Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Openvpn nat and iptables
Special Forums Cybersecurity Openvpn nat and iptables Post 302985097 by end on Friday 4th of November 2016 07:21:18 PM
Old 11-04-2016
Openvpn nat and iptables
good day good people

hi

first to tell that firewall and vpn is working as expected, but I notice something strange.

I have host system 11.11.11.11(local ip) firewall is blocking everything except port to vpn.
I have vpn on virtualized system 22.22.22.22 (CentOS both host and virtual). They are behind MikroTik router and then to my ISP router. This is a home setup I'm just experimenting.

PREROUTING 11.11.11.11:1194 to 22.22.22.22:1194 all other is blocked by iptables.
POSTROUTING 22.22.22.22 to 11.11.11.11

I noticed with Wireshark from host 11.11.11.11 that while I'm connected to vpn from another pc that 11.11.11.11 is connecting to ip addresses of websites I visit while in same time is connected to vpn. like:

11.11.11.11 XX.XX.XX public ip
11.11.11.11 tcp udp sites i visit

but 11.11.11.11 is unnecessarily making connections to website ip addresses. She cannot make the reqests because DNS and ports for that are blocked. So this is because postrouting command my best guess. Can this somehow be disabled? First this is a security issue, second its unnecessary.

Someone told me that this is because NAT setup. but I believe that this can be disabled somehow, I didn't find solution yet so maybe someone know how.

thanks


Moderator's Comments:
Mod Comment We had to correct a lot of spelling errors. Please put more effort into using proper english
Last edited by Scrutinizer; 11-05-2016 at 04:48 AM.. Reason: Spelling
 

10 More Discussions You Might Find Interesting

1. IP Networking

Iptables/TC: how to make masqueraded traffic go through an openVPN tun0?

Hi all! We have a setup of three computers; Machine A (eth0) -> Machine B (eth0, hso0, tun0) -> Machine C (eth0, tun0) hso0 is the packet interface of a 3G modem, it behaves like a normal network interface. Machine B and C are connected in a VPN using openVPN (TCP). Machine A is a... (2 Replies)
Discussion started by: theVOID
2 Replies

2. UNIX for Advanced & Expert Users

iptables internal NAT with two public IP

Hello Guys, I have a debian machine that work as a firewall (iptables + squid 2.6) with two physical interfaces: eth0 (public interface) and eth1 (internal interface LAN). I have created an alias eth1:1 in order to have two subnets on same physical interface: cat/etc/network/interfaces auto... (0 Replies)
Discussion started by: sincity2006
0 Replies

3. Debian

Iptables Nat forward port 29070

Hello, the Nat and the forward worked on my debian server up to the reboot of machines. The following rules*: /sbin/iptables -t nat -A PREROUTING -p tcp -i eth2 -d xxx.xxx.xxx.xxx --dport 29070 -j DNAT --to-destination 10.0.1.7:29070 /sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 -d... (0 Replies)
Discussion started by: titoms
0 Replies

4. IP Networking

iptables NAT prerouting & postrouting

Good morning, I'm a newbie of iptables and as far as I've seen on tutorials on the Internet it seems that both prerouting and postrouting NAT chains are undergone both by a packet that goes from an internal LAN to the Internet and of a one that goes in the opposite direction (from the Internet to... (0 Replies)
Discussion started by: giac85
0 Replies

5. Red Hat

NAT Loopback and iptables

Hello, please can you help and explain me. I have two servers. Both are RHEL6. I use the first one like router and the second one for apache. Router forwards 80 port on the second server and I can open that from the internet (mysite.com, for example). But I can not open mysite.com if i try to... (0 Replies)
Discussion started by: 6765656755
0 Replies

6. Cybersecurity

iptables in a NAT scenario

Hi, I am learning IPTables have this question. My server is behind a firewall that does a PAT & NAT to the LAN address. Internet IP: 68.1.1.23 Port: 10022 Server LAN IP: 10.1.1.23 port: 22 Allowed Internet IPs: 131.1.1.23, 132.1.1.23 I want to allow a set of IPs are to be able to... (1 Reply)
Discussion started by: capri_guy84
1 Replies

7. IP Networking

Nat and packet limits with iptables

Hi all, I have a following situation: - I want certain source IPs to be natted to a different destination IP and Port. Following is how I am achieving it: /usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12 --dport 1500 -j DNAT --to-destination 192.168.10.20:2000 ... (3 Replies)
Discussion started by: ahmerin
3 Replies

8. UNIX for Dummies Questions & Answers

iptables for openvpn

Hey all, I'm trying to get openvpn working on DD-WRT router. I can make a connection inside my lan, but outside the connection is yellow. I think yellow means it is close to making a connection, but it never completes the connection. So I believe there is a problem with my iptables since it... (0 Replies)
Discussion started by: sdnix
0 Replies

9. IP Networking

NAT via iptables - Won't work!!

