The ones you list won't help as traffic on the 10.0.0.0 subnet is only
going to be seen on the internal interface of your firewall and on the
tun adaptor (usually tun0). If the VPN connection is being established
correctly, then you shouldn't need to add any new rules for eth1 or eth0.

Try these more simple ones to start with:

  iptables -A INPUT -i tun0 -j ACCEPT
  iptables -A OUTPUT -o tun0 -j ACCEPT
  iptables -A FORWARD -i tun0 -j ACCEPT

This allows all traffic into and out of your firewall on the tun adaptor.
Given that any traffic on this adaptor is already authenticated and
encrypted, it should be too much of a security hole, temporarily. If this
works, then you can start adding specific IP addresses and port numbers in
order to nail it down.

Also worth noting here is that INPUT and OUTPUT respectively only deal
with traffic destined for or originating from the firewall machine
itself. If you don't want your clients connecting or talking to the
firewall machine over the VPN, you should be able to remove the first two
rules I've listed to leave you with just the FORWARD one.

Here's a good overview of which chains do what in iptables/netfilter:
http://www.shorewall.net/NetfilterOverview.html

HTH.

Terry.

Emmanuel Polet wrote:
> I'm not quite sure what iptables rules to add...
>
> iptables -A OUTPUT -s 10.3.0.2 -o eth1 -p udp -m udp --dport 137:138 -j ACCEPT

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
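As an added illustration of the chain behaviour Terry describes (example code, not from the thread or from OpenVPN), this small model decides which netfilter chain a packet traverses and checks it against his broad tun0 rules and a nailed-down version. The firewall addresses and interface names are constructed; the 10.3.0.2 host and the 137:138 UDP range come from the quoted rule.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed addresses owned by the firewall itself (example values).
FIREWALL_ADDRS = {"10.3.0.1", "192.168.1.1"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: Optional[str] = None   # None: generated by the firewall itself
    out_if: Optional[str] = None  # None: delivered to the firewall itself
    proto: str = "udp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:  # the iptables match options used in the thread; all ACCEPT
    chain: str
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o
    src: Optional[str] = None      # -s (single host)
    proto: Optional[str] = None    # -p
    dports: Optional[range] = None # --dport a:b

def chain_for(pkt: Packet) -> str:
    # INPUT/OUTPUT only see traffic to/from the firewall box itself;
    # everything routed through it traverses FORWARD.
    if pkt.dst in FIREWALL_ADDRS:
        return "INPUT"
    if pkt.src in FIREWALL_ADDRS:
        return "OUTPUT"
    return "FORWARD"

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if)
            and (rule.src is None or rule.src == pkt.src)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dports is None or pkt.dport in rule.dports))

def verdict(rules, pkt: Packet, policy: str = "DROP") -> str:
    # First matching ACCEPT rule in the packet's chain wins, else policy.
    chain = chain_for(pkt)
    return "ACCEPT" if any(r.chain == chain and matches(r, pkt)
                           for r in rules) else policy

# Terry's permissive starting point: accept everything on tun0.
BROAD = [Rule("INPUT", in_if="tun0"), Rule("OUTPUT", out_if="tun0"),
         Rule("FORWARD", in_if="tun0")]
# Nailed down: only the client's NetBIOS datagrams are forwarded.
NARROW = [Rule("FORWARD", in_if="tun0", src="10.3.0.2", proto="udp",
               dports=range(137, 139))]
```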