Debian Configuration :: OpenVPN And IPTables - No Local Hostnames Accessible

Feb 7, 2016

I managed to set up an openvpn server, ip-forwarding and a nat iptable rule for that.

Almost everything works as expected, but my problem is:

Smartphone -> VPN -> Internet ==> works (by ip and hostname)
Smartphone -> VPN -> machine in my local network by IP ==> works
Smartphone -> VPN -> machine in my local network by its hostname => DOES NOT WORK
Machine w/ VPN server -> ping to machine in local network by ip or hostname => works

So, I wonder why I can't access a local machine through the VPN by its hostname. I guess I'm missing a forwarding rule?

iptables dump:
# Generated by iptables-save v1.4.21 on Sun Feb 7 20:56:52 2016
*nat
:PREROUTING ACCEPT [786:59064]
:INPUT ACCEPT [728:53047]
:OUTPUT ACCEPT [19:1487]
:POSTROUTING ACCEPT [20:1576]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Feb 7 20:56:52 2016

Ubuntu Servers :: OpenVPN Local Devices Not Accessible

Nov 26, 2010

I've setup openVPN using bridging following these guides

[URL]

I'm running Ubuntu Server 10.10. My clients can connect and get their own IP within my IP range (192.168.1.x). They can ping each other, and I've tested that I can use the connection for a LAN game and a Windows RDP connection. The problem is I cannot access any of the actual local network devices except the vpnServer. Is there something else that needs to be done to allow full network access?

Debian Configuration :: How To Configure OpenVPN To See Local Network

Feb 11, 2016

I want to see the IP cam in my local network from my tablets. I installed server/client, but I can't even ping my IP cam from my tablet. I can ping my IP cam from my server:

ping 10.42.0.22
PING 10.42.0.22 (10.42.0.22) 56(84) bytes of data.
64 bytes from 10.42.0.22: icmp_seq=1 ttl=64 time=0.639 ms

eth1:1    Link encap:Ethernet  HWaddr 00:25:22:1c:6e:05 
          inet addr:10.42.0.1  Bcast:10.42.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.42.0.1  P-t-P:10.42.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1775 errors:0 dropped:0 overruns:0 frame:0
         
[code]...

My tablet can receive an IP and can see FTP on the server, but can't see anything in my home network.

Debian Configuration :: IPTables Output Block Not Local

Sep 19, 2015

I'm trying to create some rules to detect outgoing traffic from my Debian Jessie that is not from my IP or loop.

#!/bin/bash
/sbin/iptables -N C_OUT_N_LOCAL
/sbin/iptables -N C_OUT_N_LOCAL_LO
/sbin/iptables -A C_OUT_N_LOCAL -m limit --limit 2/min -j LOG --log-prefix "PK: output not local : " --log-level 4

LO_IP="127.0.0.1"
MY_IP="192.168.0.4"

/sbin/iptables -I OUTPUT -p ALL ! -s $LO_IP -j C_OUT_N_LOCAL_LO
/sbin/iptables -A C_OUT_N_LOCAL_LO -p ALL ! -s $MY_IP -j C_OUT_N_LOCAL

Debian Configuration :: IPTables - Local Host Cannot Get Returning Traffic

Sep 20, 2010

I have a strange iptables issue. I have just built a new Debian install and started adding some really basic rules (see below). The problem seems to be that the localhost itself can't get any returning traffic. That is, it seems to be allowed outgoing traffic but not the connected, returning traffic. Ordinarily, allowing established connections would resolve this (see the rule below), but it hasn't. Why doesn't this work? Removing the last DROP in the INPUT chain obviously makes the traffic work!

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 80
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 8080
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -j DROP

Debian Configuration :: How To Connect To Hostnames Over LAN That Router Assigns

Sep 29, 2015

So I have a router that I've gotten from my ISP, which seems to run a hardened, custom version of OpenWRT. By that I mean it's read-only and has a lot of files mostly in RAM. So putting custom firmware on it is not an option for me right now, as it's my only router. Actually, it's not just a router, it's an Actiontec modem/router combo.

