
I have a dedicated OpenVPN server sitting behind a NAT router and I have the server's static IP set in the DMZ. The problem is that with the current rule set (as seen in the screenshot below) I cannot connect to the VPN server from the internet, nor SSH for that matter. However, if I allow traffic on eth0 all is fine, but that pretty much allows any kind of traffic to reach the host and that completely defeats the purpose of the iptables ruleset. In the screenshot I have set traffic to eth0 (second rule from bottom to top) to nothing and the host is inaccessible with the rules I have imposed above, but if I set that rule to accept all is fine; but as I said, that defeats the purpose of all the rules above.

The host has only one physical ethernet adapter (eth0) with a static IP behind a NAT router.

I cannot figure out what the problem is here and any help would be much appreciated. If I am on the network behind the NAT, all is fine and all policies work, even if the second rule from bottom to top is set to Nothing (inactive).

Thank you!

http://imgur.com/a/YkZ0y

The OpenVPN daemon instances run on ports 1194 and 1195. The SSH daemon runs on port 50.

Here is the iptables ruleset configuration file. I trimmed all the rules and left just port 50 open to the public, but I still can't access it:

# Generated by iptables-save v1.3.8 on Mon Jan  2 14:46:33 2012
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan  2 14:46:33 2012
# Generated by iptables-save v1.3.8 on Mon Jan  2 14:46:33 2012
*mangle
:PREROUTING ACCEPT [213:219554]
:INPUT ACCEPT [213:219554]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [155:35616]
:POSTROUTING ACCEPT [155:35616]
COMMIT
# Completed on Mon Jan  2 14:46:33 2012
# Generated by iptables-save v1.3.8 on Mon Jan  2 14:46:33 2012
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp -i eth0 --sport 50 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --sport 50 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
COMMIT
# Completed on Mon Jan  2 14:46:33 2012

EDIT:

Really weird though: SSH works, and so does the webserver on port 10000, but I can't seem to connect to the VPN server, and the rules I've set are the same you guys have suggested but with a different port, i.e. 1194 and 1195, even when I allow all traffic to go through...

I switched to UDP, and now I can connect publicly, but the client hangs on receiving server responses, so basically the client can send data packets to the server but the server cannot route back. The OpenVPN server sits behind 2 NAT routers: the first NAT router faces the internet, and the second NAT router has a static IP behind the first and it IS set in the DMZ of the first, internet-facing, router, and I have specific ports forwarded on the second NAT router. However, what confuses me is that I can serve web pages and I can SSH under this configuration but cannot get OpenVPN working properly...

mayotic

1 Answer

I had posted the linked question on the Ubuntu forums and a user did answer my question and it is all fine, but they did not seem to claim credit on here :( so I am linking back to the forums and posting the answer!

I guess I needed the destination port conditional and not source; terminology confusion :)

If I understand correctly (which is often not the case) the SSH daemon is listening on port 50. Try changing this line:

-A INPUT -p tcp -m tcp -i eth0 --sport 50 -j ACCEPT

to this:

-A INPUT -p tcp -m tcp -i eth0 --dport 50 -j ACCEPT

http://ubuntuforums.org/showthread.php?t=1903479

mayotic
So I'm sorry to say but the problem isn't the vpn server configuration, nor iptables, nor my router... IT IS MY ******* ISP http://www.dslreports.com/faq/7288 http://community.spiceworks.com/topi...-ports-blocked [best answer reply] immense frustratio – mayotic Jan 06 '12 at 01:04
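As an added illustration of the --sport/--dport mix-up this answer describes (example code written for this page, not from the thread or the forum reply), the script below scans an iptables-save filter table for INPUT ACCEPT rules that key only on --sport, rewrites them to --dport, and builds the INPUT rules for the listeners named in the question (SSH on 50/tcp, OpenVPN on 1194 and 1195/udp). The leading ESTABLISHED,RELATED state rule is an assumption added here; the question's ruleset does not contain it.

```python
import re

# Constructed sample: the filter table from the question, as the user posted it.
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp -i eth0 --sport 50 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --sport 50 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
COMMIT
"""

# An INPUT ACCEPT rule that tests --sport but never --dport keys on the remote
# client's port. For an inbound SSH or OpenVPN connection that port is an
# ephemeral one chosen by the client, so the rule never admits the traffic
# it was written for and the INPUT DROP policy swallows the connection.
SPORT_ONLY = re.compile(r"^-A INPUT\b(?=.*--sport)(?!.*--dport).*-j ACCEPT\s*$")


def find_sport_only_accepts(ruleset):
    """Return the INPUT ACCEPT rules that match only on the client's source port."""
    return [line for line in ruleset.splitlines() if SPORT_ONLY.match(line)]


def rewrite_to_dport(rule):
    """Re-key a --sport-only rule on the service's listening port instead."""
    return rule.replace("--sport", "--dport")


def audit(ruleset):
    """Map each mistaken rule to its corrected form."""
    return {rule: rewrite_to_dport(rule) for rule in find_sport_only_accepts(ruleset)}


def service_input_rules(services, iface="eth0"):
    """Build INPUT rules for a list of (proto, port) listeners.

    The leading state rule is an assumption (the thread's ruleset lacks it):
    with policy INPUT DROP it lets replies to the host's own outbound
    connections back in. '-m state' exists on iptables 1.3.8.
    """
    rules = [f"-A INPUT -i {iface} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port in services:
        rules.append(f"-A INPUT -p {proto} -m {proto} -i {iface} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for bad, good in audit(SAMPLE_RULES).items():
        print(f"replace: {bad}\n   with: {good}")
    print("\n".join(service_input_rules([("tcp", 50), ("udp", 1194), ("udp", 1195)])))
```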