OpenVPN, IPFW and NAT

Ciernik Tomas tomas at ciernik.sk
Sat Sep 5 16:49:50 CEST 2009


Hello,

Since openvpn is already being discussed here, I'll throw in my question too :)

I have working communication from an openvpn client to the network behind the
openvpn server. Now I need to make this communication available to the network
behind the vpn client as well. natd is running on the relevant interface and
works; the problem is with the firewall configuration.

I'm attaching the ipfw configuration with which NAT works successfully.
Unfortunately, it is not sufficient.

00001 divert natd ip from any to any via tun3
00003 allow all from any to me ssh keep-state
00004 allow all from any to any out keep-state
00100 allow all from any to any via em2 keep-state
00101 allow all from any to any via em1 keep-state
45900 allow icmp from any to any icmptypes 0,3,4,8,11 in keep-state

tun3 is the openvpn interface, em1 and em2 are the local networks

As I already wrote, this firewall is not quite the real thing; I tried it only
to test the nat daemon. So I'm trying to get ipfw running with this
configuration:

01000 allow ip from any to any via lo0
01001 deny log ip from any to 127.0.0.0/8
01002 deny log ip from 127.0.0.0/8 to any
01060 divert 8668 ip from any to any in via tun3
01100 check-state
02010 skipto 65010 tcp from any to any out via tun3 setup keep-state
02011 skipto 65010 ip from any to any out via tun3 keep-state
02100 allow tcp from any to any out via em1 setup keep-state
02101 allow ip from any to any out via em1 keep-state
02102 allow tcp from any to any out via tun1 setup keep-state
02103 allow ip from any to any out via tun1 keep-state
02104 allow tcp from any to any out via tun2 setup keep-state
02105 allow ip from any to any out via tun2 keep-state
02106 allow tcp from any to any out via em2 setup keep-state
02107 allow ip from any to any out via em2 keep-state
19900 skipto 20000 ip from any to any in via em1
19901 skipto 25000 ip from any to any in via tun1
19902 skipto 30000 ip from any to any in via tun2
19903 skipto 35000 ip from any to any in via em2
19904 skipto 45000 ip from any to any in via tun0

...

55000 reset log tcp from any to any
55001 deny log ip from any to any
65010 divert 8668 ip from any to any out via tun3
65011 allow ip from any to any
65535 deny ip from any to any


tcpdump showed that outgoing connections are not being translated (in my
opinion rules 2010, 2011 and 65010 should take care of this) and I can't
explain why. I have options IPDIVERT enabled in the kernel; the freebsd
version is 7.2-STABLE.

Thanks for any help,

Tomas.
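The first thing to establish with a ruleset like the one above is whether the skipto and divert rules on the NAT path are ever reached at all. ipfw keeps a per-rule packet counter that `ipfw -a list` prints next to the rule number, so reading those counters after sending some traffic across tun3 tells you whether the packets are being consumed by an earlier rule. The script below is an added example, not code from the original post; the `unhit_rules` function, the rule numbers passed to it and the sample `ipfw -a list` dump are constructed for this illustration and are not output from the poster's machine.

```shell
#!/bin/sh
# Added example: report rules from an `ipfw -a list` dump whose packet
# counter is still zero (or which are absent from the dump).
# `ipfw -a list` prints one line per rule:
#   <rule number> <packets> <bytes> <action and match body...>

# unhit_rules "<rule numbers>": reads the dump on stdin and prints, for each
# requested rule, whether it is missing or has never matched a packet.
unhit_rules() {
    awk -v want="$1" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) seen[w[i] + 0] = -1   # -1: not seen yet
        }
        # First field is the zero-padded rule number, second the packet count.
        $1 ~ /^[0-9]+$/ && (($1 + 0) in seen) { seen[$1 + 0] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                r = w[i] + 0
                if (seen[r] == -1)     printf "%05d missing\n", r
                else if (seen[r] == 0) printf "%05d never matched\n", r
            }
        }'
}

# Constructed sample dump (hypothetical counters), modelled on the poster's
# second ruleset: traffic is seen inbound on tun3 and is accepted by the
# final allow, but the outbound skipto/divert rules never match.
SAMPLE_DUMP='01060     42     3360 divert 8668 ip from any to any in via tun3
02010      0        0 skipto 65010 tcp from any to any out via tun3 setup keep-state
02011      0        0 skipto 65010 ip from any to any out via tun3 keep-state
65010      0        0 divert 8668 ip from any to any out via tun3
65011    900    81000 allow ip from any to any'

# check_nat_path: run the counter check against the sample dump for the
# rules the poster expects to do the outbound translation.
check_nat_path() {
    printf '%s\n' "$SAMPLE_DUMP" | unhit_rules "1060 2010 2011 65010 65011"
}

check_nat_path
```

On the gateway itself this would be run as `ipfw -a list | unhit_rules "2010 2011 65010"` after generating some traffic from the LAN towards tun3. If those three counters stay at zero while tcpdump shows the packets leaving tun3 untranslated, the outbound pass is being accepted before rule 2010, and `ipfw -d list` (which adds the dynamic rules to the listing) is the next thing to look at: a dynamic rule created by any earlier keep-state rule matches on addresses and ports rather than on the interface, so it can catch the same flow on the outbound pass at check-state and execute its parent rule's action instead of falling through to the divert.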




More information about the Users-l mailing list