Re: [Openvpn-users] Map network drives


  • Subject: Re: [Openvpn-users] Map network drives
  • From: Emmanuel Polet <e.polet@xxxxxxxxxx>
  • Date: Thu, 04 Nov 2004 09:54:13 +0100

Well, I actually already added these rule sets :)
However, I have added this other rule: "-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT" in the "ipchains" file, and now it works !! I can map network drives and everything ! This is all due to this weird syntax in the Fedora iptables conf file...

Anyway.
I have however one problem left: I have 3 servers on my LAN, one WinNT, one Win2000 and a samba (on RedHat 8.0). My LAN is managed by a domain controller, i.e. the WinNT box. The 2000 is in stand-alone mode; I can map drives on the samba and NT, but 2000 simply replies that my password is wrong (while it is not ;))... It is obviously a problem of rights. However I cannot install Active Directory on my 2000 as it wouldn't integrate in my NT domain (or would it?). Would anyone know of any workaround?

Thanks again everyone for your great help !!

Emmanuel

Terry Dooher wrote:
The ones you list won't help, as traffic on the 10.0.0.0 subnet is only going to be seen on the internal interface of your firewall and on the tun adaptor (usually tun0).

If the VPN connection is being established correctly, then you shouldn't need to add any new rules for eth1 or eth0.

Try these more simple ones to start with:

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

This allows all traffic into and out of your firewall on the tun adaptor. Given that any traffic on this adaptor is already authenticated and encrypted, it shouldn't be too much of a security hole, temporarily. If this works, then you can start adding specific IP addresses and port numbers in order to nail it down.

Also worth noting here is that INPUT and OUTPUT respectively only deal with traffic destined for or originating from the firewall machine itself.

If you don't want your clients connecting or talking to the firewall machine over the VPN, you should be able to remove the first two rules I've listed to leave you with just the FORWARD one.

Here's a good overview of which chains do what in iptables/netfilter:

http://www.shorewall.net/NetfilterOverview.html

HTH.

Terry.

Emmanuel Polet wrote:
I'm not quite sure what iptables rules to add...
Would this do:
iptables -A INPUT -s 10.3.0.2 -i eth0 -p udp -m udp --dport 137:138 -j ACCEPT

iptables -A OUTPUT -s 10.3.0.2 -o eth1 -p udp -m udp --dport 137:138 -j ACCEPT

etc. ?

Would that be enough?




--
Emmanuel Polet
IT Manager
SEI
e.polet@xxxxxxxxxx
Tel. : 04 74 99 06 62
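The "nail it down" step Terry describes above, as an added example that is not from anyone in this thread: instead of the blanket "-i tun+ -j ACCEPT", FORWARD only SMB from the VPN subnet to the file servers and drop everything else arriving over the tunnel. The subnet, internal interface and server addresses are assumed placeholders; the commands are printed rather than executed so the rule set can be reviewed before applying it.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values (adjust to your network):
VPN_IF="tun+"                            # all OpenVPN tun adaptors, as in the thread
VPN_NET="10.3.0.0/24"                    # assumed VPN client subnet (10.3.0.2 appears above)
LAN_IF="eth1"                            # assumed internal interface of the firewall
FILE_SERVERS="192.168.1.10 192.168.1.11" # assumed NT and Samba server addresses
SMB_TCP="139,445"                        # NetBIOS session service and direct-hosted SMB
SMB_UDP="137,138"                        # NetBIOS name and datagram service (from the thread)

# Emit the iptables commands instead of running them, so the rule set can be
# read (and diffed against the running one) first; apply with:  vpn_rules | sh
vpn_rules() {
    # Return traffic for connections the firewall has already seen.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections from VPN clients: only SMB, only to the listed servers.
    for srv in $FILE_SERVERS; do
        echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $srv -p tcp -m multiport --dports $SMB_TCP -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $srv -p udp -m multiport --dports $SMB_UDP -j ACCEPT"
    done
    # Anything else coming in over the tunnel is logged (rate-limited), then dropped.
    echo "iptables -A FORWARD -i $VPN_IF -m limit --limit 5/min -j LOG --log-prefix \"vpn-fwd-drop: \""
    echo "iptables -A FORWARD -i $VPN_IF -j DROP"
}

# Number of rules the set contains (handy as a sanity check before applying).
rule_count() { vpn_rules | wc -l | tr -d ' '; }
```

If you also want the clients to reach the firewall itself (Emmanuel's RH-Firewall-1-INPUT case), the same narrowing applies to that chain; otherwise the FORWARD rules alone are enough, as Terry notes.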
