OpenVPN atrás de firewall

To: Debian User Portuguese <debian-user-portuguese@lists.debian.org>
Subject: OpenVPN atrás de firewall
From: Flavio Alberto Lopes Soares <flavio@maqplas.com.br>
Date: Mon, 8 Sep 2003 12:29:51 -0300
Message-id: <[🔎] 20030908122951.04c96ffd.flavio@maqplas.com.br>

Olá a todos,

Estou implementando uma VPN para realizar os backups dos nossos
arquivos via internet, vou tentar explicar o que tenciono fazer :

aqui na empresa vamos ligar uma máquina com WindowsXP com o 
OpenVPN instalado (tudo bem eu queria que fosse Linux mas está é
a máquina de um dos donos da empresa e ele não pode ficar 
sem o Outlook), esta máquina fica conectada a internet (Speedy 
Business) através de nosso roteador (um Kurumin), por sua vez
colocarei uma máquina rodando Debian em outro local (não conheço
o local ainda, só sei que é conectado com Speedy Business também e
provavelmente deve ter um firewall) com o OpenVPN também, então
nesta máquina eu colocarei o Samba e farei que ela apareça na nossa rede
e nela serão copiados os arquivos de importância do nosso sistema, no 
nosso roteador (o Kurumin) eu coloquei o firewall de exemplo que segue abaixo
 (não manjo muito, na verdade quase nada de iptables) do OpenVPN HOWTO, 
agora a minha dúvida :

Se eu colocar as máquinas atrás de seus respectivos firewalls (digamos iguais
a este abaixo) as máquinas que vão estabelecer comunicação (aqui e lá) vão se
 enxergar automaticamente ou eu preciso redirecionar as portas 5000 (UDP)
das respectivas máquinas aos IPs "quentes" da internet ?

PS : Já fiz o teste na rede local entre minha máquina Debian local e esta máquina
WinXP e funcionou perfeito. 


Agradeço por qualquer ajuda



#!/bin/bash

# A Sample OpenVPN-aware firewall.

# eth0 is connected to the internet.
# eth1 is connected to a private subnet.

# Change this subnet to correspond to your private
# ethernet subnet.  Home will use 10.0.1.0/24 and
# Office will use 10.0.0.0/24.
PRIVATE=192.168.1.0/24

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet).  This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Check source address validity on packets going out to internet
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.

iptables -A INPUT -p udp --dport 5000 -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface.  Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE

Reply to:

Follow-Ups:
- RES: OpenVPN atrás de firewall
  - From: Anderson da Silva Araújo <anderson@mfplan.com.br>

Prev by Date: Sendmail / POP3
Next by Date: Re:
Previous by thread: Sendmail / POP3
Next by thread: RES: OpenVPN atrás de firewall
Index(es):
- Date
- Thread