[SlugBug] Simple Firewall question
Alan Dawson
aland at burngreave.net
Sun Oct 8 12:34:13 BST 2006
AARRGGHH..
Help .. what's broken here ..
I'm trying to only allow outgoing packets from VPN clients.
Here is my iptables script
<!-- Start -->
echo "1" > /proc/sys/net/ipv4/ip_forward
IPTABLES=/usr/sbin/iptables
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
# Local LAN
$IPTABLES -A FORWARD -i vlan0 -j ACCEPT
$IPTABLES -A FORWARD -o vlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o vlan0 -j DROP
# Local VPN clients
$IPTABLES -A FORWARD -i openvpn0 -o vlan1 -j ACCEPT
#NAT everything outgoing
$IPTABLES -t nat -A POSTROUTING -o vlan1 -j MASQUERADE
echo 'Starting Firewall'
<!-- Finish -->
But it doesn't work :-(
If I change the default FORWARD policy to ACCEPT .. of course outgoing from
openvpn0 is allowed.
Can anybody show me the mistake?
Cheers,
AED
--
"If you make decisions about software -- or anything -- based solely on
short-term cost and benefit, someone with a longer view can easily
manoeuver you into a trap from which it is hard to escape."
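The posted FORWARD chain accepts VPN traffic going out on vlan1 but has no rule for the replies coming back in on vlan1 and out on openvpn0, so they fall through to the DROP policy; the LAN gets such a rule (-o vlan0 ESTABLISHED,RELATED), the VPN does not. The following shell example is added here and is not from the post: it models the posted chain as plain data, walks an outbound VPN packet and its reply through it, and shows the one rule that closes the gap. Interface names vlan0, vlan1 and openvpn0 are the post's; the rule table and packets are constructed.

```shell
#!/bin/sh
# Added example (not from the post): a tiny model of the posted FORWARD chain,
# so it can be walked through without root or a live iptables.
# Each rule line is "in_if out_if states target"; "*" matches anything.
# Order is the post's order; the chain policy is DROP.
POSTED_RULES='
vlan0 * * ACCEPT
* vlan0 ESTABLISHED,RELATED ACCEPT
* vlan0 * DROP
openvpn0 vlan1 * ACCEPT
'
# The same chain plus the missing return-path rule, which in iptables is:
#   $IPTABLES -A FORWARD -o openvpn0 -m state --state ESTABLISHED,RELATED -j ACCEPT
FIXED_RULES="$POSTED_RULES
* openvpn0 ESTABLISHED,RELATED ACCEPT
"

# forward_verdict RULES in_if out_if state
# Prints the target of the first matching rule, or DROP (the policy) if none.
forward_verdict() {
    verdict=DROP
    while read -r rin rout rstates target; do
        [ -n "$target" ] || continue                       # skip blank lines
        [ "$rin" = '*' ] || [ "$rin" = "$2" ] || continue  # -i match
        [ "$rout" = '*' ] || [ "$rout" = "$3" ] || continue # -o match
        case "$rstates" in                                 # --state match
            '*' | *"$4"*) ;;
            *) continue ;;
        esac
        verdict=$target
        break
    done <<EOF
$1
EOF
    printf '%s\n' "$verdict"
}

# A VPN client's first outbound packet and the server's reply, through both chains.
echo "posted: openvpn0->vlan1 NEW          $(forward_verdict "$POSTED_RULES" openvpn0 vlan1 NEW)"
echo "posted: vlan1->openvpn0 ESTABLISHED  $(forward_verdict "$POSTED_RULES" vlan1 openvpn0 ESTABLISHED)"
echo "fixed:  vlan1->openvpn0 ESTABLISHED  $(forward_verdict "$FIXED_RULES" vlan1 openvpn0 ESTABLISHED)"
echo "fixed:  vlan1->openvpn0 NEW          $(forward_verdict "$FIXED_RULES" vlan1 openvpn0 NEW)"
```

The last line shows that the added rule still leaves unsolicited inbound traffic towards the VPN clients at the DROP policy; only replies to connections they opened are let back through.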