Thanks newbiefan for your hint, I'll take a closer look at Oleg's website again soon.
Then I added "/usr/sbin/" and "iptables [options] > /tmp/post-firewall.log 2>&1" to my firewall rules. /usr/local/sbin/post-firewall now looks like this:
Code:
#!/bin/sh
echo "post-firewall started:" >> /tmp/start
date >> /tmp/start
# Deleting this rule temporarily and add it again in the end
/usr/sbin/iptables -D INPUT -j DROP >> /tmp/post-firewall.log 2>&1
# OpenVPN access from WAN
/usr/sbin/iptables -A INPUT -p udp --dport 1234 -j ACCEPT >> /tmp/post-firewall.log 2>&1
/usr/sbin/iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1234 -j DNAT --to-destination $4:1234 >> /tmp/post-firewall.log 2>&1
# Allow direct connections between VPN-Clients and Router
/usr/sbin/iptables -A INPUT -i tun+ -j ACCEPT >> /tmp/post-firewall.log 2>&1
/usr/sbin/iptables -A OUTPUT -o tun+ -j ACCEPT >> /tmp/post-firewall.log 2>&1
# Allow connections from VPN-Clients to LAN-Clients
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE >> /tmp/post-firewall.log 2>&1
# Allow connections from LAN-Clients to VPN-Clients
/usr/sbin/iptables -I FORWARD -i tun+ -o br0 -s 10.8.0.0/24 -j ACCEPT >> /tmp/post-firewall.log 2>&1
/usr/sbin/iptables -I FORWARD -i br0 -o tun+ -s 192.168.1.0/24 -j ACCEPT >> /tmp/post-firewall.log 2>&1
# Allow forwarding to/from VPN-Clients (needed at least for ping)
/usr/sbin/iptables -A FORWARD -i tun+ -j ACCEPT >> /tmp/post-firewall.log 2>&1
/usr/sbin/iptables -A FORWARD -o tun+ -j ACCEPT >> /tmp/post-firewall.log 2>&1
# Allow VPN-clients to tunnel internet traffic through VPN-Server
/usr/sbin/iptables -I FORWARD -i tun+ -o vlan1 -s 10.8.0.0/24 -j ACCEPT >> /tmp/post-firewall.log 2>&1
# Drop all other input
/usr/sbin/iptables -A INPUT -j DROP >> /tmp/post-firewall.log 2>&1
echo "post-firewall executed:" >> /tmp/start
date >> /tmp/start
After a reboot, /tmp/post-firewall.log is created but empty. Is that how it should be?
Now back to your questions, Copter and Robert: the Asus router is connected to a cable modem. Three computers, the USB hard disk and a USB printer are attached to the Asus, nothing else. I also have Samba, vsftp and of course openvpn running. Now I want to access this home network through a VPN while on the road. For that I fire up the UMTS card on my laptop.
When I now start the VPN client on the laptop and connect to my router, on which the above /usr/local/sbin/post-firewall is installed, it doesn't work. /opt/var/log/openvpn/openvpn.log shows this:
Code:
Tue Mar 16 00:09:11 2010 MULTI: multi_create_instance called
Tue Mar 16 00:09:11 2010 109.84.131.113:1194 Re-using SSL/TLS context
Tue Mar 16 00:09:11 2010 109.84.131.113:1194 LZO compression initialized
Tue Mar 16 00:09:11 2010 109.84.131.113:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 16 00:09:11 2010 109.84.131.113:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 16 00:09:11 2010 109.84.131.113:1194 Local Options hash (VER=V4): '530fdded'
Tue Mar 16 00:09:11 2010 109.84.131.113:1194 Expected Remote Options hash (VER=V4): '41690919'
Tue Mar 16 00:09:11 2010 109.84.131.113:1194 TLS: Initial packet from 109.84.131.113:1194, sid=fb3d3a2c 2e2e43b8
Tue Mar 16 00:10:11 2010 109.84.131.113:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 16 00:10:11 2010 109.84.131.113:1194 TLS Error: TLS handshake failed
Tue Mar 16 00:10:11 2010 109.84.131.113:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
But if I leave my /usr/local/sbin/post-firewall empty, i.e. start the router without iptables, and after booting start the post-firewall script by hand (which I previously copied to another location), the connection is established:
Code:
Tue Mar 16 00:22:57 2010 OpenVPN 2.1.1 mipsel-linux [SSL] [LZO1] [EPOLL] built on Dec 23 2009
Tue Mar 16 00:22:57 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 16 00:22:58 2010 Diffie-Hellman initialized with 1024 bit key
Tue Mar 16 00:22:58 2010 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 16 00:22:58 2010 TCP/UDP: Socket bind failed on local address [undef]:1234: Address already in use
Tue Mar 16 00:22:58 2010 Exiting
Tue Mar 16 00:23:11 2010 event_wait : Interrupted system call (code=4)
Tue Mar 16 00:23:11 2010 TCP/UDP: Closing socket
Tue Mar 16 00:23:11 2010 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
route: SIOCDELRT: Operation not permitted
Tue Mar 16 00:23:11 2010 ERROR: Linux route delete command failed: external program exited with error status: 1
Tue Mar 16 00:23:11 2010 Closing TUN/TAP interface
Tue Mar 16 00:23:11 2010 /sbin/ifconfig tun0 0.0.0.0
ifconfig: SIOCSIFADDR: Permission denied
Tue Mar 16 00:23:11 2010 Linux ip addr del failed: external program exited with error status: 1
Tue Mar 16 00:23:11 2010 SIGTERM[hard,] received, process exiting
Tue Mar 16 00:23:45 2010 OpenVPN 2.1.1 mipsel-linux [SSL] [LZO1] [EPOLL] built on Dec 23 2009
Tue Mar 16 00:23:45 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 16 00:23:45 2010 Diffie-Hellman initialized with 1024 bit key
Tue Mar 16 00:23:45 2010 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 16 00:23:45 2010 ROUTE default_gateway=81.---.---.1
Tue Mar 16 00:23:45 2010 TUN/TAP device tun0 opened
Tue Mar 16 00:23:45 2010 TUN/TAP TX queue length set to 100
Tue Mar 16 00:23:45 2010 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Mar 16 00:23:46 2010 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Mar 16 00:23:46 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 16 00:23:46 2010 GID set to nobody
Tue Mar 16 00:23:46 2010 UID set to nobody
Tue Mar 16 00:23:46 2010 Socket Buffers: R=[108544->131072] S=[108544->131072]
Tue Mar 16 00:23:46 2010 UDPv4 link local (bound): [undef]:1234
Tue Mar 16 00:23:46 2010 UDPv4 link remote: [undef]
Tue Mar 16 00:23:46 2010 MULTI: multi_init called, r=256 v=256
Tue Mar 16 00:23:46 2010 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Mar 16 00:23:46 2010 IFCONFIG POOL LIST
Tue Mar 16 00:23:46 2010 max,10.8.0.4
Tue Mar 16 00:23:46 2010 client1,10.8.0.8
Tue Mar 16 00:23:46 2010 client2,10.8.0.12
Tue Mar 16 00:23:46 2010 Initialization Sequence Completed
Tue Mar 16 00:24:16 2010 MULTI: multi_create_instance called
Tue Mar 16 00:24:16 2010 109.84.131.113:1194 Re-using SSL/TLS context
Tue Mar 16 00:24:16 2010 109.84.131.113:1194 LZO compression initialized
Tue Mar 16 00:24:16 2010 109.84.131.113:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 16 00:24:16 2010 109.84.131.113:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 16 00:24:16 2010 109.84.131.113:1194 Local Options hash (VER=V4): '530fdded'
Tue Mar 16 00:24:16 2010 109.84.131.113:1194 Expected Remote Options hash (VER=V4): '41690919'
Tue Mar 16 00:24:16 2010 109.84.131.113:1194 TLS: Initial packet from 109.84.131.113:1194, sid=209ce0ca 6f710e82
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 VERIFY OK: depth=1, /C=DE/ST=HE/L=Frankfurt/O=Eppsteiner34/OU=OG4/CN=Weichensteller/emailAddress=mail@birgitundmax.dyndns.org
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 VERIFY OK: depth=0, /C=DE/ST=HE/O=Eppsteiner34/OU=OG4/CN=client2/emailAddress=mail@birgitundmax.dyndns.org
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Mar 16 00:24:18 2010 109.84.131.113:1194 [client2] Peer Connection Initiated with 109.84.131.113:1194
Tue Mar 16 00:24:18 2010 client2/109.84.131.113:1194 MULTI: Learn: 10.8.0.14 -> client2/109.84.131.113:1194
Tue Mar 16 00:24:18 2010 client2/109.84.131.113:1194 MULTI: primary virtual IP for client2/109.84.131.113:1194: 10.8.0.14
Tue Mar 16 00:24:19 2010 client2/109.84.131.113:1194 PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 16 00:24:19 2010 client2/109.84.131.113:1194 SENT CONTROL [client2]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.14 10.8.0.13' (status=1)
Asked as a layman: there shouldn't really be any difference for me whether I run my iptables during or after the router's boot process, should there? Except maybe that the $4 variable isn't set...
Can anyone tell me whether my iptables are even right for my use case at all?
Or have I opened the "barn doors" here?
I actually don't know anything about iptables; I searched for a long time for an example config for the WL500gPv2 and found one in this post: http://wl500g.info/showpost.php?p=134362&postcount=4
Many thanks in advance for your help
hornau
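An empty log at reboot is consistent with how iptables behaves: it prints nothing when a rule is accepted, so with `2>&1` only failures end up in the file. The script below is an added example (not the poster's script or Oleg firmware code) of the same post-firewall script with an argument check, per-command failure logging, and the WAN and tun rules restricted to their interfaces and source networks; it assumes the firmware passes the WAN interface, WAN IP, LAN interface and LAN IP as $1..$4, which this post does not confirm.

```shell
#!/bin/sh
# Added example: a checked variant of the post-firewall script above, not the
# poster's own script or Oleg firmware code. Assumes (unverified) the firmware
# calls it as: post-firewall WAN_IF WAN_IP LAN_IF LAN_IP ($1..$4).
IPT="${IPT:-/usr/sbin/iptables}"
LOG="${LOG:-/tmp/post-firewall.log}"
VPN_PORT=1234 VPN_NET=10.8.0.0/24 LAN_NET=192.168.1.0/24

# Run one iptables command and record failures with their exit code.
# iptables prints nothing on success, so an empty log means every rule
# was accepted, not that the script never ran.
fw() {
    rc=0
    "$IPT" "$@" >>"$LOG" 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || echo "FAILED rc=$rc: $IPT $*" >>"$LOG"
    return "$rc"
}
# Refuse to run with missing interface/address arguments: an empty $4
# would turn "--to-destination $4:1234" into "--to-destination :1234".
check_args() {
    [ -n "$1" ] && [ -n "$3" ] && [ -n "$4" ]
}
apply_rules() {
    wan_if=$1; lan_if=$3; lan_ip=$4
    fw -D INPUT -j DROP                 # re-added last, as in the original
    # OpenVPN reachable from the WAN interface only
    fw -A INPUT -i "$wan_if" -p udp --dport "$VPN_PORT" -j ACCEPT
    fw -t nat -A PREROUTING -i "$wan_if" -p udp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$lan_ip:$VPN_PORT"
    # VPN clients <-> router
    fw -A INPUT -i tun+ -s "$VPN_NET" -j ACCEPT
    fw -A OUTPUT -o tun+ -j ACCEPT
    # VPN <-> LAN and VPN -> internet, with source checks so a tun interface
    # cannot forward packets for addresses outside the VPN pool
    fw -t nat -A POSTROUTING -s "$VPN_NET" -o "$lan_if" -j MASQUERADE
    fw -I FORWARD -i tun+ -o "$lan_if" -s "$VPN_NET" -j ACCEPT
    fw -I FORWARD -i "$lan_if" -o tun+ -s "$LAN_NET" -j ACCEPT
    fw -I FORWARD -i tun+ -o "$wan_if" -s "$VPN_NET" -j ACCEPT
    # replies back into the tunnel instead of a blanket "-o tun+ ACCEPT"
    fw -A FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -j DROP
}
# Only apply rules when invoked by the firmware with its arguments.
if [ $# -ge 4 ]; then
    echo "post-firewall started $(date) args: $*" >>"$LOG"
    check_args "$@" || { echo "FAILED: missing arguments" >>"$LOG"; exit 1; }
    apply_rules "$@"
fi
```

Running the script by hand with the four arguments filled in and then reading /tmp/post-firewall.log shows exactly which rule, if any, the kernel rejected.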