So anyway, let's say I have a machine on my LAN and I want to basically SSH into a box by hostname. Now the thing is, I prefer using OpenDNS (previously OpenNIC) as my DNS, and so I don't use my router as my nameserver, though I could do that.

So how do I connect to my machine by hostname? I would prefer a solution that does not use Avahi/Zeroconf or editing the hosts file. People have said setting up a local DNS server might be okay, but I'd have to do that for every machine I'd want added to my network. Kind of almost as bad as editing a static hosts file. I really want to use DHCP over static IP assigning, and the one on my router is not as advanced, so I can't use my hosts file. And also,

So is Zeroconf the only solution? I'm not sure how to set up Zeroconf. Do you just install Avahi?

I want a simple, almost Arch-linux solution, lean and clean, using only the most minimal software. I don't care how much configuring I'd have to do, as long as it's going to stay reliable as well.

OpenSUSE Network :: Resolve Local Hostnames Without DNS ?

Jul 14, 2010

How do you get linux to resolve local hostnames without DNS?

I've recently migrated from a fully Windows home network to a few Linux machines, and I'm unable to ping any local machines by hostname from these Linux machines. I can ping IPs and internet hostnames. Also, Windows > anything pings OK too. However, Linux > anything will not ping via hostname.

I believe it's an additional service running on Windows to resolve hostnames without DNS (WINS/NetBIOS).

DNS is done via a Netgear DG834 router (DNS forwarding).

I know I could either use direct IPs or add machines into the hosts file, but I'm wondering if there's some way around that, to have it dynamically update like it does on the Windows machines. Static mappings seem a bit silly inside DHCP zones.

I've seen some reports of avahi causing local network issues (taking over the .local domain), but i think this only extends to having to manually enter in .local after the hostname and even after removing avahi, the problem is still present.

Ubuntu Networking :: Cannot Ping Local Hostnames

Nov 3, 2010

I have recently installed Ubuntu 10.10 and using it on a Windows Network.

I cannot ping any local hosts on the network using the computer name, but can ping using the IP address.

I can ping the hosts via hostname from a Windows machine fine, just not from Ubuntu.

I can ping external websites using hostname like [URL]

My resolv.conf file is as follows.

# Generated by NetworkManager
nameserver 192.168.95.253
nameserver 192.168.95.234

Debian Configuration :: RAID Array Not Accessible

Aug 29, 2015

Just setup with Debian 8 (LXDE) a few weeks ago. Raid10 array was preexisting.

Was working well. After booting I would need to go to the save as then would need to enter the root password and everything would be good.

Can't access the array.

Used to use the command $ mount /dev/dm-o /home/myspace/folder under Debian 7.6 to mount the array (no longer works).
blkd lists a /dev/md0 but instead of UUID it is PTUUID

[Code] .....

Ubuntu Networking :: Can't Ping Via 'morbo.local' - Can't Reach Systems By Hostnames

Jul 8, 2010

I recently set up an Ubuntu server computer (10.04) with the hostname 'morbo', and with a static IP address. With all my other ubuntu systems i can ping and ssh using their host names, like:

[code]...

I can't reach it via 'morbo.local', nor can I reach my other Ubuntu systems from morbo by their hostnames. I have seen a 'quick and dirty' solution which might help here: [URL]..., but I don't want to have to add every system to morbo's list and morbo to every system's list, and because it works without manual configuration on all my other systems, I don't see why it shouldn't be possible here. Currently everything connects to one D-Link router - does this mean it is the DNS server?

Debian Configuration :: Traffic Bypasses OpenVPN

Sep 16, 2015

I'm running the OpenVPN service on both a Debian server and client. When I start the connection between client and server, I expect all the computer's traffic (except ARP and DHCP requests) to go through the created tunnel. However, when I capture packets on wlan0 on the client (the only connection going outside the host) using Wireshark, I can see DNS requests and sometimes incoming TCP traffic as well, but most of the traffic is going through the tunnel as expected. I provide both configurations of client and server and the client routing table for inspection. I changed the server address to avoid server exploitation in the case of some big configuration mistake.

