carlosmagno_rj
(usa Debian)
Enviado em 16/06/2012 - 11:49h
Caros colegas, bom dia.
estou com a seguinte dificuldade: tenho um servidor OpenVPN funcionando e os clientes estão se conectando perfeitamente ao servidor; pingo da rede interna para o IP da máquina externa e funciona perfeitamente, mas quando tento pingar de fora para a rede interna não pinga e nem acessa as máquinas.
seguem as configurações.
rede interna
eth1 = 10.42.43.0/24 rede interna
eth0 = dhcp rede externa
tun = 10.0.0.1 10.0.0.2 vpn
configuração do servidor
############################################################
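## Connection protocol: tcp / udp
proto udp
# Service port
port 1194
# Network interface driver (routed tunnel)
dev tun
# Hands out dynamic addresses to clients from this pool: the tunnel network
# between server and clients.
# NOTE(review): 10.0.0.0/24 is a very common LAN range; a client whose local
# network uses the same block will have a route conflict — confirm it is free.
server 10.0.0.0 255.255.255.0
# Routes and options pushed to clients so they can reach the internal LAN
push "route 10.42.43.0 255.255.255.0"
push "dhcp-option DNS 10.42.43.1"
push "dhcp-option WINS 10.42.43.1"
push "route-delay 2 600"
# Per-client configuration directory (static addresses, iroute, ...).
# NOTE(review): relative path, resolved against the daemon's working
# directory — confirm it matches how OpenVPN is started.
client-config-dir ccd
# Allow clients to reach each other through the server
client-to-client
# Client-side liveness checks.
# NOTE(review): "keepalive" below already pushes ping / ping-restart to the
# clients, so these two pushes duplicate it with a different ping-restart
# value; keep a single source for these settings.
push "ping 10"
push "ping-restart 60"
# LZO compression
comp-lzo
keepalive 10 120
# Retry hostname resolution forever.
# NOTE(review): this option governs resolving --remote on the client side;
# it has no effect on a server configuration without --remote.
resolv-retry infinite
# Persisted client -> tunnel address assignments
ifconfig-pool-persist /etc/openvpn/erros/ipp.txt
# Maximum number of concurrent clients
max-clients 10
# Do not re-read key files on restart (required when privileges are dropped)
persist-key
# Do not close/reopen the tun device on restart
persist-tun
# Log file (appended to, never truncated)
log-append /etc/openvpn/erros/servidor.log
# Log verbosity. verb 6 is debug-level output and grows the log quickly;
# 3 is the usual production level — lower it once debugging is finished.
verb 6
# TLS role: this side acts as the server
tls-server
# Keys required for the server and for external client access.
# NOTE(review): the filename suggests 1024-bit DH parameters, which are
# weak by current standards; regenerate with at least 2048 bits.
dh /etc/openvpn/chaves/dh1024.pem
ca /etc/openvpn/chaves/ca.crt
cert /etc/openvpn/chaves/servidor.crt
key /etc/openvpn/chaves/servidor.key
# HMAC protection for the TLS control channel. This must be a *static* key
# generated with `openvpn --genkey --secret` and shared with every client —
# NOT the server's private key, which the original pointed at: that is the
# wrong file format, and because the tls-auth key is distributed to all
# clients it invites copying the private key to them. Direction is 0 on
# the server and 1 on clients.
# (ta.key is a constructed sample name — use the file you actually generate.)
tls-auth /etc/openvpn/chaves/ta.key 0
status /etc/openvpn/erros/servidor.status
# Suppress repeated messages: after 20 consecutive messages in the same
# category the rest are muted.
mute 20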
###########################################################
configuração do firewall
############################################################
#!/bin/bash
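#######################################
# Loads netfilter modules, resets the filter/nat tables and installs the
# NAT, VPN, service and transparent-proxy rules.
# Globals:   none (writes /proc/sys/net/ipv4/ip_forward)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables command
#######################################
iniciar(){
  # Kernel modules. The FTP conntrack/NAT helpers were renamed from
  # ip_conntrack_ftp/ip_nat_ftp to nf_conntrack_ftp/nf_nat_ftp in newer
  # kernels, so try the new name first and fall back to the old one.
  modprobe ip_tables
  modprobe iptable_nat
  modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
  modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
  echo "Modulos carregados!"

  # Flush rules and delete user chains in filter and nat so the rules
  # below start from a clean state.
  iptables -F
  iptables -X
  iptables -F -t nat
  iptables -X -t nat
  # Log every forwarded packet. NOTE(review): unbounded — under load this
  # floods the kernel log; add `-m limit --limit 10/min` once debugging is done.
  iptables -A FORWARD -j LOG
  echo "Tabelas Limpas"

  # Default policies. NOTE(review): with INPUT at ACCEPT and the closing DROP
  # rules at the bottom commented out, every per-port ACCEPT below is a no-op
  # and the host accepts all inbound traffic. Switch INPUT (and FORWARD) to
  # DROP — keeping the loopback and ESTABLISHED,RELATED rules — to make the
  # port rules actually filter.
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  echo "Politicas Aplicadas"

  # Internet sharing: enable IP forwarding and masquerade traffic leaving
  # the external interface (eth0).
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  ############### VPN ##############################################
  # tun+ matches every tun interface (tun0 included), so no separate tun0 rule.
  iptables -I INPUT -i tun+ -j ACCEPT
  iptables -I OUTPUT -o tun+ -j ACCEPT
  iptables -I FORWARD -i tun+ -j ACCEPT
  iptables -I FORWARD -o tun+ -j ACCEPT
  iptables -A INPUT -i tap+ -j ACCEPT
  iptables -A FORWARD -i tap+ -j ACCEPT
  # Replies to connections this host already initiated (added once).
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Forwarding of LAN DNS (to 208.67.222.222) and mail traffic.
  iptables -A FORWARD -p udp -s 10.42.43.0/24 -d 208.67.222.222 --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp -s 208.67.222.222 --sport 53 -d 10.42.43.0/24 -j ACCEPT
  iptables -A FORWARD -p tcp -s 10.42.43.0/24 --dport 25 -j ACCEPT
  iptables -A FORWARD -p tcp -s 10.42.43.0/24 --dport 110 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
  iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
  iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
  # NOTE(review): this second MASQUERADE has no -o, so it also NATs traffic
  # leaving on eth1 and tun+; LAN hosts then see VPN clients as the server's
  # own address. Left in place because the VPN<->LAN path may currently rely
  # on it; once LAN hosts have a return route for 10.0.0.0/24 via this
  # server, the -o eth0 rule above is sufficient and this one can go.
  iptables -t nat -A POSTROUTING -j MASQUERADE

  # OpenVPN service
  iptables -A INPUT -p udp --dport 1194 -j ACCEPT
  echo "Porta 1194 vpn liberada"
  # POP3 service
  iptables -A INPUT -p tcp --dport 110 -j ACCEPT
  echo "Porta 110 pop3 liberada"
  # IMAP service
  iptables -A INPUT -p tcp --dport 993 -j ACCEPT
  echo "Porta 993 imap liberada"
  # SMTP service
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  echo "Porta 25 smtp liberada"
  # SSH service
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  echo "porta 22 ssh liberada"
  # DNS service: accept queries to port 53 over TCP and UDP. The original
  # accepted any UDP packet whose *source* port was 53, which lets anything
  # sent from port 53 bypass the filter; replies to this host's own queries
  # are already covered by the ESTABLISHED,RELATED rule above.
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  echo "Porta 53 dns liberada"

  # Loopback
  iptables -A INPUT -i lo -j ACCEPT
  # Anything arriving from the internal LAN on eth1
  iptables -A INPUT -s 10.42.43.0/255.255.255.0 -i eth1 -j ACCEPT
  # HTTP
  iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
  # Transparent proxy for LAN clients. This must match the *internal*
  # interface (eth1). The original used eth0, the external interface, which
  # leaves LAN clients unproxied and instead sends Internet-originated
  # port-80 traffic into the proxy on 3128 (how much that exposes depends on
  # the proxy's own ACLs). Add a matching rule with -i tun+ if VPN clients
  # should be proxied as well.
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
  echo "Proxy transparente ativado"
  # Close all other UDP/TCP ports (except those opened above). Left disabled
  # as in the original; enabling these (or a DROP policy) is what gives the
  # ACCEPT rules above any effect.
  #iptables -A INPUT -p udp --dport 0:9999 -j DROP
  #iptables -A INPUT -p tcp --dport 0:9999 -j DROP
}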
#######################################
# Removes every rule from the filter and nat tables.
# Chain policies are not touched (they are ACCEPT after iniciar) and
# ip_forward is not reset, so after this the host is fully open and still
# routes between interfaces — only the NAT/masquerade rules are gone.
# Globals:   none
# Arguments: none
# Outputs:   confirmation message on stdout
# Returns:   status of the echo
#######################################
parar(){
  local tabela
  for tabela in filter nat; do
    iptables -t "$tabela" -F
  done
  echo "Regras de firewall e
compartilhamento desativados"
}
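# Dispatch on the action argument. An unknown or missing action now reports
# usage on stderr and exits non-zero so init scripts and callers notice;
# the message also lists "restart", which the original usage text omitted.
case "${1:-}" in
  start) iniciar ;;
  stop) parar ;;
  restart) parar; iniciar ;;
  *)
    echo "Use os parâmetros start, stop ou restart" >&2
    exit 1
    ;;
esac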
#####################################################################