[nos-bbs] IPTABLES for TUN device

Jim Smith lanshark at charter.net
Sat Mar 3 15:41:37 EST 2012


Jose,

  You don’t need a firewall to do what you want.

This is another way to get what you want. First, some info about my linux
install. Slackware 10, single Ethernet interface called Eth0

-- You must have IP Forwarding turned on.
/proc/sys/net/ipv4/ip_forward = 1

-- I set my Ethernet to the following IP address
eth0	Link encap:Ethernet  HWaddr 00:0F:B5:06:3C:6B
         	 inet addr:192.168.1.91  Bcast:192.168.1.255
Mask:255.255.255.0
       	UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

-- The tun0 interface is created and setup by JNOS in the autoexec.nos file
tun0	Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         	 inet addr:192.168.1.93  P-t-P:192.168.1.92
Mask:255.255.255.255
          	UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

>From my autoexec.nos

#
# Create a network interface. This allows us to talk to the linux
# box on which JNOS is running - and in turn - to the internet.
#
##### tun0 attach & ifconfig #####
attach tun tun0 1500 0
ifconfig tun0 ipaddress 192.168.1.92
ifconfig tun0 netmask 255.255.255.0
ifconfig tun0 mtu 1500
#
# Give it a chance to come up
#
pause 2
#
# JNOS creates the TUN device, so JNOS needs to do some post configuration,
# by shelling out to the linux command line and running 'ifconfig' command.
#
shell ifconfig tun0 192.168.1.93 pointopoint 192.168.1.92 mtu 1500 up
# Create the ARP entry needed
shell arp -s 192.168.1.92 00:0F:B5:06:3C:6B pub
##### tun0 attach & ifconfig #####

route add default tun0

>From another set of routes sourced from another file in autoexec.nos

route add default tun0
route add 192.168.1/24 eth0

===============Done===============

===== START NOTES =======

Note what we have done in the autoexec.nos file.
1 We do the attach command which creates our tun0 interface.
2 We give tun0 an IP address, netmask, and MTU
3 We shell out to create the point-to-point tunnel to the world+Linux.
Please note the IP addresses used! The .91 address is the Linux Eth0, the
.92 is the JNOS interface, and the .93 address *is never used* but is
necessary for the building of a P-t-P link. All of these addresses are in
the same subnet.
4 THIS IS KEY! We shell out again and create an ARP entry for the .92
address *using the MAC address for the Linux Eth0 interface*. What we are
doing here is causing the Eth0 interface to answer for any ARP requests for
the .92 IP address.
5 We add a default route to JNOS that says to go out the tunnel.
6 I do the default route again to tun0. I don't know if this is really
necessary, in putting together this email I discovered that it is done
twice.
7 I add a specific network route to the subnet the Linus eth0 interface is
on.

===== END NOTES ======

Here is my route table from Linux
jhs at jnos:/$ netstat -rn
Kernel IP routing table
Destination    	 Gateway         	Genmask
Flags   	MSS 	Window	irtt	Iface
192.168.1.92	0.0.0.0		255.255.255.255 	UH        	0
0          		0 	tun0
192.168.1.0	0.0.0.0		255.255.255.0  		U         	0
0         		0 	eth0
127.0.0.0	0.0.0.0         	255.0.0.0       		U
0 	0          		0 	lo
0.0.0.0		192.168.1.1	0.0.0.0         		UG
0 	0          		0 	eth0
jhs at jnos:/$

Note that there is a route entry for the .92 IP address. This is what routes
the traffic for .92 up the tunnel. This is created by the first shell out
(Note 3). Since this route is P-t-P, the Genmask is 255.255.255.255. This
route is more specific than any other, so traffic for .92 will always head
to the tunnel. Since there is nothing in the tunnel except the other end, no
need for any more routing/forwarding to be done.

I have done this in Ubuntu and Slackware, not tested in Fedora. Things to
watch out for are differences in command parameters used by the different
Linux distros (especially for the ARP command). Also, some distros need
ip_forwarding turned on, others are already turned on. The ARP thing works,
sometimes a distro will require you to set something somewhere so it will
work, but it will work.