Commands to run OpenVPN services are:
For client: sudo openvpn --config /etc/openvpn/client.conf &
For server: sudo openvpn --config /etc/openvpn/server.conf &

**Client routing table when VPN is OFF**
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    1024   0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0

[code]...

I searched through many forums and documentation and found that, for all the traffic to go via the VPN, the command *push "redirect-gateway def1"* is necessary; however, I have leaks despite this command being in place. I already spent over 2 days on this and tried to configure it in many ways; now I have no clue what I'm missing.

Debian Configuration :: OpenVPN - Cannot Load Tun Module

Dec 16, 2015

I have recently rented a VPS server so I can run a VPN. Unfortunately, I did not get far in this [URL] ....., I have encountered this error:

xaver@xaver:/$ sudo modprobe tun
ERROR: could not insert 'tun': Unknown symbol in module, or unknown parameter (see dmesg)

So I googled this error and found this: [URL] ....., however the response of my VPS was:

xaver@xaver:/$ ls /lib/modules/uname -r /kernel/drivers/net/tun.*
ls: cannot access /lib/modules/uname: No such file or directory
ls: cannot access /kernel/drivers/net/tun.*: No such file or directory

xaver@xaver:/$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.9 (wheezy)
Release:        7.9
Codename:       wheezy

xaver@xaver:/$ uname -a
Linux xaver 3.2.0-4-amd64 #1 SMP Debian 3.2.57-3+deb7u1 x86_64 GNU/Linux

Debian Configuration :: Can Make Openvpn Faster Like Rsync

Oct 22, 2010

I use openvpn to connect otherwise isolated machines, and use samba to share filesystems across the vpn, which works just fine. But I recently discovered that copying files using rsync -e ssh is so much faster than copying from a mounted filesystem - like about 5 times faster. I've got comp-lzo enabled in both the server and the client, at least I think I have; the directive is there in both the server.conf and the client.conf files, but how do I check that it's active? Does anyone know if I can make openvpn behave more like rsync, because copying is easier than rsyncing?

Debian Configuration :: Openvpn And Internet Connection Lost

Oct 29, 2010

When I make a VPN connection to an OpenVPN server, I lose the internet connection.

The VPN works all right.

Server config (extract)

Client config

Client route without the VPN connection

client route with VPN connected (internet lost)

Is there anything I can do to the push rule of the server's config file?

Debian :: Modify Configuration To Enable OpenVPN To Act As Tunnel Broker

Feb 18, 2011

I currently run OpenVPN on my Debian box that provides secure IPv4 routing from my laptop to my VPS in a different country (and from there the internet via this box). This works fine. However, I'd like to sort out IPv6 through this VPN as well as IPv4, and I'm not overly sure how to do it. The remote server itself has native IPv6 configured on device eth0 and it works (ping6, traceroutes all fine, incoming to web servers etc.) nicely on dual stack.

How would I go about modifying the config (both client and server if needed) to enable OpenVPN to act as a tunnel broker, so the laptop can use IPv6 through the server as well as the old v4? (The internet connection at the laptop end will not/does not have native IPv6 from the ISP. Currently I'm using the he-net tunnel broker, but I'd like to run it myself through my existing OpenVPN.) VPN config details: it's using UDP, port 1194, creates a TUN interface, redirect-gateway etc., and the rest is normal config. Edit: if it matters, the clients are all running Windows, so I can't use sh scripts to set up stuff at the client end.

Debian Configuration :: Exim4 Configuration For Local Addresses

Jun 17, 2010

I am working on a Debian 2.6.26-19 Distribution with exim4 as MTA. After a system restart a problem occurred with delivering emails to local addresses. These local addresses use a 1and1 mailserver for email. The MX records for the local domain are set correctly but exim does not use a DNS lookup for these addresses because it identifies them as local addresses. I figured this out by executing the exim4 -d -bt command. The dns lookup part of the result looks like this (I replaced the actual address with placeholders):

[Code]....

