes work with sensitive data that is stored at my LAN, i dont want that to leave my LAN. With a vpn i can acces that data from anywhere.

    Thanks for your help so far.
    Could u post the firewall rules and in what chain to put them, as i am absolutely not familiar with iptables. if u want, u can post them as text (iptables, sport, dport, etc.)
    Below i post a drawing of my network setup.

    #48664

    ppalias
    Member

    You can achieve that really easily by enabling OpenVPN on ZS. You just open port 1194 on the firewall for the WAN connection. Then you add the networks that will be pushed to the client for the OpenVPN server, or you can assign them on your client configuration. This way if you want to just browse your network, you only add the subnet of your LAN to be injected in your client PC routing table. If you want to redirect all traffic through OpenVPN you add the default route in the client configuration and this way all your traffic goes through OpenVPN server.

    #48665

    Akula
    Member

    Yes that ia possible. i’ve worked with openvpn before. the only thing is that with pptp i can connect from any windows machine without carrying my usb-stick with the openvpn-client or the certificates.
    Openvpn works great with zeroshell.
    i think i know now why is does not work as i want.
    after establishing a pptp connection client traffic may not be recognised as coming from ETH00, but from ppp10, (i saw this connection appear with the ifconfig command). The ppp10 adapter does not show in the web-interface. So maybe it will work if i wrote the iptabels commandline command for allowing all traffic from ppp10, just like in my allow all traffic from ETH00 line.
    Or do u think that i should look to change the adapter pptp binds to vpn99?

    correct me if this line is wrong please.

    iptables -A FORWARD -i ppp10 -j ACCEPT

    #48666

    ppalias
    Member

    The command is correct. However I have never tried the pptp nor DROP as default policy on FORWARD chain to be sure what is wrong. Maybe you are right and it is a firewall issue. Normally with a little test you can verify that.

    #48667

    Akula
    Member

    Thanks for ur thinkwork. now it works to have internet while pptp connected from within the lan. I clicked to add a new forward rule and added in the iptabels parameter section the following: -i ppp10. Then just clicked confirm (and save) and got the following rule:
    9 * * ACCEPT all opt — in ppp10 out * 0.0.0.0/0 -> 0.0.0.0/0
    now it works.
    To allow acces from the wan i have added on input chain tcp port 1723 and the GRE protocol on ETH01. Tomorrow i can test if that works i hope.
    Thanks for your nice and versatile router/firewall software!

    #48668

    prowebuk
    Participant

    Just to update the thread as PPTP is include in 3.0.0, if your default FORWARD policy is DROP, you may need to add inbound and outbound PPP rules.

    As per the previous post, in your FORWARD chain, create two new rules (you can use “+” as a wild card rather than specifying each of the ppp interfaces)

    Create a new ACCEPT rule, select routed packets only and set IPTABLES Parameters: -i ppp+
    Create a second ACCEPT rule, select routed packets only and set IPTABLES Parameters: -o ppp+

    * * ACCEPT all opt — in ppp+ out * 0.0.0.0/0 -> 0.0.0.0/0 PHYSDEV match ! –physdev-is-bridged
    * * ACCEPT all opt — in * out ppp+ 0.0.0.0/0 -> 0.0.0.0/0 PHYSDEV match ! –physdev-is-bridged

    Works a treat.

Viewing 15 posts - 1 through 15 (of 15 total)

You must be logged in to reply to this topic.