[OpenWireless Tech] No probl/ which VPN

Andy Green andy at warmcat.com
Wed Nov 7 08:34:58 PST 2012


Hi -

Super... you've turned my scribble into the real deal.  Thanks!

The reasoning for the private space bits is that we shouldn't want an untrusted client to even be able to fire anything at 1176 on the local network, in case there's a VPN server there.  The clients are just not invited or able to touch the local side, full stop.

-Andy



michi1 at michaelblizek.twilightparadox.com wrote:

>Hi!
>
>On 18:27 Wed 07 Nov , "Andy Green (林安廸)" wrote:
>...
>> We need something like
>> 
>> iptables -A INPUT -i wlan0 -j DROP
>> iptables -A INPUT -i wlan0 -p udp --dport 1194 -j ACCEPT
>> iptables -A INPUT -i wlan0 -d 10.0.0.0/8 -p udp -j DROP
>> iptables -A INPUT -i wlan0 -d 192.168.0.0/16 -p udp -j DROP
>> iptables -A INPUT -i wlan0 -d 172.16.0.0/12 -p udp -j DROP
>
>No, this is wrong:
>1) The first rule will drop everything and all other rules will not
>apply.
>2) INPUT == to a local program, we need forward
>3) Why special-casing the private IP spaces?
>4) OpenVPN needs TCP 1194 too
>
>It should look like this:
>#wlan0 == public wlan
>#eth0 == internet
>iptables -A FORWARD -i wlan0 -o eth0 -p udp --dport 1194 -j ACCEPT
>iptables -A FORWARD -i wlan0 -o eth0 -p tcp --dport 1194 -j ACCEPT
>iptables -A FORWARD -i eth0 -o wlan0 -p udp --sport 1194 -j ACCEPT
>iptables -A FORWARD -i eth0 -o wlan0 -p tcp --sport 1194 -j ACCEPT
>iptables -A FORWARD -i wlan0 -j DROP
>iptables -A FORWARD -o wlan0 -j DROP
>iptables -A INPUT -i wlan0 -j DROP
>iptables -A OUTPUT -o wlan0 -j DROP
>
>	-Michi
>-- 
>programing a layer 3+4 network protocol for mesh networks
>see http://michaelblizek.twilightparadox.com
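The ruleset the two messages converge on, written out as an added example (my code, not Andy's or Michi's, and not part of the original thread). It assumes wlan0 is the open guest network and eth0 the Internet uplink, that the router hands out DHCP leases itself (guests need a lease before anything else works), and uses conntrack state for the return path instead of trusting a source port of 1194. The private-space DROPs sit before the port-1194 ACCEPT so that Andy's concern, a VPN server on the local side of eth0, is covered even though the chain already ends in a catch-all DROP.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster): rules for an
# OpenWireless-style router whose open guest Wi-Fi is wlan0 and whose uplink
# is eth0. Guests may only open OpenVPN sessions (udp/tcp 1194) towards the
# Internet; they get nothing from the router itself except a DHCP lease
# (assumption: the router runs the DHCP server), and they are never allowed
# to reach private address space, not even on port 1194.
set -eu

WLAN=${WLAN:-wlan0}        # open guest network
WAN=${WAN:-eth0}           # Internet uplink
VPN_PORT=${VPN_PORT:-1194}
# RFC 1918 plus link-local; assumption: nothing a guest should see lives there
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Run one iptables command, or only print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

open_wireless_rules() {
    # Order matters (Michi's point 1): the catch-all DROP goes last, and the
    # private-space DROPs go before the port-1194 ACCEPT so the ACCEPT can
    # never match a VPN server sitting on the local side of eth0.
    for net in $PRIVATE_NETS; do
        ipt -A FORWARD -i "$WLAN" -d "$net" -j DROP
    done
    for proto in udp tcp; do
        ipt -A FORWARD -i "$WLAN" -o "$WAN" -p "$proto" --dport "$VPN_PORT" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Replies only for sessions accepted above, rather than anything with --sport 1194.
    ipt -A FORWARD -i "$WAN" -o "$WLAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WLAN" -j DROP
    ipt -A FORWARD -o "$WLAN" -j DROP
    # The router itself: DHCP only (assumption), everything else dropped.
    ipt -A INPUT  -i "$WLAN" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A INPUT  -i "$WLAN" -j DROP
    ipt -A OUTPUT -o "$WLAN" -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -A OUTPUT -o "$WLAN" -j DROP
}

case "${1:-}" in
    apply) open_wireless_rules ;;            # needs root on the router
    *)     DRY_RUN=1 open_wireless_rules ;;  # default: print the rules, apply nothing
esac
```

Run it without arguments to review the generated rules, and as root with `apply` to load them. Note that the rules as written do not let guests resolve names: if the OpenVPN client config points at a hostname rather than an IP, DNS for guests is a separate hole that has to be opened deliberately, not something this ruleset grants by accident.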