The eventual result of the exim4 -d -bt command is: [user]@[domain.ext] is undeliverable: Unrouteable address. How can I make sure that exim4 makes a DNS lookup for the local addresses instead of skipping it? I know that I have to edit an exim4 configuration file, but I could not figure out which and how.

Fedora :: Using Iptables To Make Port 22 Accessible Through 4455 Externally

Apr 16, 2011

Have previously moved my ssh server from 22 to 4455 just by moving the port in sshd_config. This is done to minimize the log entries resulting from brute force attacks. However, it seems like Zimbra and other local services expect to find the ssh service locally available on port 22, so I figured it's better to move the port in the firewall so that it remains configured on port 22 in sshd_config, and instead use iptables with a nat/port rewrite to move 4455 incoming to 22 locally.

In isolation this works as long as I also keep allowing port 22, but the moment I close port 22, port 4455 is also dead, which sort of defies the purpose.

Networking :: IPTABLES - OpenVPN And IP From ISP?

May 7, 2010

I have set up OpenVPN for my connection. I'm using this to connect to the internet from different locations using tunnelling.

Right now I have a few IPs: on eth0 I have the IP from my ISP, on eth0:1 I have my own IP. I set up MASQUERADE to eth0, but in this case, when I try to access my restricted resources, the IP address from the ISP is visible.
What I want is to use my own IP address from eth0:1. Could somebody help me build a good working redirect entry for that? I want to redirect all connections to the IP assigned on eth0:1, just to access the Internet using my IP.

Debian :: Iptables Cannot Save The Configuration?

Apr 28, 2011

I am configuring iptables in Debian Squeeze and then running: iptables-save

Debian Configuration :: Bad Argument '#' In Iptables

Jul 11, 2011

I follow these instructions, but after iptables-restore < /etc/iptables.test.rules I see this error:

# iptables-restore < /etc/iptables.test.rules
Bad argument `#'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Line 3 is the same as in the link - # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0

Networking :: Get A Subdomain Accessible Outside The Local Network?

Jul 25, 2011

I have a subdomain called www3 and I can't see it outside of our network. It's added in vhosts.conf in /etc/httpd/conf.d, and I can access it through [URL], but only when on VPN.

We have another, www2, that is accessible both locally AND outside the VPN. I am testing the site live and need access to it. Is there another file besides vhosts.conf that I need to add the subdomain in? Here's what I added in my vhosts.conf

Code:

<VirtualHost *:80>
ServerName www2.mydomain.com
ServerAlias www2.internal www2

[code]....

Networking :: Only Allow OpenVPN Connections With IPtables ?

May 23, 2011

I'd like to configure IPtables to make sure I can only access the internet through an openvpn connection (so when the connection is down I have no way to access the internet but to connect to the vpn again).

I know how to do this with Firestarter (restrictive outgoing policy and I only allow the vpn server IPs) but Firestarter seems to be stupid : for some reason eth0 was changed to eth1 and Firestarter can't work properly anymore, even though that probably can be fixed with Firestarter I'm no more interested in this program and I'd better like to know how to apply the same policy using IPtables.

I've tried a few things already but it failed each time ... how can I effectively allow my computer to connect to the VPN while everything else is blocked ?

Debian Configuration :: Iptables Forwarding For Tomcat?

Nov 10, 2010

I've been trying to forward some ports using iptables for some time now, but still haven't figured out how to get it to work. What I'm trying to accomplish is to forward all traffic from port 80 to port 8080, and all traffic from port 443 to port 8443, because I would like to run tomcat as a non-root user, and the original ports can only be used as root. I've currently set up my iptables like this:

# Generated by iptables-save v1.4.2 on Wed Nov 10 16:44:45 2010
*nat
:PREROUTING ACCEPT [39350:6120333]

[code].....

Debian Configuration :: Iptables Blocks FTP Connections

Jul 8, 2011

For some reason my FTP packets are blocked by iptables even though I thought I allowed them through.

My syslog errors are along this line:

And my iptables ruleset:

Networking :: Iptables Configuration On Debian Dmz Host?

