[Olsr-users] OLSRd2 and iptables

Nemesis (spam-protected)
Tue May 10 19:12:53 CEST 2016


EHEH, you are very right!

I guess the rules must be the same, just using IPv6.

Federico


On 05/10/2016 07:10 PM, Henning Rogge wrote:
> Hi,
> 
> do not forget ip6tables... ;)
> 
> Henning
> 
> On Tue, May 10, 2016 at 6:37 PM, Nemesis <(spam-protected)> wrote:
>> Thank you Henning.
>>
>> For the record, I share some of our rules: I omitted a few uncommon
>> services for security reasons, but left the most common ones; it may be
>> helpful to other people as well.
>>
>> -------------------------------------------------------------------
>>
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD ACCEPT
>>
>> # Accept local and established, related
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> # SSH
>> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>> # HTTP
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> # HTTPS
>> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>> # VPN
>> iptables -A INPUT -p udp --dport 1194 -j ACCEPT
>>
>> # OLSRd2
>> iptables -A INPUT -i vpn -p udp --dport 269 -j ACCEPT
>>
>> # allow ICMP on VPN
>> iptables -A INPUT -p icmp -i vpn -j ACCEPT
>> iptables -A OUTPUT -p icmp -o vpn -j ACCEPT
>>
>> # disable FORWARD on eth0
>> iptables -A FORWARD -o eth0 -j DROP
>>
>> -------------------------------------------------------------------
>>
>> Federico
>>
>>
>> On 05/09/2016 08:44 PM, Henning Rogge wrote:
>>> Hi,
>>>
>>> dropping all packets in the forward chain means you cannot route
>>> traffic... anything (non-locally) routed goes through the forward
>>> chain.
>>>
>>> Henning
>>>
>>> On Mon, May 9, 2016 at 8:37 PM, Nemesis <(spam-protected)> wrote:
>>>> Hi everyone,
>>>>
>>>> we have an olsrd2 node running only vpn links and exposed to the
>>>> internet. We need to protect it a bit more with iptables rules.
>>>>
>>>> What ports do we need to keep open on what chains in order to keep
>>>> olsrd2 running? The current configuration we have causes OLSRd2 to stop
>>>> working.
>>>>
>>>> Current rules:
>>>>
>>>> ---------------------------------------------
>>>>
>>>> iptables --flush
>>>> iptables --delete-chain
>>>> iptables -P INPUT DROP
>>>> iptables -P FORWARD DROP
>>>> iptables -P OUTPUT DROP
>>>>
>>>> iptables -A INPUT -i lo -j ACCEPT
>>>> iptables -A OUTPUT -o lo -j ACCEPT
>>>>
>>>> iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
>>>>
>>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>
>>>> # other omitted accepted ports like 80, 443, etc.
>>>>
>>>> # OLSRd2
>>>> iptables -A INPUT -p udp --dport 269 -j ACCEPT
>>>>
>>>> iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>>
>>>> ---------------------------------------------
>>>>
>>>> Maybe missing something on the forward chain? Or another port?
>>>>
>>>> Federico
>>>>
>>>> --
>>>> Olsr-users mailing list
>>>> (spam-protected)
>>>> https://lists.olsr.org/mailman/listinfo/olsr-users
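The three points of this thread (Henning's note that routed traffic passes through the FORWARD chain, his reminder that ip6tables needs the same treatment, and Federico's final rule set) put together as one added example. This is not code from the olsrd2 project or from either poster; it assumes, as in Federico's rules, that the tunnel interface is called vpn and the uplink eth0, that OLSRd2 listens on UDP/269, and that the box runs SSH, HTTP(S) and an OpenVPN server on UDP/1194. It generates both families from the same function and loads them with iptables-restore / ip6tables-restore, so the v4 and v6 policies cannot drift apart:

```shell
#!/bin/sh
# Added example (not code from the olsrd2 project or from this thread):
# generate the filter table for an OLSRd2 node that meshes over a VPN tunnel
# and is otherwise exposed to the Internet, once per address family.
# Assumptions: tunnel interface "vpn", uplink "eth0" (as in Federico's rules),
# OLSRd2 on UDP/269 (the MANET port), SSH/HTTP/HTTPS and an OpenVPN server on
# UDP/1194 reachable from the Internet. Override with VPN_IF / WAN_IF.

VPN_IF="${VPN_IF:-vpn}"
WAN_IF="${WAN_IF:-eth0}"
OLSR_PORT=269

# gen_rules 4|6  -> iptables-restore text for that address family on stdout
gen_rules() {
    fam="$1"
    case "$fam" in
        4|6) ;;
        *) echo "usage: gen_rules 4|6" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies and related flows, in every chain whose policy is DROP.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    if [ "$fam" = 6 ]; then
        cat <<EOF
# IPv6 does not work without ICMPv6 (neighbour discovery, PMTU), on any interface.
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
EOF
    else
        cat <<EOF
# ICMP only towards the mesh side, as in the original rules.
-A INPUT -i $VPN_IF -p icmp -j ACCEPT
-A OUTPUT -o $VPN_IF -p icmp -j ACCEPT
EOF
    fi
    cat <<EOF
# Services reachable from the Internet.
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
# OLSRd2 control traffic, in and out, only through the tunnel (never from the uplink).
-A INPUT -i $VPN_IF -p udp --dport $OLSR_PORT -j ACCEPT
-A OUTPUT -o $VPN_IF -p udp --dport $OLSR_PORT -j ACCEPT
# Routed traffic traverses FORWARD: let mesh packets through, but never out the uplink.
-A FORWARD -o $WAN_IF -j DROP
-A FORWARD -i $VPN_IF -j ACCEPT
COMMIT
EOF
}

# Load both families; *-restore replaces the whole filter table atomically,
# so no separate --flush / --delete-chain step is needed.
apply_rules() {
    gen_rules 4 | iptables-restore
    gen_rules 6 | ip6tables-restore
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules 4
    gen_rules 6
fi
```

Run it with no argument to print both rulesets for review, or with `apply` as root to load them. The OUTPUT chain is kept as strict as in the original posts: a node that must initiate its own connections (DNS, NTP, package updates, an outbound VPN) needs an explicit OUTPUT accept for each. If the mesh uses several tunnel interfaces, repeat the vpn rules for each name or match them with a wildcard such as `-i vpn+`.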