|
|
Sponsored Content
Special Forums
Cybersecurity
Openvpn nat and iptables
Post 302985097 by end on Friday 4th of November 2016 07:21:18 PM
11-04-2016
Openvpn nat and iptables
good day good people
hi
first to tell that firewall and vpn is working as expected, but I notice something strange.
I have host system 11.11.11.11(local ip) firewall is blocking everything except port to vpn.
I have vpn on virtualized system 22.22.22.22 (CentOS both host and virtual). They are behind MikroTik router and then to my ISP router. This is a home setup I'm just experimenting.
PREROUTING 11.11.11.11:1194 to 22.22.22.22:1194 all other is blocked by iptables.
POSTROUTING 22.22.22.22 to 11.11.11.11
I noticed with Wireshark from host 11.11.11.11 that while I'm connected to vpn from another pc that 11.11.11.11 is connecting to ip addresses of websites I visit while in same time is connected to vpn. like:
11.11.11.11 XX.XX.XX public ip
11.11.11.11 tcp udp sites i visit
but 11.11.11.11 is unnecessarily making connections to website ip addresses. She cannot make the reqests because DNS and ports for that are blocked. So this is because postrouting command my best guess. Can this somehow be disabled? First this is a security issue, second its unnecessary.
Someone told me that this is because NAT setup. but I believe that this can be disabled somehow, I didn't find solution yet so maybe someone know how.
thanks
hi
first to tell that firewall and vpn is working as expected, but I notice something strange.
I have host system 11.11.11.11(local ip) firewall is blocking everything except port to vpn.
I have vpn on virtualized system 22.22.22.22 (CentOS both host and virtual). They are behind MikroTik router and then to my ISP router. This is a home setup I'm just experimenting.
PREROUTING 11.11.11.11:1194 to 22.22.22.22:1194 all other is blocked by iptables.
POSTROUTING 22.22.22.22 to 11.11.11.11
I noticed with Wireshark from host 11.11.11.11 that while I'm connected to vpn from another pc that 11.11.11.11 is connecting to ip addresses of websites I visit while in same time is connected to vpn. like:
11.11.11.11 XX.XX.XX public ip
11.11.11.11 tcp udp sites i visit
but 11.11.11.11 is unnecessarily making connections to website ip addresses. She cannot make the reqests because DNS and ports for that are blocked. So this is because postrouting command my best guess. Can this somehow be disabled? First this is a security issue, second its unnecessary.
Someone told me that this is because NAT setup. but I believe that this can be disabled somehow, I didn't find solution yet so maybe someone know how.
thanks
| Moderator's Comments: | ||
|
Last edited by Scrutinizer; 11-05-2016 at 04:48 AM.. Reason: Spelling
|
|
10 More Discussions You Might Find Interesting
1. IP Networking
Hi all!
We have a setup of three computers;
Machine A (eth0) -> Machine B (eth0, hso0, tun0) -> Machine C (eth0, tun0)
hso0 is the packet interface of a 3G modem, it behaves like a normal network interface.
Machine B and C are connected in a VPN using openVPN (TCP). Machine A is a... (2 Replies)
Discussion started by: theVOID
2 Replies
2. UNIX for Advanced & Expert Users
Hello Guys,
I have a debian machine that work as a firewall (iptables + squid 2.6) with two physical interfaces: eth0 (public interface) and eth1 (internal interface LAN). I have created an alias eth1:1 in order to have two subnets on same physical interface:
cat/etc/network/interfaces
auto... (0 Replies)
Discussion started by: sincity2006
0 Replies
3. Debian
Hello, the Nat and the forward worked on my debian server up to the reboot of machines.
The following rules*:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth2 -d xxx.xxx.xxx.xxx --dport 29070 -j DNAT --to-destination 10.0.1.7:29070
/sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 -d... (0 Replies)
Discussion started by: titoms
0 Replies
4. IP Networking
Good morning,
I'm a newbie of iptables and as far as I've seen on tutorials on the Internet it seems that both prerouting and postrouting NAT chains are undergone both by a packet that goes from an internal LAN to the Internet and of a one that goes in the opposite direction (from the Internet to... (0 Replies)
Discussion started by: giac85
0 Replies
5. Red Hat
Hello, please can you help and explain me.
I have two servers. Both are RHEL6.
I use the first one like router and the second one for apache.
Router forwards 80 port on the second server and I can open that from the internet (mysite.com, for example). But I can not open mysite.com if i try to... (0 Replies)
Discussion started by: 6765656755
0 Replies
6. Cybersecurity
Hi, I am learning IPTables have this question.
My server is behind a firewall that does a PAT & NAT to the LAN address.
