Special Forums Cybersecurity Openvpn nat and iptables Post 302985097 by end on Friday 4th of November 2016 07:21:18 PM
Openvpn nat and iptables

good day good people

hi

First, the firewall and VPN are working as expected, but I noticed something strange.

I have a host system 11.11.11.11 (local IP); the firewall is blocking everything except the VPN port.
I have the VPN on a virtualized system 22.22.22.22 (CentOS on both host and virtual). They are behind a MikroTik router and then my ISP router. This is a home setup; I'm just experimenting.

PREROUTING 11.11.11.11:1194 to 22.22.22.22:1194; everything else is blocked by iptables.
POSTROUTING 22.22.22.22 to 11.11.11.11

I noticed with Wireshark on host 11.11.11.11 that, while I'm connected to the VPN from another PC, 11.11.11.11 is connecting to the IP addresses of websites I visit while at the same time it is connected to the VPN. Like:

11.11.11.11 -> XX.XX.XX.XX (public IP)
11.11.11.11 -> TCP/UDP to the sites I visit

But 11.11.11.11 is unnecessarily making connections to website IP addresses. It cannot make the requests because DNS and the ports for that are blocked. So this is because of the POSTROUTING command, my best guess. Can this somehow be disabled? First, this is a security issue; second, it's unnecessary.

Someone told me that this is because of the NAT setup, but I believe that this can be disabled somehow. I didn't find a solution yet, so maybe someone knows how.

thanks


Moderator's Comments:
Mod Comment: We had to correct a lot of spelling errors. Please put more effort into using proper English.

Last edited by Scrutinizer; 11-05-2016 at 04:48 AM.. Reason: Spelling
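The capture the post describes is what source NAT produces: the POSTROUTING rule rewrites every packet leaving 22.22.22.22 so that it carries 11.11.11.11 as its source, and the kernel's connection tracking reverses that on the reply path. The following Python model is an added example, not code from the post or from any reply; it reproduces the two rules with the post's placeholder addresses and returns the (source, destination, port) triples a capture on the host would show. The client and website addresses, the class and function names, and the port numbers other than 1194 are constructed for the example.

```python
"""Toy model of the two netfilter NAT rules the post describes (added example,
not code from the post or any reply). A DNAT in PREROUTING steers packets for
HOST:1194 to GUEST:1194 and an SNAT in POSTROUTING rewrites packets leaving
GUEST so that they carry HOST's address. A conntrack-style table reverses both
translations on the reply path. HOST and GUEST are the post's placeholders;
client and web-site addresses are constructed for the example."""
from dataclasses import dataclass, replace

HOST = "11.11.11.11"     # firewall host, from the post
GUEST = "22.22.22.22"    # virtualised OpenVPN server, from the post
VPN_PORT = 1194


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """PREROUTING DNAT + POSTROUTING SNAT with a reverse map, like nf_conntrack."""

    def __init__(self):
        self.prerouting = {}    # (proto, dst, dport) -> (new_dst, new_dport)
        self.postrouting = {}   # src -> new_src
        self.conntrack = {}     # reply 5-tuple -> packet as it was before translation

    def add_dnat(self, proto, dst, dport, to_dst, to_dport):
        self.prerouting[(proto, dst, dport)] = (to_dst, to_dport)

    def add_snat(self, src, to_src):
        self.postrouting[src] = to_src

    def forward(self, pkt):
        """Translate a packet that traverses the host (PREROUTING, then POSTROUTING)."""
        original = pkt
        hit = self.prerouting.get((pkt.proto, pkt.dst, pkt.dport))
        if hit:
            pkt = replace(pkt, dst=hit[0], dport=hit[1])
        if pkt.src in self.postrouting:
            pkt = replace(pkt, src=self.postrouting[pkt.src])
        # Remember what the reply to this translated packet will look like, keyed on its 5-tuple.
        self.conntrack[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
        return pkt

    def reply(self, pkt):
        """Undo the translation for a packet flowing back; packets without state pass untouched."""
        original = self.conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return pkt
        return Packet(pkt.proto, original.dst, original.dport, original.src, original.sport)


def build_post_nat():
    """The two rules from the post: DNAT HOST:1194 -> GUEST:1194 and SNAT GUEST -> HOST."""
    nat = NatTable()
    nat.add_dnat("udp", HOST, VPN_PORT, GUEST, VPN_PORT)
    nat.add_snat(GUEST, HOST)
    return nat


def capture_on_host(nat, client="203.0.113.5", website="198.51.100.7"):
    """Replay a VPN handshake and one web flow; return (src, dst, dport) as seen on the host after NAT."""
    seen = []
    hello = nat.forward(Packet("udp", client, 40000, HOST, VPN_PORT))   # DNAT: delivered to the guest
    seen.append((hello.src, hello.dst, hello.dport))
    back = nat.reply(Packet("udp", GUEST, VPN_PORT, client, 40000))     # un-DNAT: client still sees HOST:1194
    seen.append((back.src, back.dst, back.dport))
    web = nat.forward(Packet("tcp", GUEST, 51000, website, 443))        # SNAT: leaves the host as HOST
    seen.append((web.src, web.dst, web.dport))
    ret = nat.reply(Packet("tcp", website, 443, HOST, 51000))           # un-SNAT: handed back to the guest
    seen.append((ret.src, ret.dst, ret.dport))
    return seen


if __name__ == "__main__":
    for src, dst, dport in capture_on_host(build_post_nat()):
        print(f"{src:>15} -> {dst}:{dport}")
```

The third triple is the line Wireshark shows on the host: the web site only ever sees 11.11.11.11, because the SNAT rule replaced the guest's address. Dropping the POSTROUTING rule makes the packet leave with 22.22.22.22 as its source, so the MikroTik (or whatever sits upstream) must then have a route back to the guest or the replies never arrive; that is the trade-off behind "can this be disabled". On the real box the same translations are visible with `iptables -t nat -L POSTROUTING -v -n` (rule hit counters) and `conntrack -L` (the live reverse map).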
 

SHOREWALL-HOSTS(5)                                            SHOREWALL-HOSTS(5)

NAME
       hosts - Shorewall file

SYNOPSIS
       /etc/shorewall/hosts

DESCRIPTION
       This file is used to define zones in terms of subnets and/or individual
       IP addresses. Most simple setups don't need to (should not) place
       anything in this file.

       The order of entries in this file is not significant in determining
       zone composition. Rather, the order that the zones are declared in
       shorewall-zones[1](5) determines the order in which the records in this
       file are interpreted.

       Warning
           The only time that you need this file is when you have more than
           one zone connected through a single interface.

       Warning
           If you have an entry for a zone and interface in
           shorewall-interfaces[2](5) then do not include any entries in this
           file for that same (zone, interface) pair.

       The columns in the file are as follows.

       ZONE - zone-name
           The name of a zone declared in shorewall-zones[1](5). You may not
           list the firewall zone in this column.

       HOST(S) - interface:{[{address-or-range[,address-or-range]...|+ipset|dynamic}[exclusion]
           The name of an interface defined in the shorewall-interfaces[2](5)
           file followed by a colon (":") and a comma-separated list whose
           elements are either:

           1. The IP address of a host.

           2. A network in CIDR format.

           3. An IP address range of the form low.address-high.address. Your
              kernel and iptables must have iprange match support.

           4. The name of an ipset.

           5. The word dynamic which makes the zone dynamic in that you can
              use the shorewall add and shorewall delete commands to change
              the composition of the zone.

           You may also exclude certain hosts through use of an exclusion
           (see shorewall-exclusion[3](5)).

       OPTIONS (Optional) - [option[,option]...]
           A comma-separated list of options from the following list. The
           order in which you list the options is not significant but the
           list must have no embedded white space.

           blacklist
               Check packets arriving on this port against the
               shorewall-blacklist[4](5) file.

           broadcast
               Used when you want to include limited broadcasts (destination
               IP address 255.255.255.255) from the firewall to this zone.
               Only necessary when:

               1. The network specified in the HOST(S) column does not
                  include 255.255.255.255.

               2. The zone does not have an entry for this interface in
                  shorewall-interfaces[2](5).

           destonly
               Normally used with the Multi-cast IP address range
               (224.0.0.0/4). Specifies that traffic will be sent to the
               specified net(s) but that no traffic will be received from the
               net(s).

           ipsec
               The zone is accessed via a kernel 2.6 ipsec SA. Note that if
               the zone named in the ZONE column is specified as an IPSEC zone
               in the shorewall-zones[1](5) file then you do NOT need to
               specify the 'ipsec' option here.

           maclist
               Connection requests from these hosts are compared against the
               contents of shorewall-maclist[5](5). If this option is
               specified, the interface must be an ethernet NIC or equivalent
               and must be up before Shorewall is started.

           mss=mss
               Added in Shorewall 4.5.2. When present, causes the TCP mss for
               new connections to/from the hosts given in the HOST(S) column
               to be clamped at the specified mss.

           nosmurfs
               This option only makes sense for ports on a bridge. Filter
               packets for smurfs (packets with a broadcast address as the
               source). Smurfs will be optionally logged based on the setting
               of SMURF_LOG_LEVEL in shorewall.conf[6](5). After logging, the
               packets are dropped.

           routeback
               Shorewall should set up the infrastructure to pass packets
               from this/these address(es) back to themselves. This is
               necessary if hosts in this group use the services of a
               transparent proxy that is a member of the group or if DNAT is
               used to send requests originating from this group to a server
               in the group.

           tcpflags
               Packets arriving from these hosts are checked for certain
               illegal combinations of TCP flags. Packets found to have such
               a combination of flags are handled according to the setting of
               TCP_FLAGS_DISPOSITION after having been logged according to
               the setting of TCP_FLAGS_LOG_LEVEL.

EXAMPLES
       Example 1
           The firewall runs a PPTP server which creates a ppp interface for
           each remote client. The clients are assigned IP addresses in the
           network 192.168.3.0/24 and in a zone named 'vpn'.

               #ZONE   HOST(S)                 OPTIONS
               vpn     ppp+:192.168.3.0/24

FILES
       /etc/shorewall/hosts

SEE ALSO
       http://shorewall.net/configuration_file_basics.htm#Pairs

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
       shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

NOTES
       1. shorewall-zones
          http://www.shorewall.net/manpages/shorewall-zones.html

       2. shorewall-interfaces
          http://www.shorewall.net/manpages/shorewall-interfaces.html

       3. shorewall-exclusion
          http://www.shorewall.net/manpages/shorewall-exclusion.html

       4. shorewall-blacklist
          http://www.shorewall.net/manpages/shorewall-blacklist.html

       5. shorewall-maclist
          http://www.shorewall.net/manpages/shorewall-maclist.html

       6. shorewall.conf
          http://www.shorewall.net/manpages/shorewall.conf.html

                                  06/28/2012                 SHOREWALL-HOSTS(5)
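A small validator for the hosts file format the man page describes makes the column rules concrete: the three columns, the interface:list grammar with its five member forms, the firewall-zone restriction, and the no-white-space rule for the option list. This is an added example, not Shorewall's own parser. It takes the leading "!" exclusion syntax from shorewall-exclusion(5), which the man page references but does not reproduce, handles IPv4 only, and the sample file, zone names and interface names below are constructed for the example.

```python
"""Validator for /etc/shorewall/hosts as described in shorewall-hosts(5).
Added example, not Shorewall code. Checks the ZONE, HOST(S) and OPTIONS
columns; the '!' exclusion syntax is taken from shorewall-exclusion(5).
IPv4 only (an IPv6 address would collide with the interface ':' separator)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Flag options listed in the man page; mss=N is handled separately.
KNOWN_OPTIONS = {"blacklist", "broadcast", "destonly", "ipsec", "maclist",
                 "nosmurfs", "routeback", "tcpflags"}


@dataclass
class HostEntry:
    zone: str
    interface: str
    members: list                                   # addresses, CIDRs, ranges, '+ipset' or 'dynamic'
    exclusions: list = field(default_factory=list)  # hosts removed from the group
    options: dict = field(default_factory=dict)


def _check_member(token):
    """Accept one of the five member forms from the HOST(S) column, else raise ValueError."""
    if token == "dynamic":
        return token
    if token.startswith("+"):                       # ipset name
        if not re.fullmatch(r"\+[A-Za-z_][A-Za-z0-9_-]*", token):
            raise ValueError(f"bad ipset name {token!r}")
        return token
    if "-" in token:                                # low.address-high.address
        low, high = token.split("-", 1)
        if ipaddress.ip_address(low) > ipaddress.ip_address(high):
            raise ValueError(f"range {token!r} is reversed")
        return token
    ipaddress.ip_network(token, strict=False)       # single host or CIDR network
    return token


def parse_hosts(text, firewall_zone="fw"):
    """Parse hosts-file text into HostEntry objects; raise ValueError on the first bad line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()         # strip comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 columns, got {len(cols)} "
                             "(the option list must have no embedded white space)")
        zone, hosts = cols[0], cols[1]
        if zone == firewall_zone:
            raise ValueError(f"line {lineno}: the firewall zone {zone!r} may not appear in ZONE")
        iface, sep, rest = hosts.partition(":")
        if not sep or not iface:
            raise ValueError(f"line {lineno}: HOST(S) must be interface:list")
        members_part, _, excl_part = rest.partition("!")
        members = [_check_member(m) for m in members_part.split(",") if m]
        if not members:
            raise ValueError(f"line {lineno}: empty host list for {iface!r}")
        exclusions = [_check_member(e) for e in excl_part.split(",") if e]
        options = {}
        if len(cols) == 3 and cols[2] != "-":
            for opt in cols[2].split(","):
                name, _, value = opt.partition("=")
                if name == "mss":
                    if not value.isdigit():
                        raise ValueError(f"line {lineno}: mss needs a numeric value")
                    options[name] = int(value)
                elif name in KNOWN_OPTIONS and not value:
                    options[name] = True
                else:
                    raise ValueError(f"line {lineno}: unknown option {opt!r}")
        entries.append(HostEntry(zone, iface, members, exclusions, options))
    return entries


def validate(text, firewall_zone="fw"):
    """Return None when the text parses cleanly, otherwise the error message."""
    try:
        parse_hosts(text, firewall_zone)
        return None
    except ValueError as err:
        return str(err)


# Constructed sample: line 1 is Example 1 from the man page, the rest are made up.
SAMPLE = """\
#ZONE   HOST(S)                               OPTIONS
vpn     ppp+:192.168.3.0/24                               # PPTP clients
dmz     eth1:10.0.1.10,10.0.1.20-10.0.1.30   routeback,mss=1400
guest   eth1:+guests!10.0.2.1                tcpflags
"""

if __name__ == "__main__":
    for entry in parse_hosts(SAMPLE):
        print(entry)
    print(validate("dmz eth1:10.0.1.0/24 routeback, tcpflags"))
```

The last call in the usage block shows the white-space rule in action: `routeback, tcpflags` splits into a fourth column, so the line is rejected rather than silently losing an option.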