Hi everyone,
Thanks in advance to anyone who reads this.
I'm setting up OpenVPN on one of my servers and I'm using a bridge, with OpenWrt as the client.
My problem is (most likely) that I haven't fully understood iptables yet.
Here is my OpenVPN config
Code:
#serveur.conf
daemon
local 192.168.22.12
proto udp
port 1194
dev tap0
tun-mtu 1500
keepalive 10 120
max-clients 10
persist-tun
persist-key
user openvpn
group openvpn
chroot /etc/openvpn/jail
log /var/log/openvpn/openvpn.log
verb 6
comp-lzo
# 3DES (DES-EDE3-CBC / DES-CBC3-SHA) and a 1024-bit DH group are weak by
# today's standards; AES-256-CBC (or an AES-GCM cipher) and a 2048-bit dh
# file are the usual replacements.
cipher DES-EDE3-CBC
mode server
tls-server
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
tls-cipher DES-CBC3-SHA
tls-auth ta.key 0
# "DHCP" is not a valid dhcp-option type (valid types include DNS, WINS,
# DOMAIN); the usual form for pushing a resolver is `dhcp-option DNS <addr>`.
push "dhcp-option DHCP 192.168.22.11"
push "redirect-gateway"
ifconfig-pool-persist ipp.txt
server-bridge 192.168.22.11 255.255.255.0 192.168.22.100 192.168.22.110
mute 10
script-security 2

I'm testing locally for now, so my public IP doesn't appear.
Code:
#client1.conf
client
remote 192.168.22.12 1194
dev tap0
proto udp
pull
tls-client
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
user openvpn
group openvpn
resolv-retry infinite
nobind
persist-key
persist-tun
# ns-cert-type is deprecated; `remote-cert-tls server` is the modern equivalent.
ns-cert-type server
cipher DES-EDE3-CBC
comp-lzo
verb 2
mute 2

Authentication works fine, and I can ping my servers correctly through the tap0 interface. In short, everything is fine up to that point.
Where things get complicated is when, on my client (the OpenWrt bridge), I bridge the tap0 interface with br-lan.
From then on it's impossible to ping anything.
I should point out that on the server side the interface is already bridged at startup, so there is no problem there.
After that I ran a tcpdump -i tap0 on the server side and checked my ARP tables.
At first sight my server does receive the ICMP requests but cannot send them back, which pointed me towards iptables.
I have been looking at it for a while now, but I'm still struggling because there are a lot of chains on OpenWrt.
Here is the table
Code:
iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot opt in      out     source      destination
 8365 5011K ACCEPT              all  --  any     any     anywhere    anywhere     ctstate RELATED,ESTABLISHED
  202 12456 ACCEPT              all  --  lo      any     anywhere    anywhere
    3   152 syn_flood           tcp  --  any     any     anywhere    anywhere     tcp flags:FIN,SYN,RST,ACK/SYN
  939 79789 input_rule          all  --  any     any     anywhere    anywhere
  938 79581 input               all  --  any     any     anywhere    anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target              prot opt in      out     source      destination
12381 2217K zone_wan_MSSFIX     all  --  any     any     anywhere    anywhere
11987 2163K ACCEPT              all  --  any     any     anywhere    anywhere     ctstate RELATED,ESTABLISHED
  394 53781 forwarding_rule     all  --  any     any     anywhere    anywhere
  394 53781 forward             all  --  any     any     anywhere    anywhere
    0     0 reject              all  --  any     any     anywhere    anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot opt in      out     source      destination
 3112  352K ACCEPT              all  --  any     any     anywhere    anywhere     ctstate RELATED,ESTABLISHED
  202 12456 ACCEPT              all  --  any     lo      anywhere    anywhere
  229 20982 output_rule         all  --  any     any     anywhere    anywhere
  228 20921 output              all  --  any     any     anywhere    anywhere

Chain forward (1 references)
 pkts bytes target              prot opt in      out     source      destination
  316 39286 zone_lan_forward    all  --  br-lan  any     anywhere    anywhere
    0     0 zone_wan_forward    all  --  eth0.2  any     anywhere    anywhere

Chain forwarding_lan (1 references)
 pkts bytes target              prot opt in      out     source      destination

Chain forwarding_rule (1 references)
 pkts bytes target              prot opt in      out     source      destination
  394 53781 nat_reflection_fwd  all  --  any     any     anywhere    anywhere

Chain forwarding_wan (1 references)
 pkts bytes target              prot opt in      out     source      destination

Chain input (1 references)
 pkts bytes target              prot opt in      out     source      destination
  119  9354 zone_lan            all  --  br-lan  any     anywhere    anywhere
  109  5657 zone_wan            all  --  eth0.2  any     anywhere    anywhere

Chain input_lan (1 references)
 pkts bytes target              prot opt in      out     source      destination

Chain input_rule (1 references)
 pkts bytes target              prot opt in      out     source      destination

Chain input_wan (1 references)
 pkts bytes target              prot opt in      out     source      destination

Chain nat_reflection_fwd (1 references)
 pkts bytes target              prot opt in      out     source      destination

Chain output (1 references)
 pkts bytes target              prot opt in      out     source      destination
  228 20921 zone_lan_ACCEPT     all  --  any     any     anywhere    anywhere
  204 16233 zone_wan_ACCEPT     all  --  any     any     anywhere    anywhere

Chain output_rule (1 references)
 pkts bytes target              prot opt in      out     source      destination

Chain reject (5 references)
 pkts bytes target              prot opt in      out     source      destination
   32  1480 REJECT              tcp  --  any     any     anywhere    anywhere     reject-with tcp-reset
  251 15342 REJECT              all  --  any     any     anywhere    anywhere     reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target              prot opt in      out     source      destination
    3   152 RETURN              tcp  --  any     any     anywhere    anywhere     tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
    0     0 DROP                all  --  any     any     anywhere    anywhere

Chain zone_lan (1 references)
 pkts bytes target              prot opt in      out     source      destination
  472 45425 input_lan           all  --  any     any     anywhere    anywhere
  472 45425 zone_lan_ACCEPT     all  --  any     any     anywhere    anywhere

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 ACCEPT              all  --  any     br-lan  anywhere    anywhere
  119  9354 ACCEPT              all  --  br-lan  any     anywhere    anywhere

Chain zone_lan_DROP (0 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 DROP                all  --  any     br-lan  anywhere    anywhere
    0     0 DROP                all  --  br-lan  any     anywhere    anywhere

Chain zone_lan_MSSFIX (0 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 TCPMSS              tcp  --  any     br-lan  anywhere    anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 reject              all  --  any     br-lan  anywhere    anywhere
    0     0 reject              all  --  br-lan  any     anywhere    anywhere

Chain zone_lan_forward (1 references)
 pkts bytes target              prot opt in      out     source      destination
  394 53781 zone_wan_ACCEPT     all  --  any     any     anywhere    anywhere
   10   964 forwarding_lan      all  --  any     any     anywhere    anywhere
   10   964 zone_lan_REJECT     all  --  any     any     anywhere    anywhere

Chain zone_wan (1 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 ACCEPT              udp  --  any     any     anywhere    anywhere     udp dpt:bootpc
    0     0 ACCEPT              icmp --  any     any     anywhere    anywhere     icmp echo-request
  273 15858 input_wan           all  --  any     any     anywhere    anywhere
  273 15858 zone_wan_REJECT     all  --  any     any     anywhere    anywhere

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target              prot opt in      out     source      destination
  379 43358 ACCEPT              all  --  any     eth0.2  anywhere    anywhere
    0     0 ACCEPT              all  --  eth0.2  any     anywhere    anywhere

Chain zone_wan_DROP (0 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 DROP                all  --  any     eth0.2  anywhere    anywhere
    0     0 DROP                all  --  eth0.2  any     anywhere    anywhere

Chain zone_wan_MSSFIX (1 references)
 pkts bytes target              prot opt in      out     source      destination
  101  5252 TCPMSS              tcp  --  any     eth0.2  anywhere    anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_wan_REJECT (2 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 reject              all  --  any     eth0.2  anywhere    anywhere
  109  5657 reject              all  --  eth0.2  any     anywhere    anywhere

Chain zone_wan_forward (1 references)
 pkts bytes target              prot opt in      out     source      destination
    0     0 forwarding_wan      all  --  any     any     anywhere    anywhere
    0     0 zone_wan_REJECT     all  --  any     any     anywhere    anywhere

Could someone point me to a solution, or at least steer me in the right direction, for this problem?
Thanks in advance for your ideas and conclusions.
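Two checks that are worth running on the OpenWrt box once tap0 is a port of br-lan, as an added example (not part of the post above, and not OpenWrt's or OpenVPN's own tooling). Frames switched between two ports of a Linux bridge (here tap0 and the LAN ports) only pass through iptables at all when br_netfilter is loaded and the sysctl bridge-nf-call-iptables is 1; when it is, they traverse the FORWARD chain with both in and out set to the bridge device (br-lan), so they go through zone_lan_forward and its trailing zone_lan_REJECT rather than the wan rules. The script below reports that sysctl and then lists, from an `iptables -L -v` dump, every DROP/REJECT rule (or jump into OpenWrt's `reject` chain) whose packet counter is non-zero, with the in/out interfaces it matched. The embedded dump is a constructed, trimmed copy of the table above used only for the stand-alone run; on the router, pipe live output into the function while a ping is failing and compare counters between two runs.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for an OpenWrt box
# whose tap0 has just been added to br-lan:
#  1. does br_netfilter hand bridged frames to iptables at all?
#  2. in an `iptables -L -v` dump, which DROP/REJECT rules have actually
#     matched packets, and on which in/out interfaces?
# Both functions read from stdin or a file path so they can be run against
# saved output as well as live on the router.

# Constructed sample: a trimmed copy of the OP's dump, used only for the
# stand-alone run at the bottom. On the router, pipe live output instead.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8365 5011K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
   32  1480 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
  251 15342 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  any    eth0.2  anywhere             anywhere
  109  5657 reject     all  --  eth0.2 any     anywhere             anywhere'

# discarding_rules: reads an `iptables -L -v` dump on stdin and prints one
# line per DROP/REJECT rule (or jump into OpenWrt's "reject" chain) whose
# packet counter is non-zero:   <chain> <target> in=<if> out=<if> pkts=<n>
# Column layout of the dump: pkts bytes target prot opt in out source dest ...
discarding_rules() {
    awk '
        /^Chain /    { chain = $2; next }   # remember which chain we are in
        $1 == "pkts" { next }               # column header line
        NF >= 7 && $1 != "0" && ($3 == "DROP" || $3 == "REJECT" || $3 == "reject") {
            printf "%s %s in=%s out=%s pkts=%s\n", chain, $3, $6, $7, $1
        }'
}

# count_discarding: number of such rules found on stdin.
count_discarding() {
    discarding_rules | grep -c .
}

# bridge_nf_state: says whether frames switched across a Linux bridge are
# handed to iptables. Optional argument: path of the sysctl file (defaults
# to the live one; a saved copy can be given instead). Prints one word:
#   absent   - br_netfilter not loaded, bridged frames bypass iptables entirely
#   filtered - value 1, bridged frames traverse FORWARD with in=out=<bridge>
#   bypassed - value 0, bridged frames are switched without visiting iptables
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then
        echo absent
    elif [ "$(cat "$f")" = "1" ]; then
        echo filtered
    else
        echo bypassed
    fi
}

# Stand-alone run against the constructed sample:  sh thisscript.sh demo
# On the router, while a ping across the bridge is failing, run instead:
#   bridge_nf_state
#   iptables -L -v -n | discarding_rules
if [ "${1:-}" = "demo" ]; then
    echo "bridge-nf-call-iptables: $(bridge_nf_state)"
    printf '%s\n' "$SAMPLE_DUMP" | discarding_rules
fi
```

If `bridge_nf_state` prints `filtered`, the bridged ping is subject to the zone chains above with in=br-lan and out=br-lan, and a rule whose counter grows with each failed ping is the one to look at; if it prints `absent` or `bypassed`, iptables is not touching the bridged frames and the cause lies elsewhere (bridge membership, ARP, or the server side).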