From: Bob Proulx <b...@proulx.com>
Date: Mon, 10 Jan 2011 21:55:10 -0700
> x: echo foo | nc -u y 1149
>
> You should see that show up in your tcpdump traces.
You've tried this on your system?  Or at least can detect the datagram leaving the originating system?

From: Mike Bird <mgb-deb...@yosemite.net>
Date: Tue, 11 Jan 2011 14:39:13 -0800
> Anything interesting in the /etc/openvpn/*, or in the output
> of "iptables-save" or of "route -n" or of "ifconfig"?

Incidentally, telnet and daytime haven't worked in dalton since last Spring.

r...@dalton:/etc/openvpn# cat /etc/openvpn/myvpn.conf
# dalton:/etc/openvpn/myvpn.conf
#
# Default protocol is udp.
# Default port is 1194.
# Joule has a dynamic address.
mode server
dev tun
ifconfig 10.4.0.2 10.4.0.1
verb 5
secret /root/key 1
# Machines in the local home zone reached _via_ the tunnel.
# Curie
route 172.23.4.2
# Heaviside
route 172.23.5.2
# Shaw mail servers _via_ the tunnel.
# route shawmail.gv.shawcable.net
route 64.59.128.135
route 24.71.223.43
# Shaw ftp server _via_ the tunnel.
# route ftp.shaw.ca
route 64.59.128.134

I haven't touched /etc/openvpn/update-resolv-conf.  It remains exactly as installed.
r...@dalton:/etc/openvpn# ip route show
142.103.107.128/25 dev eth0  proto kernel  scope link  src 142.103.107.137
172.24.1.0/24 dev LocLCS106703196  proto kernel  scope link  src 172.24.1.1
default via 142.103.107.254 dev eth0

r...@dalton:/etc/openvpn# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:02:55:d9:a7:ef brd ff:ff:ff:ff:ff:ff
    inet 142.103.107.137/25 brd 142.103.107.255 scope global eth0
    inet6 fe80::202:55ff:fed9:a7ef/64 scope link
       valid_lft forever preferred_lft forever
3: LocLCS106703196: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:b6:ef:1d:6c brd ff:ff:ff:ff:ff:ff
    inet 172.24.1.1/24 brd 172.24.1.255 scope global LocLCS106703196
    inet6 fe80::216:b6ff:feef:1d6c/64 scope link
       valid_lft forever preferred_lft forever

r...@dalton:/etc/openvpn# iptables-save
# Generated by iptables-save v1.4.8 on Tue Jan 11 17:46:23 2011
*raw
:PREROUTING ACCEPT [64233:10270729]
:OUTPUT ACCEPT [54270:6788049]
COMMIT
# Completed on Tue Jan 11 17:46:23 2011
# Generated by iptables-save v1.4.8 on Tue Jan 11 17:46:23 2011
*nat
:PREROUTING ACCEPT [9450:1202948]
:POSTROUTING ACCEPT [18164:1299072]
:OUTPUT ACCEPT [18164:1299072]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 172.24.0.0/16 -j MASQUERADE
COMMIT
# Completed on Tue Jan 11 17:46:23 2011
# Generated by iptables-save v1.4.8 on Tue Jan 11 17:46:23 2011
*mangle
:PREROUTING ACCEPT [64234:10270769]
:INPUT ACCEPT [62019:9683981]
:FORWARD ACCEPT [1905:577508]
:OUTPUT ACCEPT [54271:6788557]
:POSTROUTING ACCEPT [56176:7366065]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Tue Jan 11 17:46:23 2011
# Generated by iptables-save v1.4.8 on Tue Jan 11 17:46:23 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Loc+_fwd - [0:0]
:Loc+_in - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc2vpn - [0:0]
:loc_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:net2vpn - [0:0]
:net_frwd - [0:0]
:ppp+_fwd - [0:0]
:ppp+_in - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurflog - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:vpn2fw - [0:0]
:vpn2loc - [0:0]
:vpn2net - [0:0]
:vpn_frwd - [0:0]
-A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
-A INPUT -i eth0 -j net2fw
-A INPUT -i Loc+ -j Loc+_in
-A INPUT -i ppp+ -j ppp+_in
-A INPUT -i tun0 -j vpn2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -m conntrack --ctstate INVALID,NEW -j dynamic
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i Loc+ -j Loc+_fwd
-A FORWARD -i ppp+ -j ppp+_fwd
-A FORWARD -i tun0 -j vpn_frwd
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o Loc+ -j fw2loc
-A OUTPUT -o ppp+ -j fw2loc
-A OUTPUT -o tun0 -j fw2vpn
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A Drop
-A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Loc+_fwd -m conntrack --ctstate INVALID,NEW -j smurfs
-A Loc+_fwd -p tcp -j tcpflags
-A Loc+_fwd -j loc_frwd
-A Loc+_in -m conntrack --ctstate INVALID,NEW -j smurfs
-A Loc+_in -p tcp -j tcpflags
-A Loc+_in -j loc2fw
-A Reject
-A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP
-A dropInvalid -m conntrack --ctstate INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p udp -m udp --dport 1194 -j ACCEPT
-A fw2net -j ACCEPT
-A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2vpn -j ACCEPT
-A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -j ACCEPT
-A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A loc2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A loc2vpn -j ACCEPT
-A loc_frwd -o eth0 -j loc2net
-A loc_frwd -o Loc+ -j ACCEPT
-A loc_frwd -o ppp+ -j ACCEPT
-A loc_frwd -o tun0 -j loc2vpn
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net2fw -m conntrack --ctstate INVALID,NEW -j smurfs
-A net2fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net2fw -p tcp -j tcpflags
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p udp -m udp --dport 1194 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j DROP
-A net2fw -p icmp -j ACCEPT
-A net2fw -j Drop
-A net2fw -j DROP
-A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2loc -p icmp -j ACCEPT
-A net2loc -j Drop
-A net2loc -j DROP
-A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2vpn -j Drop
-A net2vpn -j DROP
-A net_frwd -m conntrack --ctstate INVALID,NEW -j smurfs
-A net_frwd -p tcp -j tcpflags
-A net_frwd -o Loc+ -j net2loc
-A net_frwd -o ppp+ -j net2loc
-A net_frwd -o tun0 -j net2vpn
-A ppp+_fwd -m conntrack --ctstate INVALID,NEW -j smurfs
-A ppp+_fwd -p tcp -j tcpflags
-A ppp+_fwd -j loc_frwd
-A ppp+_in -m conntrack --ctstate INVALID,NEW -j smurfs
-A ppp+_in -p tcp -j tcpflags
-A ppp+_in -j loc2fw
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurflog -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
-A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn2fw -j ACCEPT
-A vpn2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn2loc -j ACCEPT
-A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn2net -j ACCEPT
-A vpn_frwd -o eth0 -j vpn2net
-A vpn_frwd -o Loc+ -j vpn2loc
-A vpn_frwd -o ppp+ -j vpn2loc
COMMIT
# Completed on Tue Jan 11 17:46:23 2011

-- 
http://members.shaw.ca/peasthope/
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/cdb2dabda7bb9.4d2ca...@shaw.ca
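The question the thread is chasing is whether a UDP datagram to port 1194 actually gets through the Shorewall-generated ruleset above, and which rule decides its fate. The following is an added example, not code from the thread, from Shorewall or from OpenVPN: a small Python evaluator that parses iptables-save syntax and walks a packet through the chains the way the kernel would (jump, goto, RETURN, fall-through to the built-in chain's policy), reporting the verdict together with the rules that fired. The embedded RULESET is a constructed, trimmed copy of the dump posted above (only the chains a packet arriving on eth0 traverses on its way through INPUT, and only the match options those rules use: -i, -p, --dport, --ctstate and --tcp-flags); the Packet class and its conntrack state are assumptions stated by the caller, since a user-space tool cannot know what conntrack would assign. Any match option the toy does not understand raises instead of silently passing the rule.

```python
import shlex
from dataclasses import dataclass

# Constructed input: a trimmed copy of the eth0 INPUT path from the iptables-save dump in the thread.
RULESET = """\
:INPUT DROP [0:0]
:Drop - [0:0]
:dropNotSyn - [0:0]
:logflags - [0:0]
:net2fw - [0:0]
:tcpflags - [0:0]
-A INPUT -i eth0 -j net2fw
-A Drop
-A Drop -p tcp -j dropNotSyn
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A net2fw -p tcp -j tcpflags
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p udp -m udp --dport 1194 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A net2fw -j Drop
-A net2fw -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
"""

@dataclass
class Packet:                               # assumed, constructed packet description
    iface: str                              # ingress interface
    proto: str                              # tcp / udp / icmp
    dport: int = 0
    ctstate: str = "NEW"                    # state conntrack would assign (caller's assumption)
    flags: frozenset = frozenset({"SYN"})   # TCP flags set on the packet

def port_in(spec, port):                    # --dport 22 or a range such as --dport 67:68
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

MATCHERS = {                                # the last lambda argument is only used by --tcp-flags
    "-i": lambda pkt, arg, _: pkt.iface == arg,
    "-p": lambda pkt, arg, _: pkt.proto == arg,
    "--dport": lambda pkt, arg, _: port_in(arg, pkt.dport),
    "--ctstate": lambda pkt, arg, _: pkt.ctstate in arg.split(","),
    "--tcp-flags": lambda pkt, mask, comp:  # 'mask comp': match when (flags & mask) == comp
        (pkt.flags & set(mask.split(","))) == set(comp.split(",")) - {"NONE"},
}
ARITY = {"!": 0, "--log-ip-options": 0, "--tcp-flags": 2}   # every other option takes one argument
SKIP = {"-m", "--comment", "--log-prefix", "--log-level", "--log-ip-options"}

def rule_matches(args, pkt):
    """Return (matched, target, is_goto) for one '-A chain ...' argument list."""
    target, goto, neg, i = None, False, False, 0
    while i < len(args):
        opt, arg = args[i], (args[i + 1] if i + 1 < len(args) else None)
        i += 1 + ARITY.get(opt, 1)          # step past the option and its arguments
        if opt == "!":
            neg = True
        elif opt in ("-j", "-g"):
            target, goto = arg, opt == "-g"
        elif opt not in SKIP:               # SKIP: module loads and target options, no match effect
            if opt not in MATCHERS:
                raise ValueError(f"unsupported match option {opt}")
            if MATCHERS[opt](pkt, arg, args[i - 1]) == neg:   # plain miss, or a negated ('!') hit
                return False, None, False
            neg = False
    return True, target, goto

def parse(text):
    """Map chain name -> rule argument lists; record built-in chain policies."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                # ':NAME POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)          # keeps quoted --comment text together
            chains[tokens[1]].append(tokens[2:])
    return chains, policies

def walk(chains, name, pkt, trace):
    """Evaluate one chain; None means RETURN or fall-through to the caller."""
    for args in chains[name]:
        matched, target, goto = rule_matches(args, pkt)
        if not matched or target is None:       # a bare '-A Drop' only counts packets
            continue
        trace.append(f"{name}: {' '.join(args)}")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target != "LOG":                     # LOG is non-terminating; anything else is a chain
            result = walk(chains, target, pkt, trace)
            if result is not None or goto:      # -g: a RETURN in the target ends this chain too
                return result
    return None

def verdict(pkt, ruleset=RULESET, chain="INPUT"):
    """Final verdict for pkt plus the rules that fired on the way to it."""
    chains, policies = parse(ruleset)
    trace = []
    return walk(chains, chain, pkt, trace) or policies[chain], trace
```

Calling verdict(Packet("eth0", "udp", dport=1194)) returns ACCEPT with the net2fw 1194 rule as the last entry of the trace, which is the firewall-side answer to Mike's question: the ruleset admits the OpenVPN datagram, so if tcpdump never shows it the problem is upstream of iptables. A TCP SYN to port 80 walks net2fw into Drop, falls out of dropNotSyn because it is a SYN, and is dropped by the final net2fw rule, while a TCP packet with SYN and RST set goes through the -g logflags goto and is logged before being dropped. The trace is what makes the tool useful: on a Shorewall box with dozens of generated chains, knowing which rule produced a verdict is usually the whole debugging job.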