iptables Question
I have a CentOS 5.7 VM I use for secure communications. It has an interface to my private LAN (eth0) and a secure VPN interface using OpenVPN (tun0). I use the following iptables script to lock this box down so it can only talk through the VPN tunnel except for a couple of local services I need. Everything works great with one exception. I'm trying to mount an NFS filesystem on a NAS that resides at 172.16.1.14 (my private LAN). It doesn't work with my current rules. If I disable the firewall the mount works perfectly. I'm not an iptables guru and can't figure out what I'm doing wrong. Any help is appreciated. Thanks.

My firewall setup script ...

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
#
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#
# Allow DNS non-VPN traffic just to get the VPN established
#
iptables -A OUTPUT -p tcp --dport domain -j ACCEPT
iptables -A OUTPUT -p udp --dport domain -j ACCEPT
#
# Allow all traffic for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Allow all traffic through the vpn interface
#
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
#
# Allow port 1194 through all interfaces
#
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
#
# Allow traffic to specific hosts on LAN
#
iptables -A INPUT -i eth0 -s 172.16.1.14 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 172.16.1.14 -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
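The line that blocks the mount is the OUTPUT rule for the NAS. A packet the VM sends to the NAS carries the NAS address as its destination, not its source, so `-A OUTPUT -o eth0 -s 172.16.1.14` never matches and the OUTPUT DROP policy eats the mount request; the INPUT rule is correct because inbound packets from the NAS do have it as source. Below is a corrected version of the script as an added example, not the poster's code. Besides switching that rule to `-d`, it accepts OUTPUT on lo (the posted script only accepts INPUT on lo, so anything sent to 127.0.0.1, including the local RPC services an NFS client uses for locking, is dropped), adds the ESTABLISHED,RELATED rule to OUTPUT as well as INPUT, sets the default-deny policies before flushing, and pins the cleartext DNS and OpenVPN rules to eth0 (tun0 is already wide open). The helper names (`ipt`, `apply_rules`, `render_rules`) and the `DRY_RUN` switch are this example's own; with no arguments it only prints the rules, and `--apply` loads them.

```shell
#!/bin/sh
# Added example, not the poster's script: the same lock-down policy with the
# OUTPUT side corrected. Helper names (ipt, apply_rules, render_rules) and the
# DRY_RUN switch are this example's own. With no arguments it only prints the
# rules; run it as root with --apply on the VM to load them.

NAS="${NAS:-172.16.1.14}"   # the LAN NAS from the question
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or in dry-run mode print the command that would have run.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

apply_rules() {
    # Default-deny first, then flush, so the box is never open mid-script.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F

    # Loopback in BOTH directions. The posted script accepts INPUT on lo but
    # lets the OUTPUT DROP policy drop everything sent to 127.0.0.1, which
    # breaks local RPC (portmapper, statd/lockd) that the NFS client relies on.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections we accepted, on both chains.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH in from the LAN only (new connections; replies are covered above).
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Only DNS and the OpenVPN handshake may leave eth0 in the clear.
    ipt -A OUTPUT -o "$LAN_IF" -p udp --dport 53   -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -p tcp --dport 53   -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -p udp --dport 1194 -j ACCEPT

    # Anything goes through the tunnel.
    ipt -A INPUT  -i "$VPN_IF" -j ACCEPT
    ipt -A OUTPUT -o "$VPN_IF" -j ACCEPT

    # The NAS. Packets we SEND to it carry the NAS as destination, so the
    # OUTPUT rule must match -d, not -s: the posted "-o eth0 -s 172.16.1.14"
    # never matches an outgoing packet, so the mount request is dropped.
    ipt -A INPUT  -i "$LAN_IF" -s "$NAS" -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -d "$NAS" -j ACCEPT
}

# Print the rule set without touching the kernel (for review and testing).
render_rules() {
    ( DRY_RUN=1; apply_rules )
}

case "${1:-}" in
    --apply)
        apply_rules
        /sbin/service iptables save
        /sbin/iptables -L -v -n
        ;;
    *)
        render_rules
        ;;
esac
```

The NAS rules stay per-host accept-all on purpose: NFSv3 over portmapper uses mountd, lockd and statd on ports assigned at start-up, so pinning 111 and 2049 alone would break the mount unless the NAS lets those daemons be fixed to known ports, in which case tightening to those ports is the next step. To confirm which rule is dropping a packet on a box like this, watch the per-rule counters with `iptables -L OUTPUT -v -n` while retrying the mount, or temporarily append a `-j LOG` rule to OUTPUT just before the policy applies.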