
Topics - apos


I am trying to harden my Zentyal web server installation against attacks from outside.
What I would like to do is access the webadmin interface of a single-NIC internet server via the VPN network from my VPN client PC.

So I decided to install the VPN server.

I also added a virtual network card to the system which is part of the tun0 device, so it is only accessible via VPN.

The VPN server is working, and the virtual interface is working.

If I connect to the VPN and open the browser, I should be able to browse

Code:
and access the admin interface.
But I can't.

Code:
vpn-client (can NOT connect to webadmin interface on eth0:vpn:ADMINPORT)
vpn server (via single nic server)
eth0:vpn (virtual nic on eth0)
zentyal webadmin interface on port ADMINPORT
eth0 (localhost on server via ssh) (can connect to webadmin interface on eth0:vpn:ADMINPORT)

Code:
eth0 (== server ip)  XXX.XXX.35.201 (WAN address for internet services)
eth0:vpn      (virtual nic, webadmin interface should listen only here)
vpn  net      
advertised net

What works: I can reach the admin interface from within the server with (e.g in a ssh session)

Code:
root@vserver:> lynx
Any ideas? I think this is a NAT or firewall issue reaching the IP/port from outside of the local network, because the VPN network is not known to the firewall.

I already tried this with the following rules, which helped me reach ports from outside when using bridged networking on another server. But this DOES NOT WORK for the VPN network.

Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4444 -j DNAT --to-destination
iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 4444 -j DNAT --to-destination
iptables -t nat -A PREROUTING -j premodules
iptables -t nat -A FORWARD -d -p tcp -m state --state NEW -m tcp --dport 4444 -j ACCEPT
iptables -t nat -A FORWARD -j preforward

I also tried this:

Code:
route add -net dev tun0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -A FORWARD -p tcp -d --dport 4444 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 4444 -j DNAT --to

and this:

Code:
iptables -A ffwdrules -s -j ACCEPT

Code:
iptables -A FORWARD -i tap0 -j ACCEPT
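
The following shell script is an added example and is neither code from the post above nor Zentyal's own; it shows the defender-side shape of what the post is after: an admin port that only answers to clients arriving through the VPN tunnel, plus a check of where the admin service is actually bound. It goes beyond the post's FORWARD and NAT rules in one respect: a service bound on the server itself is reached through PREROUTING and INPUT, never through FORWARD, so the filtering happens in INPUT. The interface name tun0, the VPN subnet 10.8.0.0/24, the WAN address 203.0.113.201 and the chain name ADMIN_VPN are assumed placeholders; port 4444 is the port used in the post's own rules.

```shell
#!/bin/sh
# Added example: not code from the original post, nor Zentyal's own.
# It restricts a locally bound admin port to clients arriving over the VPN
# tunnel and checks where the admin service is actually listening.
# Interface, subnet, port and WAN address below are assumed placeholders.
VPN_IF="${VPN_IF:-tun0}"              # OpenVPN tunnel interface on the server
VPN_NET="${VPN_NET:-10.8.0.0/24}"     # VPN client subnet (constructed value)
ADMIN_PORT="${ADMIN_PORT:-4444}"      # admin port; 4444 is the port in the post's rules
WAN_ADDR="${WAN_ADDR:-203.0.113.201}" # WAN address placeholder (the post masks its own)
RUN="${RUN:-echo}"                    # RUN=echo prints the rules; RUN="" applies them (root)

# admin_vpn_rules: emit (or apply) the rule set for the admin port.
# A service bound on the server itself is reached via PREROUTING -> INPUT,
# never FORWARD, so no DNAT or FORWARD rule is involved for it.
admin_vpn_rules() {
    $RUN iptables -N ADMIN_VPN 2>/dev/null || true   # create the chain if missing
    $RUN iptables -F ADMIN_VPN                        # start from an empty chain
    # (re)attach the chain at the top of INPUT, for the admin port only
    $RUN iptables -D INPUT -p tcp --dport "$ADMIN_PORT" -j ADMIN_VPN 2>/dev/null || true
    $RUN iptables -I INPUT 1 -p tcp --dport "$ADMIN_PORT" -j ADMIN_VPN
    # keep local access on the server itself (the lynx-over-ssh check in the post)
    $RUN iptables -A ADMIN_VPN -i lo -j ACCEPT
    # accept clients that arrive through the tunnel from the VPN subnet
    $RUN iptables -A ADMIN_VPN -i "$VPN_IF" -s "$VPN_NET" -j ACCEPT
    # log (rate limited) and drop everything else, including the WAN side
    $RUN iptables -A ADMIN_VPN -m limit --limit 5/min -j LOG --log-prefix "ADMIN_VPN drop: "
    $RUN iptables -A ADMIN_VPN -j DROP
}

# listening_addrs: read `ss -ltn` output on stdin and print the local addresses
# on which ADMIN_PORT is bound, one per line.
listening_addrs() {
    awk -v port="$ADMIN_PORT" '
        NR > 1 {                         # skip the header line
            n = split($4, parts, ":")    # column 4 is Local Address:Port
            if (parts[n] == port) {
                sub(":" port "$", "", $4)
                print $4
            }
        }'
}

# admin_exposed: exit 0 when the admin port is bound on a wildcard or the WAN
# address (so only the firewall stands between it and the internet), 1 otherwise.
admin_exposed() {
    listening_addrs | grep -qxF -e 0.0.0.0 -e '[::]' -e "$WAN_ADDR"
}

# Stand-alone run: print (or apply) the rules, then check the live socket table.
admin_vpn_rules
if command -v ss >/dev/null 2>&1; then
    if ss -ltn | admin_exposed; then
        echo "WARNING: port $ADMIN_PORT answers on a wildcard or WAN address; only the firewall protects it"
    fi
fi
```

With the default RUN=echo the script only prints the iptables commands for review; run it as root with RUN= (empty) to apply them. Zentyal's firewall module manages iptables itself and regenerates its rules when it is restarted, so rules added by hand are useful for confirming the diagnosis, while the lasting rule belongs in Zentyal's own firewall configuration. The listening check matters independently of the firewall: if the webadmin service is bound to 0.0.0.0 rather than to the eth0:vpn address, the port is reachable from the WAN whenever the firewall rule is missing.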

