Difference between revisions of "Firewall VPN"

Line 35: Line 35:
 
echo -e "-------------------------------------- "
 
echo -e "-------------------------------------- "
  
# Allow devices communication $ETH0 <--> tun0
+
# VPN
$IPTABLES -t nat -A POSTROUTING -s $LAN_ADDRESS_VPN -o $INT_ETH -j MASQUERADE
 
$IPTABLES -A FORWARD -s $LAN_ADDRESS_VPN -j ACCEPT
 
 
 
 
echo -e " ... Allow VPN connections"
 
echo -e " ... Allow VPN connections"
 
$IPTABLES -A INPUT -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT
 
$IPTABLES -A INPUT -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT
 
$IPTABLES -A OUTPUT -p tcp --dport $VPN_PORT -j ACCEPT
 
$IPTABLES -A OUTPUT -p tcp --dport $VPN_PORT -j ACCEPT
 
+
echo -e " ... Allow everything to go through VPN - all INPUT,OUTPUT,FORWARD"
+
echo -e " ... Allow$GREEN VPN$BLACK - all packets type INPUT,OUTPUT,FORWARD"
 
$IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
 
$IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
 
$IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT
 
$IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT
 
$IPTABLES -A FORWARD -o $INT_VPN -m state ! --state INVALID -j ACCEPT
 
$IPTABLES -A FORWARD -o $INT_VPN -m state ! --state INVALID -j ACCEPT
  
echo -e " ... Allow VPN network communication (required for client <> client comm.)"
+
# Allow forwarding
$IPTABLES -A INPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT
+
echo -e " ... Enable VPN forwarding"
$IPTABLES -A OUTPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT
+
$IPTABLES -A FORWARD -s $IP_LAN_VPN -j ACCEPT
 +
$IPTABLES -A FORWARD -i $INT_VPN -o $INT_ETH -j ACCEPT
 +
$IPTABLES -A FORWARD -i $INT_ETH -o $INT_VPN -j ACCEPT
 +
 
 +
# Allow devices communication $ETH0 <--> tun0
 +
$IPTABLES -t nat -A POSTROUTING -s $IP_LAN_VPN -o $INT_ETH -j MASQUERADE
 +
 
 +
# Allow VPN clients data exchange
 +
echo -e " ... Allow$GREEN VPN clients communication$BLACK"
 +
$IPTABLES -A INPUT -s $IP_LAN_VPN -d $IP_LAN_VPN -m state ! --state INVALID -j ACCEPT
 +
$IPTABLES -A OUTPUT -s $IP_LAN_VPN -d $IP_LAN_VPN -m state ! --state INVALID -j ACCEPT
 +
 
 +
####### Add route(s) to remote network(s)
 +
# You must add a new route for each network you'd like to access through the VPN server!
 +
# The VPN server must be able to reach the remote network! (otherwise it cannot acts as a GW !)
 +
# route add -net <network>/<mask> gw <VPN_SERVER_ETH_IP>
 +
#######
 +
echo " "
 +
echo " ... adding VPN route(s) between VPN server and remote LAN(s)"
 +
route add -net 192.168.12.0/24 gw 192.168.1.45
 +
 
 
</syntaxhighlight>
 
</syntaxhighlight>
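Review bot: The renamed `$IP_LAN_VPN` used by the added FORWARD, POSTROUTING, INPUT and OUTPUT rules is never assigned in this script — the variable defined and printed at the top is `LAN_ADDRESS_VPN`, which the replaced rules used — so each of those rules is built with an empty `-s`/`-d` argument and iptables rejects it, leaving the VPN subnet neither forwarded nor masqueraded (or, if an `IP_LAN_VPN` happens to be inherited from the environment, an unintended network is). Either rename the definition (`IP_LAN_VPN="172.16.60.0/24"`) or keep `-s $LAN_ADDRESS_VPN` in the rules, and use one name consistently. The added `$IPTABLES -A FORWARD -i $INT_ETH -o $INT_VPN -j ACCEPT` also lacks the `-m state ! --state INVALID` match that the preceding `-o $INT_VPN` rule applies, so INVALID packets skipped by that rule are accepted one rule later; the rule is otherwise redundant with it and can be dropped. The hard-coded `route add -net 192.168.12.0/24 gw 192.168.1.45` should read its network and gateway from variables next to `LAN_ADDRESS_VPN`, as the comment above it already tells readers to adapt it. The enclosing script starts before and continues after this hunk.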

Revision as of 10:17, 26 November 2014


What is a VPN?

See What is a VPN?


VPN firewall

Adjust the following to your own port, network ID and protocol:

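# VPN section of the firewall script: accepts the VPN listener port, lets
# traffic flow between the VPN tunnel ($INT_VPN) and the LAN ($INT_ETH),
# NATs VPN clients behind the LAN interface and adds routes to remote
# networks reached through the VPN server.
#
# Requires: root, iptables, route (net-tools). $GREEN / $BLACK are optional
# colour escape variables that the enclosing script may set; they default
# to empty here so the messages still print when they are unset.
# Adjust the INT_*, VPN_* and LAN_ADDRESS_VPN values to your own setup.

IPTABLES=$(command -v iptables)
if [ -z "$IPTABLES" ]; then
  # Without this check every rule below would silently turn into "-A ...",
  # i.e. the firewall would end up with no VPN rules at all.
  printf '%s\n' "iptables not found in PATH" >&2
  exit 1
fi

INT_ETH=eth0
# IPv4 address of the LAN interface, parsed from ifconfig. Not used by the
# rules in this section; kept for the rest of the firewall script.
# shellcheck disable=SC2034
IP_LAN_ETH=$(/sbin/ifconfig "$INT_ETH" | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

INT_VPN=tun0
VPN_PORT="8080"
VPN_PROTOCOL="udp"
# Address range handed out to VPN clients. This is the single name used by
# every rule below (the rules previously referenced an undefined IP_LAN_VPN,
# which produced rules with an empty -s/-d argument).
LAN_ADDRESS_VPN="172.16.60.0/24"

# Remote network(s) reachable through the VPN server (space-separated list;
# one route is added per entry) and the LAN-side address of that server,
# which acts as the gateway for them.
VPN_REMOTE_NETWORKS="192.168.12.0/24"
VPN_REMOTE_GW="192.168.1.45"

printf ' \n'
printf '%s\n' "------------------------"
printf '%s\n' " VPN configuration"
printf '%s\n' "------------------------"

printf ' \n'
printf '%s\n' "# VPN interface  : $INT_VPN"
printf '%s\n' "# VPN IP @       : $LAN_ADDRESS_VPN"
printf '%s\n' "# VPN port       : $VPN_PORT"
printf '%s\n' "# VPN protocol   : $VPN_PROTOCOL"
printf '%s\n' "-------------------------------------- "

# VPN
printf '%s\n' " ... Allow VPN connections"
# Incoming VPN traffic on the configured protocol/port.
"$IPTABLES" -A INPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT
# Outgoing connections to a VPN peer on the same port. This must use
# $VPN_PROTOCOL as well; a hard-coded "tcp" here never matches a udp VPN.
"$IPTABLES" -A OUTPUT -p "$VPN_PROTOCOL" --dport "$VPN_PORT" -j ACCEPT

# %b keeps echo -e's escape handling for the colour variables.
printf '%b\n' " ... Allow${GREEN:-} VPN${BLACK:-} - all packets type INPUT,OUTPUT,FORWARD"
# Everything arriving on or leaving through the tunnel is accepted unless
# conntrack classifies it as INVALID. No NEW/ESTABLISHED distinction is
# made: the tunnel is treated as a trusted interface.
"$IPTABLES" -A INPUT -i "$INT_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A FORWARD -o "$INT_VPN" -m state ! --state INVALID -j ACCEPT

# Allow forwarding
printf '%s\n' " ... Enable VPN forwarding"
# Packets from VPN clients may be forwarded anywhere (the LAN and, via the
# MASQUERADE rule below, beyond). LAN -> tunnel is already covered by the
# "FORWARD -o $INT_VPN" rule above, so no separate unconditional rule is
# added for it: such a rule would also accept the INVALID packets that
# rule deliberately skips.
"$IPTABLES" -A FORWARD -s "$LAN_ADDRESS_VPN" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INT_VPN" -o "$INT_ETH" -j ACCEPT

# Allow devices communication $INT_ETH <--> $INT_VPN: hide VPN client
# addresses behind the LAN interface so LAN devices can answer them.
"$IPTABLES" -t nat -A POSTROUTING -s "$LAN_ADDRESS_VPN" -o "$INT_ETH" -j MASQUERADE

# Allow VPN clients data exchange (client <-> client through the server)
printf '%b\n' " ... Allow${GREEN:-} VPN clients communication${BLACK:-}"
"$IPTABLES" -A INPUT -s "$LAN_ADDRESS_VPN" -d "$LAN_ADDRESS_VPN" -m state ! --state INVALID -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$LAN_ADDRESS_VPN" -d "$LAN_ADDRESS_VPN" -m state ! --state INVALID -j ACCEPT

####### Add route(s) to remote network(s)
# One route is added for each network listed in VPN_REMOTE_NETWORKS.
# The VPN server must itself be able to reach that network, otherwise it
# cannot act as the gateway. Equivalent manual command:
#   route add -net <network>/<mask> gw <VPN_SERVER_ETH_IP>
#######
printf ' \n'
printf '%s\n' " ... adding VPN route(s) between VPN server and remote LAN(s)"
# Word-splitting on the list is intended here.
# shellcheck disable=SC2086
for vpn_remote_net in $VPN_REMOTE_NETWORKS; do
  route add -net "$vpn_remote_net" gw "$VPN_REMOTE_GW"
done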