15th May 2011, 23:31
flan
Port forward + OpenVPN + iptables ?

Hello all,

I have an office with several PCs, and we share the internet connection using iptables and our DNS server; we also have a mail and an FTP server. Our ISP keeps changing their rules and has started blocking some ports like 25, 21 and 143, so the best solution I could think of is to use a VPN service with a static IP address instead of my ISP IP address.

After I got my VPN service with a static IP address, it seems I am unable to port forward and cannot access my server from the internet.

My network infrastructure is like this:

Main DNS server with 2 NICs: /etc/network/interfaces
Code:
auto lo eth0 eth1
iface lo inet loopback

#internet 
iface eth0 inet static
    address 10.0.0.2
    netmask 255.255.255.192
    gateway 10.0.0.1        
#local
iface eth1 inet static
    address 10.0.1.1
    netmask 255.255.255.240
/etc/resolv.conf
Code:
nameserver 127.0.0.1
/etc/bind/options.conf
Code:
options {
    directory "/var/cache/bind";
    forwarders {208.67.222.222; 208.67.220.220;};
    auth-nxdomain no;
    allow-query { any; };
    recursion no;    
    version "0";        
    listen-on-v6 { any; };
};
Mail server /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 10.0.1.3
    netmask 255.255.255.240
    gateway 10.0.1.1
/etc/resolv.conf
Code:
nameserver 10.0.1.1
-----------------------------------------------------------------

Other clients on the local network
Code:
address 10.0.1.x  
netmask 255.255.255.240
gateway 10.0.1.1
nameserver     10.0.1.1
-----------------------------------------------------------------

And here is what I did so far:

iptables script:
-----------------------------------------------------------------
Code:
{ # Define networks
    iWAN=eth0
    iWANIP=10.0.0.2
    iVPN=tun0
    iLAN=eth1
    lNet=10.0.1.0/28       # LAN is a /28 (netmask 255.255.255.240), matching eth1
    lIP="10.0.1.1"
    PubIP="68.168.223.46"
    VPNIP="10.8.0.6"

    UNIVERSE="0.0.0.0/0"
}
{ # Disable Firewall: flush all chains and reset default policies to ACCEPT
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
}
{ # Load modules (conntrack/NAT helpers for FTP and IRC)
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc
}
{ # Enabling IP forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    # Enable packet forwarding to function as a router
    iptables --append FORWARD --in-interface $iLAN -j ACCEPT

    # Enable MASQUERADE to function as a NAT router (on both the ISP link and the VPN tunnel)
    iptables --table nat --append POSTROUTING --out-interface $iWAN -j MASQUERADE
    iptables --table nat --append POSTROUTING --out-interface $iVPN -j MASQUERADE
}
{ # Creating a DROP chain (logs, then rejects)
    iptables -N drop-and-log-it
    iptables -A drop-and-log-it -j LOG --log-level info
    iptables -A drop-and-log-it -j REJECT
}
{ # Port Forwarding
    # Add a rule to allow related packets to the forward:
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Add a rule for each port:
    iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 53 -j ACCEPT
    iptables --append FORWARD --in-interface $iVPN -p udp -m udp --dport 53 -j ACCEPT
    iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 80 -j ACCEPT
    iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 110 -j ACCEPT
    iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 143 -j ACCEPT
    iptables --append FORWARD --in-interface $iVPN -p tcp -m tcp --dport 25 -j ACCEPT

    # Actual port forwarding (DNAT on the VPN interface to the internal hosts):
    iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.1.1
    iptables -t nat -A PREROUTING -i $iVPN -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.1.1
    iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.2
    iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.1.3
    iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.1.3
    iptables -t nat -A PREROUTING -i $iVPN -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.1.3
}


iptables -t nat -L -n -v
----------------------------------------
Code:
Chain PREROUTING (policy ACCEPT 9474 packets, 684K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 to:10.0.1.1 
    0     0 DNAT       udp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:10.0.1.1 
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.1.2 
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 to:10.0.1.3 
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:10.0.1.3 
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 to:10.0.1.3 

Chain POSTROUTING (policy ACCEPT 551 packets, 39296 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 8288 packets, 650K bytes)
 pkts bytes target     prot opt in     out     source               destination

route -n
----------------------------------------
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.6        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.6        255.255.255.255 UGH   0      0        0 tun0
68.168.223.45   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.240 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         10.8.0.6        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.6        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0

ifconfig
----------------------------------------
Code:
eth0      Link encap:Ethernet  HWaddr 00:30:4f:1c:49:f8  
          inet addr:10.0.0.2  Bcast:10.0.0.63  Mask:255.255.255.192
          inet6 addr: fe80::230:4fff:fe1c:49f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:237225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:240397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:162233252 (162.2 MB)  TX bytes:46279818 (46.2 MB)
          Interrupt:11 Base address:0xc000 

eth1      Link encap:Ethernet  HWaddr 00:08:54:41:42:88  
          inet addr:10.0.1.1  Bcast:10.0.1.15  Mask:255.255.255.240
          inet6 addr: fe80::208:54ff:fe41:4288/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:481444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:461148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:138833837 (138.8 MB)  TX bytes:194547673 (194.5 MB)
          Interrupt:10 Base address:0xc400 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5770 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:622634 (622.6 KB)  TX bytes:622634 (622.6 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.5  P-t-P:10.8.0.6  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:127546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:66371419 (66.3 MB)  TX bytes:19781324 (19.7 MB)
Any help would be much much much much appreciated.
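The PREROUTING listing above shows every DNAT rule with a packet counter of 0, which is the first thing worth checking in a setup like this: a DNAT rule that has never matched means no traffic for those ports has arrived on tun0 at all, so the problem sits before the firewall rather than in the rules themselves. The helper below is an added example, not code from the original post; it parses the output of `iptables -t nat -L -n -v` and lists the DNAT rules that have never matched. The sample listing embedded in it is constructed from the output posted above, with the tcp/80 counter changed to a non-zero value so that one rule is excluded.

```shell
#!/bin/sh
# Added example (not from the original post): list DNAT rules in an
# `iptables -t nat -L -n -v` listing whose packet counter is still 0.
# A DNAT rule that has never matched means the traffic never reached
# that interface, so the problem is upstream of the firewall.

# Reads a listing on stdin, prints one line per zero-hit DNAT rule:
#   <chain> <in-iface> <proto> dport=<port> -> <to-destination>
zero_hit_dnat() {
    awk '
        /^Chain /      { chain = $2; next }   # remember which chain we are in
        $1 == "pkts"   { next }               # skip the column header
        NF == 0        { next }               # skip blank lines
        $3 == "DNAT" && $1 == "0" {
            # $4 = proto, $6 = in-iface; "dpt:N" and "to:ADDR" are trailing match/target options
            dport = "?"; to = "?"
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) dport = substr($i, 5)
                if ($i ~ /^to:/)  to = substr($i, 4)
            }
            printf "%s %s %s dport=%s -> %s\n", chain, $6, $4, dport, to
        }
    '
}

# Number of zero-hit DNAT rules; 0 means every DNAT rule has seen traffic.
count_zero_hit_dnat() {
    zero_hit_dnat | wc -l | tr -d ' '
}

# Constructed sample based on the listing posted above, with the
# tcp/80 counter changed to a non-zero value so one rule is excluded.
SAMPLE='Chain PREROUTING (policy ACCEPT 9474 packets, 684K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 to:10.0.1.1
   12   720 DNAT       tcp  --  tun0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.1.2

Chain POSTROUTING (policy ACCEPT 551 packets, 39296 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
'

# Stand-alone demo on the constructed sample; on a live box use:
#   iptables -t nat -L -n -v | zero_hit_dnat
printf '%s' "$SAMPLE" | zero_hit_dnat
```

Run it against the live listing while a connection attempt is made from outside to the VPN's static address: if the counters stay at 0, the packets are not being delivered down the tunnel, and the question to take to the VPN provider is whether inbound ports are forwarded to the client at all. If the counters do increase but the service is still unreachable, the forward path (FORWARD rules, routing on the internal hosts) is the next place to look.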