Ich habe zwischen meinen beiden Rechnern via OpenVPN einen Tunnel aufgebaut.
Der Client kann sowohl Server als auch Server-Tunnelende pingen, mit nem Route-Eintrag bekommt er auch DNS Anfragen richtig aufgelöst (PING heise.de (193.99.144.80) 56(84) bytes of data.).
Jedoch geht weder der ping noch telnet noch ssh noch sonnst irgendetwas ins Internet.
Das Netzwerk ist wie folgt aufgebaut:
Server
eth0 = LAN, 192.168.0.1
eth1 = DSL
tun0 = 10.0.0.1
iptables server:
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j DROP
/proc/sys/net/ipv4/ip_forward 1
Client:
eth0 = LAN, 192.168.0.3
tun0 = 10.0.0.2
OpenVPN Configs:
Server:
dev tun0
port 5000
remote 192.168.0.3
ifconfig 10.0.0.1 10.0.0.2
secret /etc/openvpn/openvpn.sec
tun-mtu 1500
fragment 1500
mssfix
Client:
dev tun0
port 5000
remote 192.168.0.1
ifconfig 10.0.0.2 10.0.0.1
secret /etc/openvpn/openvpn.sec
tun-mtu 1500
fragment 1500
mssfix
route-gateway 10.0.0.1
route 0.0.0.0 0.0.0.0
Weiss jemand woran das liegen könnte?
OpenVPN und Routing
OpenVPN und Routing
Desktop: Debian SID / Kernel 2.6.11-ck3 / Xorg 6.8.2
Laptop: Debian SID / Kernel 2.6.7 / Xorg 6.8.2 @ HP NX7010 WSXGA+
Laptop: Debian SID / Kernel 2.6.7 / Xorg 6.8.2 @ HP NX7010 WSXGA+
route war korrekt, scheinbar wars wirklich n reines iptables Problem am server
[code]
# Generated by iptables-save v1.2.11 on Fri Apr 29 19:05:57 2005
*mangle
:PREROUTING ACCEPT [1462646:1234281354]
:INPUT ACCEPT [960092:797529010]
:FORWARD ACCEPT [502525:436750952]
:OUTPUT ACCEPT [970341:557630178]
:POSTROUTING ACCEPT [1772942:1000574012]
COMMIT
# Completed on Fri Apr 29 19:05:57 2005
# Generated by iptables-save v1.2.11 on Fri Apr 29 19:05:57 2005
*filter
:INPUT ACCEPT [89886:119787659]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1048588:564425226]
:block - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 153 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j block
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j ACCEPT
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Fri Apr 29 19:05:57 2005
# Generated by iptables-save v1.2.11 on Fri Apr 29 19:05:57 2005
*nat
:PREROUTING ACCEPT [12665:789616]
:POSTROUTING ACCEPT [38788:2437733]
:OUTPUT ACCEPT [44806:3209430]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 29 19:05:57 2005
[/code]
[code]
# Generated by iptables-save v1.2.11 on Fri Apr 29 19:05:57 2005
*mangle
:PREROUTING ACCEPT [1462646:1234281354]
:INPUT ACCEPT [960092:797529010]
:FORWARD ACCEPT [502525:436750952]
:OUTPUT ACCEPT [970341:557630178]
:POSTROUTING ACCEPT [1772942:1000574012]
COMMIT
# Completed on Fri Apr 29 19:05:57 2005
# Generated by iptables-save v1.2.11 on Fri Apr 29 19:05:57 2005
*filter
:INPUT ACCEPT [89886:119787659]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1048588:564425226]
:block - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 153 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j block
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j ACCEPT
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Fri Apr 29 19:05:57 2005
# Generated by iptables-save v1.2.11 on Fri Apr 29 19:05:57 2005
*nat
:PREROUTING ACCEPT [12665:789616]
:POSTROUTING ACCEPT [38788:2437733]
:OUTPUT ACCEPT [44806:3209430]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 29 19:05:57 2005
[/code]
Desktop: Debian SID / Kernel 2.6.11-ck3 / Xorg 6.8.2
Laptop: Debian SID / Kernel 2.6.7 / Xorg 6.8.2 @ HP NX7010 WSXGA+
Laptop: Debian SID / Kernel 2.6.7 / Xorg 6.8.2 @ HP NX7010 WSXGA+