Hi guys I'm running on debian on a small embedded system. I have a ppp interface that is connected to the internet (and works). My unit also has wifi access point (which works and I can connect to it). I want to allow connections to the wifi to be able to use the internet from ppp0... (1 Reply)
Discussion started by: alirezan1
1 Replies

10. Solaris

OpenVPN and NAT

Hi. I am attempting to set up an OpenVPN server on my Solaris 11 box by following all the Linux guides. Thus far I have a working VPN that I can connect to and ssh onto my VPN server over which is great but not what I require long term. I would like to route all VPN client requests for addresses... (0 Replies)
Discussion started by: nickb1976
0 Replies

LEARN ABOUT DEBIAN

secvpn

SECVPN(1)						      General Commands Manual							 SECVPN(1)

NAME

       secvpn - Control the Secure Virtual Private Network

SYNOPSIS

       secvpn [-v][-n][-s][-r] start|stop|routedel|routeadd|test|status [Host]

DESCRIPTION

       Secvpn builds a virtual private network (vpn) as defined in /etc/network/secvpn.conf. The vpn uses encryption based on ssh security.

       Before secvpn can be used you have to create some prerequisites.  See PREREQUISITES below.

       The following subcommands may be used with secvpn:

       start  is  used	to start the vpn. Secvpn will add new ppp interfaces necessary to make the vpn work, but will not automatically add routes
	      (see the routeadd option below). If the recursive option is set, secvpn will log into the passive hosts and run "secvpn -r start" on
	      them too.

       stop   is used to stop the vpn.

       routeadd
	      is  used	to  setup new routing entries based on secvpn.conf. Secvpn will first add the route active->passive, then tell the passive
	      host to add the route back.  The route in the passive host will be added according to the configuration file there (in  the  passive
	      host), so if the configuration files differ, things will not work.

       routedel
	      will delete the routing entries built with routeadd.

       test   checks whether the ppp interface is used to reach O_CRYPT_IP.

       status same as test, but checks all vpns if no host is named (instead of only active vpns as 'test' does).

OPTIONS

       -v     verbose output

       -n     do nothing

       -s     be silent

       -r     work recursive

PREREQUISITES

       Before  secvpn  can  be used you have to enable passwordless ssh access for user "secvpn" from the initiator secvpn pc to the target secvpn
       pc. Use authorized_ keys or RhostsRSAAuthentication with the .shosts file. Have a look to the ssh - manpages for more information.

       Before secvpn can be used you have to give root rights for specific commands to the user "secvpn". This can be done with the followin  com-
       mand:

	       echo "secvpn  ALL=NOPASSWD: /usr/sbin/secvpn, /usr/sbin/pppd" >>/etc/sudoers

       Before secvpn can be used you have to edit /etc/secvon.conf. See secvpn.conf(4).

EXAMPLES

       There are 3 examples in /usr/share/doc/secvpn/examples:

       Example1: secvpn acts as router connection 2 subnets

       Example2: secvpn having one lan-card and connect 2 subnets

       Example3: secvpn having one lan-card and connect 11 subnets in a tree structure

OTHER

       To  have  real  security  it  is  necessary to secure each secvpn host and to have firewalls on each secvpn host allowing only selected IP-
       Adresses and Ports to pass through the VPN.

AUTHOR

       Bernd Schumacher, HP Consulting, HEWLETT-PACKARD GmbH, Bad Homburg, 2000-2005

COPYRIGHT

       Copyright: Most recent version of the GPL.

       On Debian GNU/Linux systems, the complete text of the GNU General Public License can be found in "/usr/share/common-licenses/GPL".

SEE ALSO

       secvpn(1) secvpnmon(1) ssh(1) timeout(1) secvpn.conf(4)

secvpn								    August 2000 							 SECVPN(1)
All times are GMT -4. The time now is 01:57 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy