[Olsr-users] OLSRd2 and iptables

Nemesis (spam-protected)
Tue May 10 18:37:50 CEST 2016


Thank you Henning.

For the record, I share some of our rules: I omitted a few non-common
services for security reasons, but left the most common ones; it may be
helpful to other people as well.

-------------------------------------------------------------------

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT

# Accept local and established, related
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# VPN
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# OLSRd2
iptables -A INPUT -i vpn -p udp --dport 269 -j ACCEPT

# allow ICMP on VPN
iptables -A INPUT -p icmp -i vpn -j ACCEPT
iptables -A OUTPUT -p icmp -o vpn -j ACCEPT

# disable FORWARD on eth0
iptables -A FORWARD -o eth0 -j DROP

-------------------------------------------------------------------

Federico


On 05/09/2016 08:44 PM, Henning Rogge wrote:
> Hi,
> 
> dropping all packets in the forward chain means you cannot route
> traffic... anything (non-locally) routed goes through the forward
> chain.
> 
> Henning
> 
> On Mon, May 9, 2016 at 8:37 PM, Nemesis <(spam-protected)> wrote:
>> Hi everyone,
>>
>> we have an olsrd2 node running only vpn links and exposed to the
>> internet. We need to protect it a bit more with iptables rules.
>>
>> What ports do we need to keep open on what chains in order to keep
>> olsrd2 running? The current configuration we have causes OLSRd2 to stop
>> working.
>>
>> Current rules:
>>
>> ---------------------------------------------
>>
>> iptables --flush
>> iptables --delete-chain
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT DROP
>>
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>>
>> iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
>>
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # other omitted accepted ports like 80, 443, etc.
>>
>> # OLSRd2
>> iptables -A INPUT -p udp --dport 269 -j ACCEPT
>>
>> iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>
>> ---------------------------------------------
>>
>> Maybe missing something on the forward chain? Or another port?
>>
>> Federico
>>
>> --
>> Olsr-users mailing list
>> (spam-protected)
>> https://lists.olsr.org/mailman/listinfo/olsr-users
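The two rule sets in this thread differ on exactly the points that decide whether OLSRd2 keeps running: the first one drops the FORWARD chain (Henning's point: nothing can be routed), and both set the OUTPUT policy to DROP, which also silently discards the node's own OLSRv2 packets and the replies of every inbound session unless matching OUTPUT rules exist. The script below is an added example, not code from the list or from the OLSRd2 project; it assumes, as hypothetical names, a public interface eth0, a single tunnel interface called vpn, OpenVPN on UDP 1194 and OLSRv2 on UDP 269 (the IANA "manet" port). It runs in dry-run mode by default and only prints the rules; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a complete iptables ruleset for
# an OLSRd2 node that carries only VPN links and is reachable from the Internet.
# Hypothetical assumptions: public interface eth0, tunnel interface "vpn",
# OpenVPN on UDP 1194, OLSRv2 on UDP 269, and nothing may be routed via eth0.
set -eu

# Dry-run by default; apply with:  IPT=iptables WAN_IF=eth0 VPN_IF=vpn sh firewall.sh
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-vpn}"     # use "vpn+" to match vpn0, vpn1, ... (iptables wildcard)
MANET_PORT=269              # OLSRv2 / RFC 5498 "manet" UDP port

firewall_rules() {
    $IPT -F
    $IPT -X

    # Default deny for traffic addressed to, or originating from, this host.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # Routed traffic is decided per interface pair below instead of by policy.
    $IPT -P FORWARD DROP

    # Loopback.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Connection tracking in BOTH directions. With OUTPUT set to DROP, replies to
    # inbound SSH/HTTP/VPN sessions never leave the box unless this rule exists.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # Drop TCP packets that try to start a connection without SYN (from the first post).
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Services this node offers (SSH, HTTP, HTTPS) and the OpenVPN listener.
    for port in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 1194 -j ACCEPT

    # OLSRv2 control traffic, restricted to the tunnel. HELLO messages go to the
    # link-local multicast group 224.0.0.109 (RFC 5498), so the replies are NEW
    # flows to conntrack; both directions have to be opened explicitly.
    $IPT -A INPUT  -i "$VPN_IF" -p udp --dport "$MANET_PORT" -j ACCEPT
    $IPT -A OUTPUT -o "$VPN_IF" -p udp --dport "$MANET_PORT" -j ACCEPT

    # ICMP only across the tunnel (ping/traceroute between mesh nodes).
    $IPT -A INPUT  -i "$VPN_IF" -p icmp -j ACCEPT
    $IPT -A OUTPUT -o "$VPN_IF" -p icmp -j ACCEPT

    # Forwarding: mesh traffic may be routed between tunnel interfaces only,
    # nothing is routed to or from the public interface.
    $IPT -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -o "$WAN_IF" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -j DROP
}

# Sanity check used before applying: the OLSRv2 port must be accepted on the
# tunnel in both INPUT and OUTPUT, so exactly two rules should mention it.
manet_rule_count() {
    (IPT="echo iptables"; firewall_rules) | grep -c -- "--dport $MANET_PORT -j ACCEPT"
}

firewall_rules
```

Running the script without IPT set prints the rule list so it can be reviewed before it touches a remote box (locking yourself out of an Internet-only node is the usual failure). If the mesh runs OLSRv2 over IPv6, the same rules are needed in ip6tables with the ff02::6d multicast group, and ICMPv6 must stay open on the tunnel for neighbour discovery to work.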