HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   Port foreword + openVPN + iptables ? (http://www.howtoforge.com/forums/showthread.php?t=52678)

flan 15th May 2011 23:31

Port foreword + openVPN + iptables ?
 
Hello all,

I do have an office with Several PC's and we share the internet connection using iptables and our DNS server we also have Mail and FTP Server. Our ISP keep changing there rules and they start blocking some port like 25, 21 and 143. so the best solution i could think of is to use vpn service with a static ip address to use instead of my ISP ip address.

After I got my vpn service with a static ip address, it seem i am unable to port forward and cannot access my server from the internet.



my network infrastructure is like this:

Main DNS server with 2 NIC's: /etc/network/interfaces
Code:

auto lo eth0 eth1
iface lo inet loopback

#internet
iface eth0 inet static
    address 10.0.0.2
    netmask 255.255.255.192
    gateway 10.0.0.1       
#local
iface eth1 inet static
    address 10.0.1.1
    netmask 255.255.255.240

/etc/resolv.conf
Code:

nameserver 127.0.0.1
/etc/bind/options.conf
Code:

options {
    directory "/var/cache/bind";
    forwarders {208.67.222.222; 208.67.220.220;};
    auth-nxdomain no;
    allow-query { any; };
    recursion no;   
    version "0";       
    listen-on-v6 { any; };
};

Mail server /etc/network/interfaces
Code:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
    iface eth0 inet static
        address 10.0.1.3
        netmask 255.255.255.240
        gateway 10.0.1.1

/etc/resolv.conf
Code:

nameserver 10.0.1.1
-----------------------------------------------------------------

Other clients on local network
Code:

address 10.0.1.x 
netmask 255.255.255.240
gateway 10.0.1.1
nameserver    10.0.1.1

-----------------------------------------------------------------



and here what i did so far



iptables script:
-----------------------------------------------------------------
Code:

{ # Define networks
                iWAN=eth0
                iWANIP=10.0.0.2
                iVPN=tun0 
                iLAN=eth1
                lNet=10.0.1.0/24
                lIP="10.0.1.1"
                PubIP="68.168.223.46"
                VPNIP="10.8.0.6"
               
                UNIVERSE="0.0.0.0/0"
}
{ # Disable Firewall
                iptables -F
                iptables -X
                iptables -t nat -F
                iptables -t nat -X
                iptables -t mangle -F
                iptables -t mangle -X
                iptables -P INPUT ACCEPT
                iptables -P FORWARD ACCEPT
                iptables -P OUTPUT ACCEPT
}
{ # LoadModules
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc
}
{ # Enabling IP forwarding
                echo "1" > /proc/sys/net/ipv4/ip_forward
                echo "1" > /proc/sys/net/ipv4/ip_dynaddr
   
#Enable packet forwarding to function as a router"
                iptables --append FORWARD --in-interface $iLAN -j ACCEPT 

#Enable MASQUERADE to function as a NAT router"
                iptables --table nat --append POSTROUTING --out-interface $iWAN -j MASQUERADE 
                iptables --table nat --append POSTROUTING --out-interface $iVPN -j MASQUERADE 
}
{ # Creating a DROP chain
                iptables -N drop-and-log-it
                iptables -A drop-and-log-it -j LOG --log-level info
                iptables -A drop-and-log-it -j REJECT
}
{ # Port Forwarding
        #Add a rule to allow related packets to the forward: "
                iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

        #Add a rule for each port:"
                iptables --append FORWARD --in-interface $iVPN  -p tcp -m tcp --dport 53 -j ACCEPT
                iptables --append FORWARD --in-interface $iVPN  -p udp -m udp --dport 53 -j ACCEPT
                iptables --append FORWARD --in-interface $iVPN  -p tcp -m tcp --dport 80 -j ACCEPT
                iptables --append FORWARD --in-interface $iVPN  -p tcp -m tcp --dport 110 -j ACCEPT
                iptables --append FORWARD --in-interface $iVPN  -p tcp -m tcp --dport 143 -j ACCEPT
                iptables --append FORWARD --in-interface $iVPN  -p tcp -m tcp --dport 25 -j ACCEPT

        #actual port forwarding:"
                iptables  -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.1.1
                iptables  -t nat -A PREROUTING -i $iVPN -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.1.1
                iptables  -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.2
                iptables  -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.1.3
                iptables -t nat  -A PREROUTING -i $iVPN -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.1.3
                iptables  -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.1.3
}



iptables -t nat -L -n -v
----------------------------------------
Code:

Chain PREROUTING (policy ACCEPT 9474 packets, 684K bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 DNAT      tcp  --  tun0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:53 to:10.0.1.1
    0    0 DNAT      udp  --  tun0  *      0.0.0.0/0            0.0.0.0/0          udp dpt:53 to:10.0.1.1
    0    0 DNAT      tcp  --  tun0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:10.0.1.2
    0    0 DNAT      tcp  --  tun0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:110 to:10.0.1.3
    0    0 DNAT      tcp  --  tun0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:25 to:10.0.1.3
    0    0 DNAT      tcp  --  tun0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:143 to:10.0.1.3

Chain POSTROUTING (policy ACCEPT 551 packets, 39296 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0         
    0    0 MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0         

Chain OUTPUT (policy ACCEPT 8288 packets, 650K bytes)
 pkts bytes target    prot opt in    out    source              destination


route -n
----------------------------------------
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
10.8.0.6        0.0.0.0        255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.6        255.255.255.255 UGH  0      0        0 tun0
68.168.223.45  10.0.0.1        255.255.255.255 UGH  0      0        0 eth0
10.0.1.0        0.0.0.0        255.255.255.240 U    0      0        0 eth1
10.0.0.0        0.0.0.0        255.255.255.192 U    0      0        0 eth0
0.0.0.0        10.8.0.6        128.0.0.0      UG    0      0        0 tun0
128.0.0.0      10.8.0.6        128.0.0.0      UG    0      0        0 tun0
0.0.0.0        10.0.0.1        0.0.0.0        UG    100    0        0 eth0


ifconfig
----------------------------------------
Code:

eth0      Link encap:Ethernet  HWaddr 00:30:4f:1c:49:f8 
          inet addr:10.0.0.2  Bcast:10.0.0.63  Mask:255.255.255.192
          inet6 addr: fe80::230:4fff:fe1c:49f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:237225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:240397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:162233252 (162.2 MB)  TX bytes:46279818 (46.2 MB)
          Interrupt:11 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:08:54:41:42:88 
          inet addr:10.0.1.1  Bcast:10.0.1.15  Mask:255.255.255.240
          inet6 addr: fe80::208:54ff:fe41:4288/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:481444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:461148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:138833837 (138.8 MB)  TX bytes:194547673 (194.5 MB)
          Interrupt:10 Base address:0xc400

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5770 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:622634 (622.6 KB)  TX bytes:622634 (622.6 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.8.0.5  P-t-P:10.8.0.6  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:127546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:66371419 (66.3 MB)  TX bytes:19781324 (19.7 MB)

Any help would be much much much much appreciated.


All times are GMT +2. The time now is 10:07.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.