[nos-bbs] IPTABLES for TUN device

Michael Fox - N6MEF n6mef at mefox.org
Sat Mar 3 00:45:47 EST 2012


o.k.

 

The rules in the iptables configuration file are read in order and the first
match wins.  So you need something like this in your forward table, but
location will be dependent on the other rules you have configured there.
(Note the double dashes for "dport" and the second "state")

 

# allow forwarding of TCP port 23 (telnet) from eth0 to tun0
# if you don't care about the source interface for traffic to JNOS, remove
# the -i option
iptables -A FORWARD -p TCP --dport 23 -i eth0 -o tun0 -j ACCEPT

# allow forwarding of TCP port 23 (telnet) from tun0 to eth0
# if you don't care about the destination interface for traffic from JNOS,
# remove the -o option.
iptables -A FORWARD -p TCP --dport 23 -i tun0 -o eth0 -j ACCEPT

# allow forwarding of "reply" traffic (any traffic that is allowed to start
# will be allowed to be replied to)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 

The first two rules allow traffic to be initiated in the defined direction.
The third rule allows replies.

 

The -A means append.  So it will place these rules after your other rules.
If you have a "drop everything else" rule at the end of your chain, you want
to put this before the drop.

 

If you're using a different port for telnet, change dport above.

 

The above should get you in the ballpark.  Adjust to suit your specific
needs.

 

You will also want to protect against SYN, DOS, and other types of attacks.
You'll also want to establish logging so you can see what's wrong when
traffic doesn't go through.  This is covered in the iptables tutorial I
mentioned before.

 

Michael

N6MEF

 

 

From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of Jose Ng Lee
Sent: Friday, March 02, 2012 8:59 PM
To: TAPR xNOS Mailing List
Subject: Re: [nos-bbs] IPTABLES for TUN device

 

Hi Michael,

 

Thanks for the reply, good explanation of Iptables and the references.  You're
right, the Iptables subject is too broad.

 

My goal for now is to have Linux talk to the Jnos through the tun device and
vice versa.  I was using the Firestarter graphic interface before to set up the
firewall.  With Firestarter disabled I was able to communicate from Linux to
Jnos.  With Firestarter on I was not able to, and just couldn't set up the rules.

 

So, I uninstalled Firestarter.  The default Iptables firewall is on now but I
couldn't get it to communicate from Linux to Jnos.  For an easier way to set up
Iptables, I use Webmin through the web browser to modify the rules.  It got
me confused how to set up the rules, and I tried declaring the IP but it doesn't
work.  Later, I tried declaring in the Incoming and Outgoing packets to
Accept the packets from the tun0 interface and now it is working.  The tun0
interface is only on when jnos is executed, so I have to declare "other interface"
and write the name tun0.

 

My next step is to setup the iptables to allow telnet from internet to the
Jnos.  I tried and couldn't telnet to my Jnos from the internet.

 

Thanks,

Jose / HP2AT

----- Original Message ----- 

From: Michael Fox - N6MEF <mailto:n6mef at mefox.org>  

To: 'TAPR xNOS Mailing List' <mailto:nos-bbs at tapr.org>  

Sent: Friday, March 02, 2012 10:57 PM

Subject: Re: [nos-bbs] IPTABLES for TUN device

 

Jose,

 

It looks like no one has responded to you yet.  That may be because you
asked a rather broad question.  You'll need to be much more specific about
iptables.

 

IPtables is for filtering (among other things).  For the best security, you
want to set a default policy of drop and then specify the specific traffic
that you want to allow.  So you need to define those traffic types first,
then translate to iptables rules.  If you define what you want, and take a
stab at writing the rules, there are probably several of us here who would
be happy to help you refine them.

 

If you're new to iptables, here's some background info to get you started:

 

Iptables has 3 principal filtering tables:  input, forward, output.  Input
is what traffic you want linux to accept coming in on that interface.  In
other words, this is traffic destined for linux that comes in on the tun0
interface.  Forward is for traffic you want linux to allow to pass through
from one interface to another.  This can be two way on the tun0 device.  For
example, you may want to allow certain ICMP traffic to go out from JNOS,
through Linux, to the internet, but not allow incoming traffic of that type
from the internet to reach JNOS.  So you need to define what traffic do you
want to allow linux to forward from other interfaces TO tun0  and what
traffic do you want linux to forward FROM tun0 to other interfaces.  Output
is for what traffic you want linux to be able to originate on that
interface.

 

To specify the traffic types, you'll need to define if they're IP, TCP,
ICMP, etc., which ports (like TCP port 23 for default telnet, etc.), and
possibly which source and/or destination addresses to allow to send that
traffic.  For example, you may want to allow linux to forward telnet to JNOS
as long as it is from a 44.x address, but not from other addresses.

 

Once you have figured out what traffic you want to allow, here are three
good references to help write the rules:

 

https://help.ubuntu.com/community/IptablesHowTo

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html  (this is
how I learned - it has some good templates)

O'Reilly iptables pocket reference:
http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell

 

Michael

N6MEF
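The following is an added example, not code from the thread: it turns the advice in Michael's two messages (the ordered FORWARD rules and "drop everything else" from the first, the INPUT/FORWARD split and the "only from a 44.x address" restriction from the second) into one iptables-restore ruleset. Interface names, telnet port and source network are parameters; 44.0.0.0/8 as the meaning of "44.x" is an assumption, and gen_ruleset / check_order are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore
# ruleset following the advice above: default DROP policy, telnet (TCP/23)
# forwarded between the LAN interface and tun0, replies allowed, telnet
# toward JNOS accepted only from 44.0.0.0/8 (assumed meaning of "44.x"),
# and every ACCEPT placed above the final LOG/DROP because first match wins.
# Parameters: LAN interface, tun interface, telnet port, allowed source net.
gen_ruleset() {
  lan=${1:-eth0}; tun=${2:-tun0}; port=${3:-23}; src=${4:-44.0.0.0/8}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to anything already allowed, on both chains.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# INPUT is traffic for Linux itself: loopback, and pings from JNOS on $tun.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $tun -p icmp -j ACCEPT
# FORWARD: new telnet toward JNOS only from $src; new telnet from JNOS out.
-A FORWARD -i $lan -o $tun -p tcp --dport $port -s $src -m state --state NEW -j ACCEPT
-A FORWARD -i $tun -o $lan -p tcp --dport $port -m state --state NEW -j ACCEPT
# Log what is about to be dropped (rate-limited so a flood cannot fill the
# log), then the explicit "drop everything else" rule.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A INPUT -j DROP
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
-A FORWARD -j DROP
COMMIT
EOF
}

# Ordering check: an ACCEPT appended after the "drop everything else" rule
# can never match, so reject the ruleset if any FORWARD ACCEPT follows DROP.
check_order() {
  gen_ruleset "$@" | awk '
    /^-A FORWARD/ && /-j DROP/ { seen_drop = 1 }
    /^-A FORWARD/ && /-j ACCEPT/ && seen_drop { bad = 1 }
    END { if (bad) exit 1; exit 0 }'
}

# Usage: sh rules.sh [lan] [tun] [port] [src] | sudo iptables-restore
check_order "$@" && gen_ruleset "$@"
```

Dropped packets show up in the kernel log with the IN-DROP: / FWD-DROP: prefixes, which is the logging the thread recommends for finding out why traffic is not getting through.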

 

 

From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of Jose Ng Lee
Sent: Friday, March 02, 2012 11:20 AM
To: TAPR xNOS Mailing List
Subject: [nos-bbs] IPTABLES for TUN device

 

Hi,

 

Anyone can help me with a sample IPTABLES configuration that works with TUN
device.

 

Thanks,

Jose / HP2AT


_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs
