
I have a server that I am trying to set up for OpenVPN. I have followed all the steps, but when I try to connect to it from Windows it doesn't let me in; it just hangs on "connecting". So I did an nmap scan and saw that port 1194 is not open, so naturally I appended a rule to open 1194 with:

iptables -A INPUT -i eth0 -p tcp --dport 1194 -j ACCEPT

followed by `service iptables save` and `service iptables restart`, which both executed successfully.

Then I try again, but it doesn't work, and another nmap scan says that port 1194 is closed.

Here is the iptables configuration:

# Generated by iptables-save v1.4.7 on Thu Oct 31 09:47:38 2013
*nat
:PREROUTING ACCEPT [27410:3091993]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [5042:376160]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 41.185.26.238
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 31 09:47:38 2013
# Generated by iptables-save v1.4.7 on Thu Oct 31 09:47:38 2013
*filter
:INPUT ACCEPT [23571:2869068]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27558:3656524]
:vl - [0:0]
-A INPUT -p tcp -m tcp --dport 5252 -m comment --comment "SSH Secure" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -$
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m comment --comment "HTTPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "HTTP Encrypted" -j ACCEP$
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j A$
COMMIT
# Completed on Thu Oct 31 09:47:38 2013

and my nmap scan from:

  • localhost:

    nmap localhost
    
    Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-31 09:53 SAST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000011s latency).
    Other addresses for localhost (not scanned): 127.0.0.1
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    443/tcp  open  https
    1723/tcp open  pptp
    
    Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
    
  • remote pc:

    nmap [server ip]
    
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-31 09:53 SAST
    Nmap scan report for rla04-nix1.wadns.net (41.185.26.238)
    Host is up (0.025s latency).
    Not shown: 858 filtered ports, 139 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    443/tcp  open  https
    8008/tcp open  http
    
    Nmap done: 1 IP address (1 host up) scanned in 15.70 seconds
    

So, I do not know what is causing this, any assistance will be appreciated!

UPDATE AFTER FIRST ANSWER:

[root@RLA04-NIX1 ~]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@RLA04-NIX1 ~]# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
[root@RLA04-NIX1 ~]# iptables -A FORWARD -j REJECT
[root@RLA04-NIX1 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@RLA04-NIX1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@RLA04-NIX1 ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter nat [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@RLA04-NIX1 ~]# lsof -i :1194
-bash: lsof: command not found

iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5252 /* SSH Secure */ 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW,RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 /* SSH */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 /* HTTP */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 /* HTTPS */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 /* HTTP Encrypted */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 state RELATED,ESTABLISHED 

Chain vl (0 references)
target     prot opt source               destination         
[root@RLA04-NIX1 ~]# nmap localhostt

Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-31 11:13 SAST

remote pc

nmap [server ip]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-31 11:11 SAST
Nmap scan report for rla04-nix1.wadns.net (41.185.26.238)
Host is up (0.020s latency).
Not shown: 858 filtered ports, 139 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8008/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.18 seconds

localhost

nmap localhost

Starting Nmap 5.51 ( http://nmap.org ) at 2013-10-31 11:13 SAST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
443/tcp  open  https
1723/tcp open  pptp

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

UPDATE AFTER SCANNING UDP PORTS

Sorry, I am a noob and still learning, but here is the output for:

nmap -sU [server ip]

Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-31 11:33 SAST
Nmap scan report for [server address] ([server ip])
Host is up (0.021s latency).
Not shown: 997 open|filtered ports
PORT      STATE  SERVICE
53/udp    closed domain
123/udp   closed ntp
33459/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 8.57 seconds

By the way, no changes have been made since the post started (except for the iptables changes).

user2699451
    Leaving all other considerations aside, you've opened up a single **UDP** port (according to your `iptables-save` output), then done an nmap scan (which by default checks a number of commonly-used **TCP** ports), and you're surprised you can't see the change? – MadHatter Oct 31 '13 at 08:28
  • Does your SMTP server listen on all interfaces ? It could be local-only... – mveroone Oct 31 '13 at 08:31
  • Sorry? How did an SMTP server get into this? – MadHatter Oct 31 '13 at 08:34
  • My bad. I compared the two nmap outputs thinking that was the port not "openning" – mveroone Oct 31 '13 at 09:14

2 Answers


You are still checking for a UDP service by running nmap in TCP port-scanning mode. This is never going to work. If you insist on using nmap to verify the new firewall hole (and myself, I'd just start up a client and see if it connects), at least run it in UDP mode, with nmap -sU.

Edit: OK, now you're at least checking UDP, but you're also assuming that 1194 is one of the automatically-scanned ports. Try nmap -sU -p 1194 [server ip]. That's the only one you're interested in, anyway. And can you confirm the OpenVPN server daemon is running? There won't be much to talk to if it's not. And please do consider my earlier suggestion: running the OpenVPN client as a connectivity test. It's going to give you much more useful information than nmap, because it can talk to the service in a manner that will elicit a response, and it will report usefully thereon.

bonsaiviking
MadHatter
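The answer above turns on two checks: what the STATE column of a UDP scan of one port actually tells you, and whether the OpenVPN daemon is bound to that port at all (the server in the question has no `lsof`, so `netstat -lnup` is the stand-in). The script below is an added example, not code from the question or either answer: it reads constructed sample output (a `nmap -sU -p 1194` report and a `netstat -lnup` listing, with documentation addresses and a made-up PID), explains the scan state the way a defender should read it, and confirms the listener. The real commands would be run on the client and the server respectively and their output fed to these functions.

```shell
#!/bin/sh
# Reading a single-port UDP scan of an OpenVPN server and confirming the
# listener. Both inputs below are constructed samples, not output from the
# question's host: nmap's report for "nmap -sU -p 1194 <server ip>" run on
# the client, and "netstat -lnup" run on the server (lsof was not installed).

NMAP_UDP_OUT='Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-31 11:40 SAST
Nmap scan report for vpn.example.net (192.0.2.10)
Host is up (0.021s latency).
PORT     STATE         SERVICE
1194/udp open|filtered openvpn

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds'

NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1234/openvpn
udp        0      0 127.0.0.1:123           0.0.0.0:*                           987/ntpd'

# nmap_udp_state OUTPUT PORT -> prints nmap's STATE column for PORT/udp
nmap_udp_state() {
    printf '%s\n' "$1" | awk -v p="$2/udp" '$1 == p { print $2 }'
}

# explain_udp_state STATE -> what each UDP scan state means for a server you own
explain_udp_state() {
    case "$1" in
        closed)
            echo "closed: an ICMP port-unreachable came back, so either nothing is bound to the port or a REJECT rule answered; check the daemon before the firewall" ;;
        "open|filtered")
            echo "open|filtered: no reply at all, which is normal for OpenVPN (it ignores probes it cannot authenticate); the scan is inconclusive and the client is the real test" ;;
        open)
            echo "open: the service answered the probe, so it is reachable" ;;
        filtered)
            echo "filtered: an ICMP error other than port-unreachable came back, typically an administrative filter in the path" ;;
        *)
            echo "unknown state '$1'" ;;
    esac
}

# udp_listener OUTPUT PORT -> prints "local-address program" for a udp socket
# bound to PORT; exits 1 when nothing is listening there
udp_listener() {
    printf '%s\n' "$1" | awk -v p=":$2" \
        '$1 == "udp" && substr($4, length($4) - length(p) + 1) == p { print $4, $NF; found = 1 }
         END { exit !found }'
}

state=$(nmap_udp_state "$NMAP_UDP_OUT" 1194)
echo "client side: $(explain_udp_state "$state")"
if udp_listener "$NETSTAT_OUT" 1194; then
    echo "server side: openvpn is bound to udp/1194, so a hang is a firewall or client-config problem"
else
    echo "server side: no udp/1194 listener; start the daemon before touching iptables again"
fi
```

The point the two functions make together: a `closed` result from the client with a listener present on the server points at the firewall (a REJECT answering with port-unreachable), while `open|filtered` tells you nothing either way and only a real client connection attempt does.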

By default VPN would use UDP port 1194 for its traffic, you can check this by running lsof -i :1194 and you'll see if VPN is using TCP or UDP for its traffic (depending on your VPN configuration).

On a basic server installation these iptables rules would be sufficient to make the VPN work:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

And lastly you would need to enable ip_forward in your sysctl:
echo 1 > /proc/sys/net/ipv4/ip_forward

Tabiko
  • okay, so I appended the rules to iptables, saved and restarted, and "nmaped" from remote pc, exactly the same, port 1194 is accepting (input) but is not listed as open on nmap, via remote and localhost – user2699451 Oct 31 '13 at 09:13
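Two things stand out when the rules from this answer are appended to the ruleset already posted in the question: the saved table shows the same MASQUERADE line eight times and, after the update, the FORWARD rules twice, because every `iptables -A` re-run appends another copy; and the INPUT rule that matters must accept the protocol OpenVPN is really configured for (udp/1194 in the saved file, while the rule the asker first added was for tcp). The script below is an added example, not code from the question or this answer: it audits a constructed ruleset in `iptables-save` format (the format of `/etc/sysconfig/iptables` written by `service iptables save`, here with a shorter made-up rule list) for an INPUT ACCEPT on the VPN port per protocol and lists rules that occur more than once, and defines an `ensure_rule` helper that appends a rule only when `iptables -C` reports it absent (`-C` exists from iptables 1.4.11; the 1.4.7 in the question lacks it, so there you would grep `iptables-save` output instead).

```shell
#!/bin/sh
# Audit a saved ruleset (iptables-save format) for an OpenVPN server:
#  - does INPUT accept the VPN port in the protocol the daemon actually uses?
#  - which rules were appended more than once by re-running "iptables -A"?
# SAMPLE_RULES is constructed for this example; it is modelled on, but is
# not, the ruleset from the question.

SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# input_accepts PROTO PORT RULESET -> exit 0 if an INPUT rule accepts PROTO/PORT
input_accepts() {
    printf '%s\n' "$3" | grep -q -- "^-A INPUT .*-p $1 .*--dport $2 .*-j ACCEPT"
}

# duplicate_rules RULESET -> prints each "-A" rule that occurs more than once
# (one line per distinct duplicated rule)
duplicate_rules() {
    printf '%s\n' "$1" | grep -- '^-A ' | sort | uniq -d
}

# ensure_rule TABLE CHAIN RULE... -> append RULE only if it is not already
# present, so the script can be re-run without growing the chain.
# Needs iptables >= 1.4.11 for -C. Defined for use on the server; not
# called in this offline example.
ensure_rule() {
    table=$1; chain=$2; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
}

for proto in udp tcp; do
    if input_accepts "$proto" 1194 "$SAMPLE_RULES"; then
        echo "INPUT accepts $proto/1194"
    else
        echo "INPUT has no ACCEPT for $proto/1194 (fine only if the server is not configured for $proto)"
    fi
done
echo "rules appended more than once:"
duplicate_rules "$SAMPLE_RULES"
```

Duplicates in the nat POSTROUTING chain are harmless but noisy; duplicates in a filter chain matter more, because a stray second `-j REJECT` can sit above a rule you add later and silently shadow it. Running the audit against `iptables-save` output before and after each change makes that visible.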