Commit 3a89d3d9 authored by Arnaud Fontaine

doc: clarify firewall section in the manpage.

Also, add iptables/ip6tables example configuration.
parent ced915a1
......@@ -179,21 +179,38 @@ some time to bootstrap. However, if you really think something goes wrong,
you should first enable OpenVPN logs and increase verbosity:
see commented directives in configuration generated by `re6st-conf`.
A common failure is caused by a misconfigured firewall:
Besides of firewall configuration described below, other security components
may also break re6st. For example, default SELinux configuration on Fedora
prevents execution of OpenVPN server processes.
- re6st launches several OpenVPN processes. Those in client mode may connect to
any TCP/UDP port in IPv4. Server processes only listen to ports specified
Misconfigured firewall
----------------------
A common failure is caused by a misconfigured firewall. The following ports
need to be opened:
- **TCP/UDP ports 1194** (Specified by ``--pp`` option and default on `1194`):
re6st launches several OpenVPN processes. Those in client mode may connect
to any TCP/UDP port in IPv4. Server processes only listen to ports specified
by ``--pp`` option.
- re6st nodes use UDP port 326 to communicate.
It must be open on all re6st IPv6.
- **UDP port 326**: used by re6st nodes to communicate. It must be open on all
re6st IPv6.
- **UDP port 6696 on link-local IPv6 (fe80::/10)** on all interfaces managed
by Babel: OpenVPN always aborts due to inactivity timeout when Babel paquets
are filtered.
- **ICMPv6 neighbor-solicitation/neighbor-advertisement**. Moreover, the
following ICMPv6 packets should also generally be allowed in an IPv6
network: `destination-unreachable`, `packet-too-big`, `time-exceeded`,
`parameter-problem`.
- OpenVPN always aborts due to inactivity timeout when Babel paquets are
filtered. UDP port 6696 must be open on link-local IPv6 of all interfaces
managed by Babel.
- **UDP source port 1900**: required for UPnP server (see `Setting up a UPnP
server`_ for further explanations).
Other security components may also break re6st. For example, default SELinux
configuration on Fedora prevents execution of OpenVPN server processes.
You can refer to `examples/iptables-rules.sh` for an example of iptables and
ip6tables rules.
SEE ALSO
========
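Review bot: the bullet header **TCP/UDP ports 1194** hard-codes the default while the bullet body says server processes only listen on whatever ``--pp`` specifies, and the parenthetical "(Specified by ``--pp`` option and default on `1194`)" is ungrammatical; suggest **OpenVPN server ports** (``--pp`` option, default TCP/UDP 1194) so readers who changed ``--pp`` do not open the wrong port. The same list mixes ``--pp`` (double backticks) with `1194` (single), so pick one inline-literal style. Also "Babel paquets" in the UDP 6696 bullet should read "Babel packets"; the typo was carried over from the old text.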
......
#!/bin/sh
#
# Example iptables/ip6tables rules for re6st on a desktop computer: REJECT
# everything by default:
#
# - Incoming traffic (INPUT): only open ports needed for re6st and also allow
# packets associated with an existing connection (ESTABLISHED, RELATED).
#
# - Forwarding traffic (FORWARD): do nothing as a re6st node is a router and
# it is crucial that it never drops any packet between two other nodes.
#
# - Outgoing traffic (OUTPUT): allow new/existing connections (NEW,
# ESTABLISHED, RELATED).
#
# WARNING: THIS SCRIPT *MUST NOT* JUST BE COPY-PASTED WITHOUT A BASIC
# UNDERSTANDING OF IPTABLES/IP6TABLES (see iptables(8) and
# iptables-extensions(8) manpages).
GATEWAY_IP=192.168.0.1
## IPv4
iptables -P INPUT REJECT
iptables -P OUTPUT REJECT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 900/min -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 900/min -j ACCEPT
# re6st
iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
# UPnP
iptables -A INPUT -p udp -m udp --sport 1900 -s $GATEWAY_IP -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
## IPv6
ip6tables -P INPUT REJECT
ip6tables -P OUTPUT REJECT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport babel --src fe80::/10 -j ACCEPT
# Babel
ip6tables -A INPUT -i re6stnet+ -p udp -m udp --dport 326 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 900/min -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
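Review bot: `iptables -P INPUT REJECT` and the other three `-P ... REJECT` lines fail with "Bad policy name": REJECT is a target extension, not a built-in chain policy, which only accepts ACCEPT, DROP or RETURN. Because the script does not `set -e`, execution continues and the chain policy keeps its previous value (ACCEPT on a fresh system), so the "REJECT everything by default" promised in the header comment is silently not enforced. Use `-P INPUT DROP` / `-P OUTPUT DROP`, and if reject semantics are wanted append a final `-A INPUT -j REJECT` after the ACCEPT rules. Two smaller points in the same file: the IPv4 section only opens `--dport 1194` for TCP, whereas the manpage hunk says the ``--pp`` ports are TCP/UDP, so a UDP 1194 rule is missing (and the port belongs in a variable next to GATEWAY_IP rather than hard-coded); and the `# Babel` comment sits above the UDP 326 rule while the actual Babel rule above it uses `--dport babel`, which only resolves if /etc/services defines that name, so `--dport 6696` matches the manpage and removes the dependency.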