From a3fade3b3f85f2d29a25b7cf0e34675b62bbb0b4 Mon Sep 17 00:00:00 2001
From: Matthias Blankertz
Date: Sun, 18 May 2014 15:49:20 +0200
Subject: [PATCH] - Enable port forwarding for DC
---
overlay/etc/firewall.sh | 26 +++++++++++++++++++++
overlay/etc/openvpn/ccd/Jan Olbrich | 1 +
overlay/etc/openvpn/ccd/Jan Olbrich Luna | 1 +
overlay/etc/openvpn/ccd/VPN Test Client Key | 1 +
overlay/etc/openvpn/ccd/ka.blankertz.org | 1 +
overlay/etc/openvpn/vpn.conf | 3 +++
6 files changed, 33 insertions(+)
create mode 100644 overlay/etc/openvpn/ccd/Jan Olbrich
create mode 100644 overlay/etc/openvpn/ccd/Jan Olbrich Luna
create mode 100644 overlay/etc/openvpn/ccd/VPN Test Client Key
create mode 100644 overlay/etc/openvpn/ccd/ka.blankertz.org
diff --git a/overlay/etc/firewall.sh b/overlay/etc/firewall.sh
index bf218a1..21b381e 100755
--- a/overlay/etc/firewall.sh
+++ b/overlay/etc/firewall.sh
@@ -106,6 +106,32 @@ iptables -A INPUT -p udp --dport 1194 -j ACCEPT -m state --state NEW
 iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A FORWARD -i tun+ -j ACCEPT
+
+## Port Forwarding for DC
+# Allow forwarded ports
+iptables -A INPUT -i eth0 -p udp -m multiport --dports 6666,6668,6670,6672 -j ACCEPT -m state --state NEW
+iptables -A FORWARD -i eth0 -p udp -m multiport --dports 6666,6668,6670,6672 -j ACCEPT -m state --state NEW
+iptables -A INPUT -i eth0 -p tcp --dport 6666:6673 -j ACCEPT -m state --state NEW
+iptables -A FORWARD -i eth0 -p tcp --dport 6666:6673 -j ACCEPT -m state --state NEW
+
+# Forward
+iptables -t nat -A PREROUTING -p udp --dport 6666 -i eth0 -j DNAT --to 10.42.23.129:6666
+iptables -t nat -A PREROUTING -p tcp --dport 6666 -i eth0 -j DNAT --to 10.42.23.129:6666
+iptables -t nat -A PREROUTING -p tcp --dport 6667 -i eth0 -j DNAT --to 10.42.23.129:6667
+
+iptables -t nat -A PREROUTING -p udp --dport 6668 -i eth0 -j DNAT --to 10.42.23.131:6668
+iptables -t nat -A PREROUTING -p tcp --dport 6668 -i eth0 -j DNAT --to 10.42.23.131:6668
+iptables -t nat -A PREROUTING -p tcp --dport 6669 -i eth0 -j DNAT --to 10.42.23.131:6669
+
+iptables -t nat -A PREROUTING -p udp --dport 6670 -i eth0 -j DNAT --to 10.42.23.133:6670
+iptables -t nat -A PREROUTING -p tcp --dport 6670 -i eth0 -j DNAT --to 10.42.23.133:6670
+iptables -t nat -A PREROUTING -p tcp --dport 6671 -i eth0 -j DNAT --to 10.42.23.133:6671
+
+iptables -t nat -A PREROUTING -p udp --dport 6672 -i eth0 -j DNAT --to 10.42.23.135:6672
+iptables -t nat -A PREROUTING -p tcp --dport 6672 -i eth0 -j DNAT --to 10.42.23.135:6672
+iptables -t nat -A PREROUTING -p tcp --dport 6673 -i eth0 -j DNAT --to 10.42.23.135:6673
+
+
 # Catchall
 iptables -A INPUT -j LOG --log-level debug --log-prefix "CATCHALL "
 iptables -A FORWARD -j LOG --log-level debug --log-prefix "CATCHALL "
diff --git a/overlay/etc/openvpn/ccd/Jan Olbrich b/overlay/etc/openvpn/ccd/Jan Olbrich
new file mode 100644
index 0000000..3302bae
--- /dev/null
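Review bot: The four `-A FORWARD -i eth0 ... -j ACCEPT` rules accept new connections on these ports to any forwarded destination, not only the four DNAT targets below; FORWARD sees the post-DNAT address, so adding `-o tun+ -d <target>` limits each opening to the VPN client the port is actually mapped to. The matching `-A INPUT` rules look dead: PREROUTING DNAT rewrites every one of these ports before INPUT is consulted, so they only take effect if a NAT rule is later removed, at which point they silently open the same ports on the host itself. The port/address pairs are repeated across INPUT, FORWARD and twelve PREROUTING lines, so deriving all rules from one list of port:address pairs (below) keeps the filter and NAT sides from drifting apart. Note also that 10.42.23.131 is the address pushed by the `VPN Test Client Key` ccd entry, so that test credential becomes reachable from eth0 on 6668/6669 — confirm that is intended.
```shell
## Port Forwarding for DC
# One entry per forwarded VPN client: "<base port>:<client VPN address>".
# Each client gets UDP <port> and TCP <port>,<port+1>; FORWARD matches the
# post-DNAT destination, so the accept is limited to that one client.
for entry in 6666:10.42.23.129 6668:10.42.23.131 6670:10.42.23.133 6672:10.42.23.135; do
  port=${entry%%:*}
  dst=${entry#*:}
  iptables -A FORWARD -i eth0 -o tun+ -d "$dst" -p udp --dport "$port" -m state --state NEW -j ACCEPT
  iptables -A FORWARD -i eth0 -o tun+ -d "$dst" -p tcp --dport "$port:$((port + 1))" -m state --state NEW -j ACCEPT
  # --to without a port keeps the original destination port, which is what
  # the explicit per-port rules did.
  iptables -t nat -A PREROUTING -i eth0 -p udp --dport "$port" -j DNAT --to "$dst"
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$port:$((port + 1))" -j DNAT --to "$dst"
done

# … unchanged: catchall logging …
```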
+++ b/overlay/etc/openvpn/ccd/Jan Olbrich
@@ -0,0 +1 @@
+ifconfig-push 10.42.23.129 19.42.23.130
diff --git a/overlay/etc/openvpn/ccd/Jan Olbrich Luna b/overlay/etc/openvpn/ccd/Jan Olbrich Luna
new file mode 100644
index 0000000..b89e9ce
--- /dev/null
+++ b/overlay/etc/openvpn/ccd/Jan Olbrich Luna
@@ -0,0 +1 @@
+ifconfig-push 10.42.23.135 10.42.23.136
diff --git a/overlay/etc/openvpn/ccd/VPN Test Client Key b/overlay/etc/openvpn/ccd/VPN Test Client Key
new file mode 100644
index 0000000..34d1ce0
--- /dev/null
+++ b/overlay/etc/openvpn/ccd/VPN Test Client Key
@@ -0,0 +1 @@
+ifconfig-push 10.42.23.131 10.42.23.132
diff --git a/overlay/etc/openvpn/ccd/ka.blankertz.org b/overlay/etc/openvpn/ccd/ka.blankertz.org
new file mode 100644
index 0000000..0cba9d9
--- /dev/null
+++ b/overlay/etc/openvpn/ccd/ka.blankertz.org
@@ -0,0 +1 @@
+ifconfig-push 10.42.23.133 10.42.23.134
diff --git a/overlay/etc/openvpn/vpn.conf b/overlay/etc/openvpn/vpn.conf
index 0e7b70d..d24743d 100644
--- a/overlay/etc/openvpn/vpn.conf
+++ b/overlay/etc/openvpn/vpn.conf
@@ -80,6 +80,8 @@ cert panda.crt
 key panda.key # This file should be kept secret
 crl-verify crl.pem
+client-config-dir /etc/openvpn/ccd
+
 # Diffie hellman parameters.
 # Generate your own with:
 # openssl dhparam -out dh1024.pem 1024
@@ -164,6 +166,7 @@ push "route 172.19.0.0 255.255.0.0"
 ;client-config-dir ccd
 ;route 10.9.0.0 255.255.255.252
 # Then add this line to ccd/Thelonious:
+
 # ifconfig-push 10.9.0.1 10.9.0.2
 # Suppose that you want to enable different
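Review bot: The peer address in `ifconfig-push 10.42.23.129 19.42.23.130` is in 19.0.0.0/8 while every other ccd entry pairs two consecutive 10.42.23.x addresses, so `19.` looks like a typo for `10.`; as written the client would be handed a peer address outside the VPN subnet, and the firewall's DNAT to 10.42.23.129 would then point at a client whose tunnel is misconfigured. The line should read `ifconfig-push 10.42.23.129 10.42.23.130`. Separately, this file, `Jan Olbrich Luna` and `VPN Test Client Key` contain spaces; as far as I recall OpenVPN sanitizes the certificate common name before the ccd lookup, replacing characters outside alphanumerics, `_`, `-`, `.`, `@` and `/` with `_`, so the file it would open is `Jan_Olbrich` and these three entries would silently never apply (the `ka.blankertz.org` entry is unaffected). Check the server log for the name actually looked up and rename the files to match before relying on the fixed addresses.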
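Review bot: `client-config-dir /etc/openvpn/ccd` enables per-client addressing, but nothing in this hunk keeps the dynamic pool from handing 10.42.23.129/.131/.133/.135 to a different client; unless those addresses lie outside the range allocated by the `server`/`ifconfig-pool` line (not visible here), a client without a ccd entry can receive one of them and with it the traffic the firewall DNATs there. Confirm the pool range, or add `ccd-exclusive` so only clients with a ccd file are admitted. If the server drops privileges with `user`/`group` or runs under `chroot`, the directory must still be readable after the drop and the absolute path must resolve inside the chroot — worth a comment next to the new line.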