-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/16 08:50, Gert Doering wrote:
> Hi,
> 
> On Mon, Jan 11, 2016 at 01:06:18PM -0800, Jeff Boyce wrote:
>> Now, I don't want to leave my firewall with a default Accept All
>> setting on the forwarding chain, so I need to identify a rule
>> specific to the packet type / traffic that I want to allow.  I am
>> little less knowledgeable on firewall rules than routing so if
>> someone could provide a suggestion here I would appreciate it.  I
>> tried making a rule that allowed all UDP TUN traffic, but that
>> blocked my ping again.  I think then I tried adding a port
>> specific rule, but that didn't help either. At that point I ran
>> out of time to conduct any additional tests.
> 
> You need to allow UDP (for OpenVPN) in the INPUT chain, because
> that is consumed by the VPN server (-> INPUT), not forwarded
> elsewhere.
> 
> In the FORWARD chain, the easiest approach - and reasonably secure,
> unless you distrust your VPN clients - is to permit everything
> coming in via tun0
> 
> iptables -I INPUT -i tun0 -j FORWARD
> 
> (or similar to this, typing from memory)

I presume Gert meant:

     iptables -I FORWARD -i tun0 -j ACCEPT

This will allow traffic coming in on tun0 to be forwarded anywhere.
It will not enable access to this particular host.  For that you
need to modify the INPUT chain.

To allow hosts on this box's network to access hosts on the tun0
"net", you must add:

     iptables -I FORWARD -o tun0 -j ACCEPT

This allows forwarded packets to exit on the tun0 device.


- -- 
kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlaU9GQACgkQDC186MBRfrqpzACgqp3BwlXiYwoxGAodLH/IHyU7
YesAmwSEXMl/SWPl1i6LMe79AiGJrgUP
=oSyC
-----END PGP SIGNATURE-----
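Putting the thread's advice together, an added example (not from the original posts) of a minimal ruleset that allows OpenVPN in the INPUT chain and uses David's two FORWARD rules with a default-deny FORWARD policy. The interface name WAN_IF, the port VPN_PORT and the IPT variable (which selects the iptables binary, or `echo` for a dry run) are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumed names: WAN_IF is the public interface, VPN_PORT the UDP port
# OpenVPN listens on, IPT the iptables binary (IPT=echo prints the rules
# instead of applying them).
WAN_IF="${WAN_IF:-eth0}"
VPN_PORT="${VPN_PORT:-1194}"
IPT="${IPT:-iptables}"

apply_openvpn_rules() {
    # Replies to existing flows keep working in both chains.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT

    # The tunnel terminates on this box, so OpenVPN's UDP packets are
    # consumed in INPUT, not FORWARD (Gert's point).
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT

    # David's two FORWARD rules: VPN clients may be routed anywhere, and
    # hosts behind this box may be routed out to the tun0 "net".  Narrow
    # the first one with -s/-d if the VPN clients are not trusted.
    "$IPT" -A FORWARD -i tun0 -j ACCEPT
    "$IPT" -A FORWARD -o tun0 -j ACCEPT

    # Default-deny last, so an existing admin session is never without a
    # matching ACCEPT rule while the script runs.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
}

# Dry-run helper: number of rules appended to a given chain.
count_rules_for_chain() {
    (IPT=echo; apply_openvpn_rules) | grep -c -- "-A $1 "
}

# "sh firewall.sh dry-run" prints the rules; "sh firewall.sh apply" (as
# root) applies them; no argument only defines the functions.
case "${1:-}" in
    dry-run) (IPT=echo; apply_openvpn_rules) ;;
    apply)   apply_openvpn_rules ;;
esac
```

The script uses `-A` in a deliberate order rather than the `-I` (insert at top) of the thread, so it expects the chains to be empty when it runs; it also assumes IP forwarding is already enabled on the box, as the original poster's routing setup implies.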

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
