
Howto open specific port on local net? #29

Open
notDavid opened this issue Jul 20, 2017 · 3 comments

Comments

@notDavid

Hi there,

I followed this guide and installed the vpn-firewall on a Raspberry Pi 3 running Debian Jessie. I'm using a single network interface (eth0) and the LOCAL_NET variable in 50_user.conf is set to my local network, and all works fine.
However, I cannot access the device over SSH in the local net (I assume all ports are obviously closed by the firewall).

What would be the best way to open port 22 on eth0 so I can access the device from my local network?

Should I manually edit '/usr/share/netfilter-persistent/plugins.d/30_vpn-firewall' to add some rule to it?

Thank you.

@notDavid
Author

Never mind, I think I've figured it out...

# Allow new and established SSH connections on eth0, from the LAN subnet only
$iptables_cmd -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow the replies back out on eth0 (only matters if the OUTPUT policy is DROP)
$iptables_cmd -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Another question though, I was wondering why to allow all incoming traffic on the VPN interface?

Doesn't this make the system vulnerable? For example, with a vpn-server config where clients can access each other's IPs internally in the VPN network, would this not expose all open ports?
Would it not be better to disable that rule by default, so that only established incoming connections are allowed?

@adrelanos
Owner

Another question though, I was wondering why to allow all incoming traffic on the VPN interface?

Doesn't this make the system vulnerable? For example, with a vpn-server config where clients can access each other's IPs internally in the VPN network, would this not expose all open ports?
Would it not be better to disable that rule by default, so that only established incoming connections are allowed?

Created #34 for it.

@adrelanos
Owner

Should I manually edit '/usr/share/netfilter-persistent/plugins.d/30_vpn-firewall' to add some rule to it?

That's not a great solution since that change does not persist on vpn-firewall upgrades. Since vpn-firewall is based on netfilter-persistent, the iptables rules should be stackable. However, vpn-firewall's unconditional flush_rules_chains breaks it. There are currently no other packages using /usr/share/netfilter-persistent/plugins.d/ to my knowledge and no guidance from upstream either, so a well thought through convention for extensible / stackable iptables rules using netfilter-persistent does not exist yet.

Maybe function flush_rules_chains should not be part of VPN-Firewall but some other package. Perhaps part of netfilter-persistent?

  • /usr/share/netfilter-persistent/plugins.d/10_policy_drop (something like this) owned by which package? Hard, since while VPN-Firewall depends on it, it may not be what every sysadmin wants.

  • /usr/share/netfilter-persistent/plugins.d/20_flush_rules_chains (something like this) owned by netfilter-persistent

  • /usr/share/netfilter-persistent/plugins.d/25_allow_ssh not owned by any package, created by user (something like this)

  • /usr/share/netfilter-persistent/plugins.d/30_vpn-firewall owned by vpn-firewall
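The following is an added example, not code from vpn-firewall or from either participant, showing what a separate netfilter-persistent plugin for the SSH rules above could look like. It assumes (not stated in the issue) that netfilter-persistent runs the plugins.d scripts in lexical order and passes one of start, stop, flush or save as the first argument, and that the file is installed executable as /usr/share/netfilter-persistent/plugins.d/40_allow_ssh, sorting after 30_vpn-firewall so that the flush in that plugin does not wipe it; under the split sketched in the list above (flush moved to a 20_ plugin) the same file could live at 25_allow_ssh. It uses -m conntrack rather than the older -m state alias and adds a -d match on the OUTPUT rule; the interface and subnet are the values from the issue and can be overridden via the environment.

```shell
#!/bin/sh
# Added example (not vpn-firewall's own code): netfilter-persistent plugin that
# opens TCP/22 on the LAN side only. Assumed install path (hypothetical):
#   /usr/share/netfilter-persistent/plugins.d/40_allow_ssh
# Assumed plugin interface: run in lexical order with $1 in start|stop|flush|save.
set -eu

LAN_IF="${LAN_IF:-eth0}"                  # from the issue; override via env
LAN_NET="${LAN_NET:-192.168.0.0/24}"      # from the issue; override via env
IPTABLES="${IPTABLES:-iptables}"

# Rule bodies (everything after -A/-D), one per line. Restricting both the
# interface and the subnet keeps port 22 closed on the VPN interface; the
# OUTPUT rule only matters when the OUTPUT policy is DROP.
ssh_rules() {
    printf '%s\n' \
        "INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
        "OUTPUT -o $LAN_IF -d $LAN_NET -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# True if the rule is already loaded (iptables -C exits 0 on an exact match).
rule_present() {
    # shellcheck disable=SC2086  # word splitting of the rule is intended
    $IPTABLES -C $1 2>/dev/null
}

# $1 is -A (add, idempotent: never duplicates a rule on a restart) or -D
# (remove only our own rules; never flush a chain vpn-firewall owns).
apply_ssh_rules() {
    op="$1"
    ssh_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        if [ "$op" = -A ]; then
            if ! rule_present "$rule"; then $IPTABLES -A $rule; fi
        else
            if rule_present "$rule"; then $IPTABLES -D $rule; fi
        fi
    done
}

# netfilter-persistent plugin entry point (no-op when sourced without arguments).
if [ "$#" -gt 0 ]; then
    case "$1" in
        start)      apply_ssh_rules -A ;;
        stop|flush) apply_ssh_rules -D ;;
        save)       ;;   # nothing to persist: rules are regenerated on start
        *)          echo "usage: $0 {start|stop|flush|save}" >&2; exit 1 ;;
    esac
fi
```

Because the plugin adds rules with -C checks and removes only its own two rules, it stays correct whether vpn-firewall has already flushed the chains before it runs or not, and it survives vpn-firewall package upgrades, which was the objection to editing 30_vpn-firewall directly.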
