On Tuesday 13 March 2007 18:34:40 Jeff Boyce wrote:

> Also after seeing the iptables output I looked at the file
> /etc/sysconfig/iptables and I have posted it also.

Good call.

> I generally set or
> change my firewall security settings using either the Gnome GUI or through
> Webmin. The /etc/sysconfig/iptables file reflects what is shown in both of
> these GUIs. (Why is the output of iptables -n -L different?). Hosts allow
> and deny are both blank. See below.
>
> [root@Bison root]# iptables -n -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

My suggestion was incomplete; I should have directed you to use "iptables -L -n -v" in order to show additional information like this:

Chain RH-Firewall-1-INPUT (2 references)
 p b target     prot opt in     out     source               destination
 0 0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 0 0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
 0 0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
 0 0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 0 0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 0 0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 0 0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

but this is not really necessary: the information below tells us that the first three ACCEPTs above are for the lo, eth0 and tun0 interfaces.

> /etc/sysconfig/iptables
> # Firewall configuration written by redhat-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
> -A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT

The above firewall configuration should allow all traffic through tun0, but you probably want to use "tun+" instead as that covers all tun interfaces.

Since you get "administratively prohibited" I think you're hitting the bottom of the RH-Firewall-1 chain. As you guessed, tcp_wrappers has no bearing on the matter.

Overall, however, if the "netstat -rn" output matches the firewall, the problem must lie somewhere else, because the interface was tun0 and that should have been allowed by the above firewall rules.

I suggest you use "tun+" when specifying trusted interfaces, verify with "iptables -L -n -v" that the expected rules are in effect, start the OpenVPN tunnel and try the connection again.

Hope this helps,
Davide Bolcioni
--
http://eleganceofreason.blogspot.com

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
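The rule walk Davide describes (first match in RH-Firewall-1-INPUT wins, the trailing REJECT producing the "administratively prohibited" ICMP, and "tun+" matching every tun device), as an added example that is not part of the thread: a small evaluator for the iptables-save format, run over a constructed subset of the posted file. It models only the matches that file uses (-i, -p, --dport, --state); chain policies are not parsed, so falling off the end of INPUT is reported as ACCEPT because the posted file sets ":INPUT ACCEPT".

```python
"""Walk one packet through iptables-save rules (added example, constructed; not
code from the post). Shows which rule of the posted RH-Firewall-1-INPUT chain
fires and why "-i tun0" misses a second tunnel (tun1) while "-i tun+" covers all
tun devices. Only the matches the file uses are modelled: -i, -p, --dport, --state."""
import shlex

# Constructed subset of the posted file (esp/ah lines omitted); INPUT policy is ACCEPT.
RULES = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse(text):
    """Return {chain: [rule dicts]} in file order; option keys lose their dashes."""
    chains = {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] == "-A":                # "-A CHAIN -opt value ..."
            opts = zip(tok[2::2], tok[3::2])      # every option used here takes one value
            chains.setdefault(tok[1], []).append({k.lstrip("-"): v for k, v in opts})
    return chains

def iface_match(pattern, iface):
    """iptables -i semantics: a trailing '+' is a prefix wildcard, else exact name."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern

def matches(rule, pkt):
    return (("i" not in rule or iface_match(rule["i"], pkt["iface"]))
            and ("p" not in rule or rule["p"] == pkt["proto"])
            and ("dport" not in rule or rule["dport"] == str(pkt["dport"]))
            and ("state" not in rule or pkt["state"] in rule["state"].split(",")))

def walk(chains, chain, pkt):
    """First matching terminal target wins; None means the chain ran out."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        if rule["j"] in ("ACCEPT", "DROP", "REJECT"):
            return (rule["j"] + " " + rule.get("reject-with", "")).strip()
        verdict = walk(chains, rule["j"], pkt)    # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def verdict(rules_text, iface, proto, state, dport=None):
    pkt = {"iface": iface, "proto": proto, "state": state, "dport": dport}
    return walk(parse(rules_text), "INPUT", pkt) or "ACCEPT (INPUT policy)"
```

Try `verdict(RULES, "tun1", "tcp", "NEW", 445)` against `verdict(RULES.replace("-i tun0", "-i tun+"), "tun1", "tcp", "NEW", 445)`: the first falls through to the REJECT, the second is accepted by the interface rule.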