It has been noted that you should be root when you start JNOS. I have a file
that is run during boot that starts JNOS on an unused tty. If JNOS dies, it
respawns it automatically. In this manner, JNOS always get started as root.

Cheers!

Jim N8AVX

From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of Jose Ng Lee
Sent: Friday, March 02, 2012 11:59 PM
To: TAPR xNOS Mailing List
Subject: Re: [nos-bbs] IPTABLES for TUN device

Hi Michael,
 
Thanks for the reply, good explanation of Iptables and the references.  Your
right Iptables subject is too broad.
 
My goal for now is to have Linux talk to the Jnos through the tun device and
viceversa.  I was using before Firestarter graphic interface to setup the
firewall.  With the Firestarter disable was able to communicate linux to
Jnos.  Firestarter on was not able to and just couldn't set it up the rules.
 
So, I unistalled Firestarter.  The default Iptables firewall is on now but
couldn't get it to communicate Linux to Jnos.  For an easier way to setup
Iptables, I use Webmin through the web browser to modify the rules.  It got
me confuse how to setup the rules and tried declaring the IP but doesn't
work.  Later, I tried declaring in the Incoming and Outgoing packets to
Accept the packets from the tun0 interface and now is working.  The tun0
interface is only on when jnos is execute so have to declare other interface
and write the name tun0.
 
My next step is to setup the iptables to allow telnet from internet to the
Jnos.  I tried and couldn't telnet to my Jnos from the internet.
 
Thanks,
Jose / HP2AT
----- Original Message ----- 
From: Michael Fox - N6MEF 
To: 'TAPR xNOS Mailing List' 
Sent: Friday, March 02, 2012 10:57 PM
Subject: Re: [nos-bbs] IPTABLES for TUN device

Jose,

It looks like no one has responded to you yet.  That may be because you
asked a rather broad question.  You’ll need to be much more specific about
iptables.

IPtables is for filtering (among other things).  For the best security, you
want to set a default policy of drop and then specify the specific traffic
that you want to allow.  So you need to define those traffic types first,
then translate to iptables rules.  If you define what you want, and take a
stab at writing the rules, there are probably several of us here who would
be happy to help you refine them.

If you’re new to iptables, here’s some background info to get you started:

Iptables has 3 principle filtering tables:  input, forward, output.  Input
is what traffic you want linux to accept coming in on that interface.  In
other words, this is traffic destined for linux that comes in on the tun0
interface.  Forward is for traffic you want linux to allow to pass through
from one interface to another.  This can be two way on the tun0 device.  For
example, you may want to allow certain ICMP traffic to go out from JNOS,
through Linux, to the internet, but not allow incoming traffic of that type
from the internet to reach JNOS.  So you need to define what traffic do you
want to allow linux to forward from other interfaces TO tun0  and what
traffic do you want linux to forward FROM tun0 to other interfaces.  Output
is for what traffic you want linux to be able to originate on that
interface.  

To specify the traffic types, you’ll need to define if they’re IP, TCP,
ICMP, etc., which ports (line TCP port 23 for default telnet, etc.), and
possibily which source and/or destination addresses to allow to send that
traffic.  For example, you may want to allow linux to forward telnet to JNOS
as long as it is from a 44.x address, but not from other addresses.

Once you have figured out what traffic you want to allow, here are three
good references to help write the rules:

https://help.ubuntu.com/community/IptablesHowTo
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html  (this is
how I learned – it has some good templates)
O’Reilly iptables pocket reference: 
http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/r
ef=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell  

Michael
N6MEF


From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf
Of Jose Ng Lee
Sent: Friday, March 02, 2012 11:20 AM
To: TAPR xNOS Mailing List
Subject: [nos-bbs] IPTABLES for TUN device

Hi,
 
Anyone can help me with a sample IPTABLES configuration that works with TUN
device.
 
Thanks,
Jose / HP2AT
________________________________________
_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs






More information about the nos-bbs mailing list