Internet IP: 68.1.1.23
Port: 10022
Server LAN IP: 10.1.1.23
port: 22
Allowed Internet IPs: 131.1.1.23, 132.1.1.23
I want to allow a set of IPs are to be able to... (1 Reply)
Discussion started by: capri_guy84
1 Replies
7. IP Networking
Hi all,
I have a following situation:
- I want certain source IPs to be natted to a different destination IP and Port. Following is how I am achieving it:
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12
--dport 1500 -j DNAT --to-destination 192.168.10.20:2000
... (3 Replies)
Discussion started by: ahmerin
3 Replies
8. UNIX for Dummies Questions & Answers
Hey all,
I'm trying to get openvpn working on DD-WRT router.
I can make a connection inside my lan, but outside the connection is yellow. I think yellow means it is close to making a connection, but it never completes the connection. So I believe there is a problem with my iptables since it... (0 Replies)
Discussion started by: sdnix
0 Replies
9. IP Networking
Hi guys
I'm running on debian on a small embedded system. I have a ppp interface that is connected to the internet (and works). My unit also has wifi access point (which works and I can connect to it).
I want to allow connections to the wifi to be able to use the internet from ppp0... (1 Reply)
Discussion started by: alirezan1
1 Replies
10. Solaris
Hi.
I am attempting to set up an OpenVPN server on my Solaris 11 box by following all the Linux guides. Thus far I have a working VPN that I can connect to and ssh onto my VPN server over which is great but not what I require long term.
I would like to route all VPN client requests for addresses... (0 Replies)
Discussion started by: nickb1976
0 Replies
LEARN ABOUT DEBIAN
pyroman
PYROMAN(8) System Manager's Manual PYROMAN(8) NAME
pyroman - a firewall configuration utility SYNOPSIS
pyroman [ -hvnspP ] [ -r RULESDIR ] [ -t SECONDS ] [ --help ] [ --version ] [ --safe ] [ --no-act ] [ --print ] [ --print-verbose ] [ --rules=RULESDIR ] [ --timeout=SECONDS ] [ safe ] DESCRIPTION
pyroman is a firewall configuration utility. It will compile a set of configuration files to iptables statements to setup IP packet filtering for you. While it is not necessary for operating and using Pyroman, you should have understood how IP, TCP, UDP, ICMP and the other commonly used Internet protocols work and interact. You should also have understood the basics of iptables in order to make use of the full functionality. pyroman does not try to hide all the iptables complexity from you, but tries to provide you with a convenient way of managing a complex networks firewall. For this it offers a compact syntax to add new firewall rules, while still exposing access to add arbitrary iptables rules. OPTIONS
-r RULESDIR,--rules=RULES Load the rules from directory RULESDIR instead of the default directory (usually /etc/pyroman ) -t SECONDS,--timeout=SECONDS Wait SECONDS seconds after applying the changes for the user to type OK to confirm he can still access the firewall. This implies --safe but allows you to use a different timeout. -h, --help Print a summary of the command line options and exit. -V, --version Print the version number of pyroman and exit. -s, --safe, safe When the firewall was committed, wait 30 seconds for the user to type OK to confirm, that he can still access the firewall (i.e. the network connection wasn't blocked by the firewall). Otherwise, the firewall changes will be undone, and the firewall will be restored to the previous state. Use the --timeout=SECONDS option to change the timeout. -n, --no-act Don't actually run iptables. This can be used to check if pyroman accepts the configuration files. -p, --print Instead of running iptables, output the generated rules. -P, --print-verbose Instead of running iptables, output the generated rules. Each statement will have one comment line explaining how this rules was generated. This will usually include the filename and line number, and is useful for debugging. CONFIGURATION
Configuration of pyroman consists of a number of files in the directory /etc/pyroman. These files are in python syntax, although you do not need to be a python programmer to use these rules. There is only a small number of statements you need to know: add_host Define a new host or network add_interface Define a new interface (group) add_service Add a new service alias (note that you can always use e.g. www/tcp to reference the www tcp service as defined in /etc/services) add_nat Define a new NAT (Network Address Translation) rule allow Allow a service, client, server combination reject Reject access for this service, client, server combination drop Drop packets for this service, client, server combination add_rule Add a rule for this service, client, server and target combination iptables Add an arbitrary iptables statement to be executed at beginning iptables_end Add an arbitrary iptables statement to be executed at the end Detailed parameters for these functions can be looked up by caling cd /usr/share/pyroman pydoc ./commands.py BUGS
None known as of pyroman-0.4 release AUTHOR
pyroman was written by Erich Schubert <erich@debian.org> SEE ALSO
iptables(8), iptables-restore(8) iptables-load(8) PYROMAN(8)