Jul 6, 2010

I am trying to set up a DMZ host - that is, one multifunctional PC between the WAN and the LAN. I've started with a basic router, and expanding upon that as the need arises. I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN, but I am having trouble accessing the host from the WAN; I think my iptables configuration may be too restrictive. On the DMZ host, I'm using Debian (Etch). I have setup dhcp3-server, a script to configure iptables and pound (reverse-proxy). The (virtual) machine has 4 network cards: eth0, eth1, eth2, eth3; eth0 is the WAN, eth1 through eth3 serve 3 different virtual LANs.

All machines in the LAN (except one Windows 2008 server - I might want to address that problem later) get their IP addresses correctly via DHCP from the DMZ host. All machines on the LAN can access the internet (including the 2008 server if I configure it manually) as they should. If I access http://localhost on the DMZ host, pound reports "The service is not available. Please try again later." - as it should.

I can ping the DMZ host from the WAN on 10.0.0.79. However, if I try to access the DMZ host from the WAN (http://10.0.0.79) I get "Unable to connect" from Firefox. I'm sure this is not a pound problem, so I think it's in the iptables, or maybe I should be installing some extra software that I'm unaware of.

[code]....

Ubuntu Networking :: Web Server Only Accessible By Local Network

Nov 3, 2010

I just set up an Ubuntu 10.10 box to learn Linux and to play around with, and want it to host my website. I can see the website on my local network no problem, but the outside world gets a timeout message. I checked to make sure everything is forwarded correctly on my router and the DNS, so it has to be something in Ubuntu blocking out-of-network traffic. How do I turn port 80 on to the outside world?

General :: Make Local Web Page Accessible From Internet?

Dec 23, 2010

On my computer, I have an Apache server running, configured at port 80. In the local network, the web page is accessible by my local IP (192...). However, when I want to get to the page from the internet, I don't know the right IP address, since the router's one should be local, and also, the router has its own web page running at port 80. So I guessed that my server IP would be the modem's one, which I don't know. Sometime in the past, I figured out the address of the modem too, but it has its own application running. Also, the router supports port forwarding (which I guess is needed), but I don't know how to get using to it. What address from the internet should I have? How should I determine it?

Ubuntu Security :: Configuring Iptables To Allow VNC And OpenVPN?

Jun 20, 2010

I'm running Ubuntu 10.04 LTS as a VM in Hyper-V, and accessing it via VNC with a machine in the same broadcast domain. I'm using OpenVPN to connect to XeroBank. I have instructions for configuring iptables to permit establishing and using the XeroBank connection, while blocking all other traffic on eth0. I've followed them successfully. I need to also permit the VNC connection, and haven't managed that. FWIW, the VM is at 192.168.111.12::5900 and the workstation is 192.168.111.2.

The attachment to this post lists the recommended contents for each Shorewall file. Which files need changed, and what do I add to each?

Networking :: Iptables Doesn't Work Well Without OpenVPN?

May 31, 2011

My problem is the following: I'm running a bridged OpenVPN on my Debian. If the service is running, everything works fine: local and Internet, FTP, mailing from inside and outside etc. But when stopping OpenVPN, sending mails from inside (LAN) fails: I cannot reach SMTP (postfix) listening on port 465. And even reaching mailboxes using IMAP gets horribly slow, e.g. in Thunderbird. Here is my firewall.sh script.

Quote:

#!/bin/sh
echo "
IPTABLES FIREWALL inicializalasa - szures"
# Enter the designation for the Internal Interface's
INTIF="eth0"

[Code].....

Debian Configuration :: Lenny Not Loading Iptables Rules

Dec 30, 2010

I'm having some trouble with the configuration of the iptables. I want to setup a network server to serve as Fail Over (for my 2 ISPs), DHCP and DNS. I have 3 network cards, 2 connected to ISP's routers and 1 that serves as UPLINK for my switch.

I want to add some iptables rules so I can achieve what I want to do. The problem is that the rules I try to use have no effect; they don't load. Here are the rules I am trying to add:

#iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j SNAT --to EXTIP

When I try to check to see if it loads, with the command:

#iptables -L

It returns empty

Copyrights 2005-15 www.BigResource.com, All rights reserved