[Olsr-users] OLSRd2 and iptables

Henning Rogge (spam-protected)
Tue May 10 19:10:50 CEST 2016 

Hi,

do not forget ip6tables... ;)

Henning

On Tue, May 10, 2016 at 6:37 PM, Nemesis <(spam-protected)> wrote:
> Thank you Henning.
>
> For the record, I share some of our rules: I omitted few non common
> services for security reasons, but left the most common ones, it may be
> helpful to other people as well.
>
> -------------------------------------------------------------------
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD ACCEPT
>
> # Accept local and established, related
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # SSH
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> # HTTP
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> # HTTPS
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> # VPN
> iptables -A INPUT -p udp --dport 1194 -j ACCEPT
>
> # OLSRd2
> iptables -A INPUT -i vpn -p udp --dport 269 -j ACCEPT
>
> # allow ICMP on VPN
> iptables -A INPUT -p icmp -i vpn -j ACCEPT
> iptables -A OUTPUT -p icmp -o vpn -j ACCEPT
>
> # disable FORWARD on eth0
> iptables -A FORWARD -o eth0 -j DROP
>
> -------------------------------------------------------------------
>
> Federico
>
>
> On 05/09/2016 08:44 PM, Henning Rogge wrote:
>> Hi,
>>
>> dropping all packets in the forward chain means you cannot route
>> traffic... anything (non-locally) routed goes through the forward
>> chain.
>>
>> Henning
>>
>> On Mon, May 9, 2016 at 8:37 PM, Nemesis <(spam-protected)> wrote:
>>> Hi everyone,
>>>
>>> we have an olsrd2 node running only vpn links and exposed to the
>>> internet. We need to protect it a bit more with iptables rules.
>>>
>>> What ports do we need to keep open on what chains in order to keep
>>> olsrd2 running? The current configuration we have causes OLSRd2 to stop
>>> working.
>>>
>>> Current rules:
>>>
>>> ---------------------------------------------
>>>
>>> iptables --flush
>>> iptables --delete-chain
>>> iptables -P INPUT DROP
>>> iptables -P FORWARD DROP
>>> iptables -P OUTPUT DROP
>>>
>>> iptables -A INPUT -i lo -j ACCEPT
>>> iptables -A OUTPUT -o lo -j ACCEPT
>>>
>>> iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
>>>
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> # other omitted accepted ports like 80, 443, ecc
>>>
>>> # OLSRd2
>>> iptables -A INPUT -p udp --dport 269 -j ACCEPT
>>>
>>> iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>> ---------------------------------------------
>>>
>>> Maybe missing something on the forward chain? Or another port?
>>>
>>> Federico
>>>
>>> --
>>> Olsr-users mailing list
>>> (spam-protected)
>>> https://lists.olsr.org/mailman/listinfo/olsr-users
>

More information about the Olsr-users mailing list