<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>o.k.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The rules in the iptables configuration file are read in order and the first match wins. So you need something like this in your forward table, but location will be dependent on the other rules you have configured there. (Note the double dashes for “dport” and the second “state”)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'># allow forwarding of TCP port 23 (telnet) from eth0 to tun0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'># if you don’t care about the source interface for traffic to JNOS, remove the –i option<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>iptables –A FORWARD –p TCP --dport 23 –i eth0 -o tun0 –j ACCEPT<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'># allow forwarding of TCP port 23 (telnet) from tun0 to eth0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'># if you don’t care about the destination port for traffic from JNOS, remove the –o option.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>iptables –A FORWARD –p TCP --dport 23 –i tun0 -o eth0 –j ACCEPT<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'># allow forwarding of “reply” traffic (any traffic that is allowed to start will be allowed to by replied to)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>iptables –A FORWARD –m state --state ESTABLISHED,RELATED –j ACCEPT<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The first two rules allow traffic to be initiated in the defined direction. The third rule allows replies.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The –A means append. So it will place these rules after your other rules. If you have a “drop everything else” rule at the end of your chain, you want to put this before the drop.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you’re using a different port for telnet, change dport above.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The above should get you in the ballpark. Adjust to suite your specific needs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You will also want to protect against SYN, DOS, and other types of attacks. You’ll also want to establish logging so you can see what’s wrong when traffic doesn’t go through. This is covered in the iptables tutorial I mentioned before.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Michael<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>N6MEF<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> nos-bbs-bounces@tapr.org [mailto:nos-bbs-bounces@tapr.org] <b>On Behalf Of </b>Jose Ng Lee<br><b>Sent:</b> Friday, March 02, 2012 8:59 PM<br><b>To:</b> TAPR xNOS Mailing List<br><b>Subject:</b> Re: [nos-bbs] IPTABLES for TUN device<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif";color:windowtext'>Hi Michael,</span><span style='color:windowtext'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='color:windowtext'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif";color:windowtext'>Thanks for the reply, good explanation of Iptables and the references. Your right Iptables subject is too broad.</span><span style='color:windowtext'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='color:windowtext'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif";color:windowtext'>My goal for now is to have Linux talk to the Jnos through the tun device and viceversa. I was using before Firestarter graphic interface to setup the firewall. With the Firestarter disable was able to communicate linux to Jnos. Firestarter on was not able to and just couldn't set it up the rules.</span><span style='color:windowtext'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='color:windowtext'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif";color:windowtext'>So, I unistalled Firestarter. The default Iptables firewall is on now but couldn't get it to communicate Linux to Jnos. For an easier way to setup Iptables, I use Webmin through the web browser to modify the rules. It got me confuse how to setup the rules and tried declaring the IP but doesn't work. Later, I tried declaring in the Incoming and Outgoing packets to Accept the packets from the tun0 interface and now is working. The tun0 interface is only on when jnos is execute so have to declare other interface and write the name tun0.</span><span style='color:windowtext'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='color:windowtext'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif";color:windowtext'>My next step is to setup the iptables to allow telnet from internet to the Jnos. I tried and couldn't telnet to my Jnos from the internet.</span><span style='color:windowtext'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='color:windowtext'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif";color:windowtext'>Thanks,</span><span style='color:windowtext'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial","sans-serif";color:windowtext'>Jose / HP2AT</span><span style='color:windowtext'><o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid black 1.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'>----- Original Message ----- <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in;background:#E4E4E4'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'> <a href="mailto:n6mef@mefox.org" title="n6mef@mefox.org">Michael Fox - N6MEF</a> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'>To:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'> <a href="mailto:nos-bbs@tapr.org" title="nos-bbs@tapr.org">'TAPR xNOS Mailing List'</a> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'>Sent:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'> Friday, March 02, 2012 10:57 PM<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'>Subject:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:windowtext'> Re: [nos-bbs] IPTABLES for TUN device<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='color:windowtext'><o:p> </o:p></span></p></div><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jose,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It looks like no one has responded to you yet. That may be because you asked a rather broad question. You’ll need to be much more specific about iptables.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>IPtables is for filtering (among other things). For the best security, you want to set a default policy of drop and then specify the specific traffic that you want to allow. So you need to define those traffic types first, then translate to iptables rules. If you define what you want, and take a stab at writing the rules, there are probably several of us here who would be happy to help you refine them.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you’re new to iptables, here’s some background info to get you started:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Iptables has 3 principle filtering tables: input, forward, output. Input is what traffic you want linux to accept coming in on that interface. In other words, this is traffic destined for linux that comes in on the tun0 interface. Forward is for traffic you want linux to allow to pass through from one interface to another. This can be two way on the tun0 device. For example, you may want to allow certain ICMP traffic to go out from JNOS, through Linux, to the internet, but not allow incoming traffic of that type from the internet to reach JNOS. So you need to define what traffic do you want to allow linux to forward from other interfaces TO tun0 and what traffic do you want linux to forward FROM tun0 to other interfaces. Output is for what traffic you want linux to be able to originate on that interface. <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>To specify the traffic types, you’ll need to define if they’re IP, TCP, ICMP, etc., which ports (line TCP port 23 for default telnet, etc.), and possibily which source and/or destination addresses to allow to send that traffic. For example, you may want to allow linux to forward telnet to JNOS as long as it is from a 44.x address, but not from other addresses.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Once you have figured out what traffic you want to allow, here are three good references to help write the rules:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="https://help.ubuntu.com/community/IptablesHowTo">https://help.ubuntu.com/community/IptablesHowTo</a><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html">http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html</a> (this is how I learned – it has some good templates)<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>O’Reilly iptables pocket reference: <a href="http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell">http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell</a> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Michael<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>N6MEF<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:1.0in'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:nos-bbs-bounces@tapr.org">nos-bbs-bounces@tapr.org</a> <a href="mailto:[mailto:nos-bbs-bounces@tapr.org]">[mailto:nos-bbs-bounces@tapr.org]</a> <b>On Behalf Of </b>Jose Ng Lee<br><b>Sent:</b> Friday, March 02, 2012 11:20 AM<br><b>To:</b> TAPR xNOS Mailing List<br><b>Subject:</b> [nos-bbs] IPTABLES for TUN device<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:1.0in'><span style='font-family:"Arial","sans-serif"'>Hi,</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'> <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'><span style='font-family:"Arial","sans-serif"'>Anyone can help me with a sample IPTABLES configuration that works with TUN device.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'> <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'><span style='font-family:"Arial","sans-serif"'>Thanks,</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'><span style='font-family:"Arial","sans-serif"'>Jose / HP2AT</span><o:p></o:p></p></div><div class=MsoNormal align=center style='margin-left:.5in;text-align:center'><span style='color:windowtext'><hr size=2 width="100%" align=center></span></div><p class=MsoNormal style='margin-left:.5in'><span style='color:windowtext'>_______________________________________________<br>nos-bbs mailing list<br><a href="mailto:nos-bbs@tapr.org">nos-bbs@tapr.org</a><br><a href="https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs">https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs</a><o:p></o:p></span></p></blockquote></div></body></html>