<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jose,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It looks like no one has responded to you yet. That may be because you asked a rather broad question. You’ll need to be much more specific about iptables.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>IPtables is for filtering (among other things). For the best security, you want to set a default policy of drop and then specify the specific traffic that you want to allow. So you need to define those traffic types first, then translate to iptables rules. If you define what you want, and take a stab at writing the rules, there are probably several of us here who would be happy to help you refine them.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you’re new to iptables, here’s some background info to get you started:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Iptables has 3 principle filtering tables: input, forward, output. Input is what traffic you want linux to accept coming in on that interface. In other words, this is traffic destined for linux that comes in on the tun0 interface. Forward is for traffic you want linux to allow to pass through from one interface to another. This can be two way on the tun0 device. For example, you may want to allow certain ICMP traffic to go out from JNOS, through Linux, to the internet, but not allow incoming traffic of that type from the internet to reach JNOS. So you need to define what traffic do you want to allow linux to forward from other interfaces TO tun0 and what traffic do you want linux to forward FROM tun0 to other interfaces. Output is for what traffic you want linux to be able to originate on that interface. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>To specify the traffic types, you’ll need to define if they’re IP, TCP, ICMP, etc., which ports (line TCP port 23 for default telnet, etc.), and possibily which source and/or destination addresses to allow to send that traffic. For example, you may want to allow linux to forward telnet to JNOS as long as it is from a 44.x address, but not from other addresses.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Once you have figured out what traffic you want to allow, here are three good references to help write the rules:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="https://help.ubuntu.com/community/IptablesHowTo">https://help.ubuntu.com/community/IptablesHowTo</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html">http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html</a> (this is how I learned – it has some good templates)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>O’Reilly iptables pocket reference: <a href="http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell">http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell</a> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Michael<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>N6MEF<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> nos-bbs-bounces@tapr.org [mailto:nos-bbs-bounces@tapr.org] <b>On Behalf Of </b>Jose Ng Lee<br><b>Sent:</b> Friday, March 02, 2012 11:20 AM<br><b>To:</b> TAPR xNOS Mailing List<br><b>Subject:</b> [nos-bbs] IPTABLES for TUN device<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif"'>Hi,</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif"'>Anyone can help me with a sample IPTABLES configuration that works with TUN device.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif"'>Thanks,</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif"'>Jose / HP2AT</span><o:p></o:p></p></div></div></body></html>