All of this so far looks like it should work. You might want to try the
following rules, however. Where you've used:
> $IPTABLES -A FORWARD -d 10.128.0.10 -j my_log
> $IPTABLES -A INPUT -d 10.128.0.10 -j my_log
> $IPTABLES -A OUTPUT -d 10.128.0.10 -j my_log
exchange them for:
$IPTABLES -A FORWARD -i tun0 -j my_log
$IPTABLES -A INPUT -i tun0 -j my_log
$IPTABLES -A OUTPUT -o tun0 -j my_log
This should blanket-trap everything that's hitting tun0 (or use tun+ if you
want to be even less specific).
The only extra firewall rule I needed to allow all traffic in and out was:
$IPTABLES -t filter -I FORWARD -i $TUN_IFACE -j ACCEPT
I've since locked that down to only the ports I want to allow.
Terry.
Jochen Witte wrote:
> On Thu, 20 Jan 2005 15:17:22 +0100, Mathias Sundman wrote:
> > On Thu, 20 Jan 2005, Jochen Witte wrote:
> > If you would have seen it on some other interface, like ppp0, then it
> > would have been a routing problem.
> Hm, I do not agree. I log all traffic to example host 10.128.0.10 with:
> # Log-Chain
> ###########
> $IPTABLES -N my_log
> $IPTABLES -A my_log -p ICMP -j LOG --log-level info --log-prefix "LOG-ICMP "
> $IPTABLES -A my_log -p UDP -j LOG --log-level info --log-prefix "LOG-UDP "
> $IPTABLES -A my_log -p TCP -j LOG --log-level info --log-prefix "LOG-TCP "
> This is one of the first things I do in my script.
> I can see packets when sending from the GW:
> Jan 20 15:55:48 <host> kernel: LOG-ICMP IN= OUT=tun0 SRC=10.129.0.2
> DST=10.128.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=51242 SEQ=0
> But nothing happens when sending from the inside host.
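Added example, not part of the thread above and not the list's or the OpenVPN project's code: a small POSIX shell script that classifies netfilter LOG lines such as the one Jochen posted by their IN=/OUT= fields. The kernel fills IN= with the receiving interface and OUT= with the sending one, so a line with an empty IN= and OUT=tun0 is a packet generated on the gateway itself (OUTPUT chain), while a packet from an inside host that is actually being routed out over the tunnel shows both fields set (FORWARD chain). The sample lines are constructed: the first mirrors the thread's line with the hostname replaced by "gw", the second is an assumed forwarded packet (eth0 and 192.0.2.5 are placeholders, not values from the thread).

```shell
#!/bin/sh
# Added example, not from the thread: classify netfilter LOG lines by their
# IN=/OUT= fields.
#   IN= empty, OUT= set   -> locally generated packet (seen by the OUTPUT chain)
#   IN= set,   OUT= empty -> locally delivered packet (seen by the INPUT chain)
#   IN= set,   OUT= set   -> routed through this host (seen by the FORWARD chain)

# Print the value of KEY= in a LOG line (empty if the field is empty or absent).
log_field() {
    # $1 = log line, $2 = key (e.g. IN, OUT, SRC, DST)
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print which path the logged packet took: output, input, forward or unknown.
log_path() {
    iface_in=$(log_field "$1" IN)
    iface_out=$(log_field "$1" OUT)
    if [ -z "$iface_in" ] && [ -n "$iface_out" ]; then
        echo output
    elif [ -n "$iface_in" ] && [ -z "$iface_out" ]; then
        echo input
    elif [ -n "$iface_in" ] && [ -n "$iface_out" ]; then
        echo forward
    else
        echo unknown
    fi
}

# Read LOG lines on stdin and print one line per packet:
# path, ingress interface, egress interface, source and destination
# ("-" stands for an empty interface field).
summarize_paths() {
    while IFS= read -r line; do
        iface_in=$(log_field "$line" IN)
        iface_out=$(log_field "$line" OUT)
        printf '%s in=%s out=%s %s -> %s\n' "$(log_path "$line")" \
            "${iface_in:--}" "${iface_out:--}" \
            "$(log_field "$line" SRC)" "$(log_field "$line" DST)"
    done
}

# Constructed sample: the line from the thread (ping sent from the gateway
# itself; hostname "gw" is an assumption).
GW_LINE='Jan 20 15:55:48 gw kernel: LOG-ICMP IN= OUT=tun0 SRC=10.129.0.2 DST=10.128.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51242 SEQ=0'
# Constructed sample: what a packet from an inside host would look like when
# the gateway really forwards it over tun0 (eth0 and 192.0.2.5 are assumptions).
FWD_LINE='Jan 20 15:56:02 gw kernel: LOG-ICMP IN=eth0 OUT=tun0 SRC=192.0.2.5 DST=10.128.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=0'

printf '%s\n%s\n' "$GW_LINE" "$FWD_LINE" | summarize_paths
```

Feeding `grep LOG- /var/log/kern.log` (or wherever the kernel logs land) into `summarize_paths` shows at a glance whether the inside host's packets ever reach the gateway as forwarded traffic: if only "output" lines appear, the packets are never arriving on the gateway's inside interface, and the problem is on the client side or the inside network rather than in the tunnel.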
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users