# FireHOL & Bridging, iptables & VPN

## Crimson Rider

Hey guys,

I have this nice firewall setup that I am giving FireHOL a go with.

It has:

eth0, my internet thing

eth1 & tap0 bridged in br0, for my VPN thing

And there is the trouble. As long as FireHOL is turned off, I can log in to my VPN with a client and ping the network, i.e. I can log in via VPN and ping host 192.168.40.52.

Then, I turn on FireHOL and get this:

Ping myself, the VPN client, on 192.168.40.224, works both ways

Ping the server, 192.168.40.10, works both ways

But, ping 192.168.40.52, a host somewhere on the LAN, I get this

Jan 17 17:12:31 [kernel] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1 SRC=192.168.40.224 DST=192.168.40.52 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42464 DF PROTO=TCP SPT=2545 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0

Anyone got a clue what to do here? This is my conf, if it helps:

```
version 5

# My cool SSH thing
server_SSHSafe_ports="tcp/6036"
client_SSHSafe_ports="default"
server_SSH443_ports="tcp/443"
client_SSH443_ports="default"

# VPN Server
server_openvpn_ports="tcp/1194"
client_openvpn_ports="default"

# My Internet Host
interface eth0 Internet
        server  SSHSafe         accept
        server  SSH443          accept
        server  http            accept
        server  smtp            accept
        server  dns             accept
        server  openvpn         accept
        client  all             accept

# My local physical LAN card
# (interface line commented out, so the two statements below still belong to eth0 above)
#interface eth1 LAN
        server  all             accept
        client  all             accept

# My local tap interface, Ruby VPN
interface tap0 Ruby-VPN
        server  all             accept
        client  all             accept

# My Bridge, for 192.168.40.0/24
interface br0 Bridge
        server  all             accept
        client  all             accept
        server  icmp            accept
        client  icmp            accept

router tap2lan inface tap0 outface eth1
        route   all             accept
```

----------

## Strowi

hi,

were you able to resolve this?

I have kinda the same problem here... 1*ppp, (2*LAN+1*WLAN) bridged.

I thought I'd give firehol a try when I was reinstalling; except for connections within the bridge it works as expected.

At least my previous iptables-script works, maybe someone can figure out the difference...

```
#!/bin/bash
#
#   Firewall script for Yggdrasill (WG-Server)
#   by Strowi@HasNoName.de
#

LAN="br0"
DSL="ppp0"
IP="iptables"

# Flush rules
$IP -F
$IP -t nat -F
$IP -X

# IP forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Lock services to LAN
$IP -P INPUT DROP
$IP -P OUTPUT ACCEPT
$IP -P FORWARD DROP
$IP -I INPUT 1 -i $LAN -j ACCEPT
$IP -I INPUT 1 -i lo -j ACCEPT

# Accept already established connections
$IP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow NEW LAN -> server connections (anything not arriving on the DSL link)
$IP -A INPUT ! -i $DSL -m state --state NEW -j ACCEPT

# Different ICMP types
$IP -A INPUT -i $DSL -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IP -A INPUT -i $DSL -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IP -A INPUT -i $DSL -p icmp -m icmp --icmp-type 11 -j ACCEPT
# ... (further rules omitted in the post)

# Forwarding
#$IP -I FORWARD -i $LAN -d 192.168.2.0/255.255.255.0 -j DROP
$IP -A FORWARD -i $LAN -s 192.168.2.0/255.255.255.0 -j ACCEPT
$IP -A FORWARD -i $DSL -d 192.168.2.0/255.255.255.0 -j ACCEPT
#$IP -A FORWARD -i $LAN -d 192.168.2.0/255.255.255.0 -j DROP
$IP -t nat -A POSTROUTING -o $DSL -j MASQUERADE

# Forward SSH from DSL -> specific LAN PC
# ($STROWI and $MATHIAS hold the LAN hosts' addresses; they are set in the part of the script not shown)
$IP -t nat -A PREROUTING -p tcp -m tcp --dport 220 -j DNAT --to-destination $STROWI:22
$IP -t nat -A PREROUTING -p tcp -m tcp --dport 221 -j DNAT --to-destination $MATHIAS:22
#$IP -t nat -A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.2.1:22
```

----------

## Crimson Rider

Yeah, I did resolve it.

Here is the crux of how:

```
version 5

FIREHOL_LOG_LEVEL="5"
FIREHOL_LOG_MODE="LOG"
FIREHOL_LOAD_KERNEL_MODULES=0

# My cool SSH thing
server_SSHSafe_ports="tcp/6036"
client_SSHSafe_ports="default"
server_SSH443_ports="tcp/443"
client_SSH443_ports="default"

# VPN Server
server_openvpn_ports="tcp/1194"
client_openvpn_ports="default"

# IMAP SSL
server_imapssl_ports="tcp/993"
client_imapssl_ports="default"

# MySQL
server_mysql_ports="tcp/3306"
client_mysql_ports="default"

# Teamspeak
server_teamspeak_ports="udp/8767"
client_teamspeak_ports="default"

# torrent
server_torrent_ports="tcp/59010 tcp/59011 tcp/59012 tcp/59013 udp/59010 udp/59010 udp/59011 udp/59012 udp/59013"
client_torrent_ports="default"

# torrent tracker
server_tracker_ports="tcp/8082 udp/8082"
client_tracker_ports="default"

# block
server_blocker_ports="  tcp/135         udp/135
                        tcp/137         udp/137
                        tcp/138         udp/138
                        tcp/139         udp/139
                        tcp/445         udp/445
                        tcp/1433        udp/1433
                        tcp/1434        udp/1434
                        tcp/2967        udp/2967
                        tcp/5900        udp/5900
                        tcp/6881        udp/6881
                        tcp/8080        udp/8080
                        tcp/3128        udp/3128
                        tcp/59001       udp/59001"
client_blocker_ports="default"

#The Lans
# lan="192.168.0.0/16"

# My Internet Host
interface eth0 Internet
        protection strong 500/sec 500
        policy reject
        server ident reject with tcp-reset
        client  multicast reject with proto-unreach
        server  SSHSafe         accept
        server  SSH443          accept
        server  http            accept
        server  smtp            accept
        server  dns             accept
        server  openvpn         accept
        server  imapssl         accept
        server  pop3            accept
        server  teamspeak       accept
        server  torrent         accept
        server  tracker         accept
        server  mysql           accept
        server  icmp            accept
        server  blocker         reject
        client  samba           reject
        client  all             accept

# My Bridge, for 192.168.40.0/24
interface br0 Bridge
        server  all             accept
        client  all             accept

# My local tap interface, Diamond VPN
interface tap1 Diamond-VPN
        server  all             accept
        client  all             accept

# Allow routing for the lan
router lan2internet inface br0 outface eth0
        masquerade
        route   all             accept

# Allow routing over the lan bridge to tap1 - Diamond VPN
router bridge2vpn inface br0 outface tap1
        masquerade
        route   all             accept

router vpn2bridge inface tap1 outface br0
        route   all             accept

# Allow routing over the bridge for tap0 - Ruby VPN
router tap2lan inface br0 outface br0 physin eth1 physout tap0
        route   all             accept

router lan2tap inface br0 outface br0 physin tap0 physout eth1
        route   all             accept
```

The last 4 entries are the key here. If it doesn't work for you, gimme a post.
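The reason those four entries work is visible in the kernel log line from the first post: a frame crossing the bridge reaches FORWARD with IN=br0 and OUT=br0, and only PHYSIN/PHYSOUT name the real ports, so a rule has to match on physdev. The script below is an added example (not FireHOL's or either poster's code): it parses such a log line and prints the iptables physdev rule and the equivalent pair of FireHOL router stanzas; the router names it generates are made up.

```shell
#!/bin/sh
# Constructed sample input: the kernel log line quoted in the first post.
LOG_LINE="Jan 17 17:12:31 [kernel] 'PASS-unknown:'IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth1 SRC=192.168.40.224 DST=192.168.40.52 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42464 DF PROTO=TCP SPT=2545 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0"

# log_field LINE KEY: print the value of KEY= from a netfilter LOG line.
# The log prefix ('PASS-unknown:' here) is glued to the first field, so strip it first.
log_field() {
    printf '%s\n' "$1" | sed "s/^[^']*'[^']*'//" | tr ' ' '\n' \
        | sed -n "s/^$2=//p" | head -n 1
}

# physdev_rule LINE: print the iptables FORWARD rule matching this flow.
# On a bridge IN and OUT are both the bridge device, so only the physdev match
# (the real ports behind the bridge) can single out tap0 -> eth1 traffic.
# Fails when the line has no PHYSIN/PHYSOUT, i.e. the packet was routed, not bridged.
physdev_rule() {
    ifc=$(log_field "$1" IN); ofc=$(log_field "$1" OUT)
    pin=$(log_field "$1" PHYSIN); pout=$(log_field "$1" PHYSOUT)
    if [ -z "$pin" ] || [ -z "$pout" ]; then
        echo "not a bridged flow: no PHYSIN/PHYSOUT in log line" >&2
        return 1
    fi
    printf 'iptables -A FORWARD -i %s -o %s -m physdev --physdev-in %s --physdev-out %s -j ACCEPT\n' \
        "$ifc" "$ofc" "$pin" "$pout"
}

# firehol_routers LINE: the same flow as FireHOL router stanzas, one per direction,
# mirroring the tap2lan/lan2tap pair above (router names here are made up).
firehol_routers() {
    ifc=$(log_field "$1" IN); ofc=$(log_field "$1" OUT)
    pin=$(log_field "$1" PHYSIN); pout=$(log_field "$1" PHYSOUT)
    [ -n "$pin" ] && [ -n "$pout" ] || return 1
    printf 'router %s_to_%s inface %s outface %s physin %s physout %s\n\troute all accept\n' \
        "$pin" "$pout" "$ifc" "$ofc" "$pin" "$pout"
    printf 'router %s_to_%s inface %s outface %s physin %s physout %s\n\troute all accept\n' \
        "$pout" "$pin" "$ofc" "$ifc" "$pout" "$pin"
}

physdev_rule "$LOG_LINE"
firehol_routers "$LOG_LINE"
```

A line logged for the host's own traffic (IN empty, no PHYSIN/PHYSOUT) is rejected, which is the quick way to tell a bridging problem from a plain routing or INPUT/OUTPUT problem.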

----------

## Strowi

thx, with your input I was able to add the following 4 lines and now the query goes through...

```
router br02lan inface br0 outface br0
        route all accept

router lan2br0 inface br0 outface br0
        route all accept
```

on a sidenote: do you know how I can forward lan2internet port 80 to 8080 (squid)? I would like to force everyone on the net to use the proxy....

----------

## Crimson Rider

yes I do :)

You can do it the hard way, by intercepting all traffic to port 80 and redirecting that.

Or the easy way, by using the functions provided in Firehol

From the documentation at http://firehol.sourceforge.net/

```
transparent_squid <port> <user> [optional rule parameters]

The transparent_squid helper sets up transparent caching for HTTP traffic. It is equivalent to:

transparent_proxy 80 <port> <user> [optional rule parameters]

Example 1: transparent_squid 3128 squid inface eth0 src 10.0.0.0/8

Example 2: transparent_squid 8080 "squid privoxy root bin" inface not "ppp+ ipsec+" dst not "a.not.proxied.server" 
```

----------

## Strowi

and thx again... I must have missed that part of the documentation.

All I saw was a statement like this in the provided example file for lan-gateways.

```
SQUID_PORT="8080"                   # Leave empty to disable SQUID
SQUID_USERS="squid"                 # Users to be excluded from the cache
SQUID_EXCLUDE="192.168.2.1"         # Web Server IPs to be excluded from the cache
```

But that gave me only some errors from squid (without it and manually selecting the proxy everything worked).

Thx again for your help, I will do some testing over the weekend.

----------

## Strowi

ok, solved the above, but now I cannot access the internet from the gateway running the firewall/proxy:

```
IN= OUT=ppp0 SRC=87.78.76.100 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49319 DF PROTO=TCP SPT=49638 DPT=3128 WINDOW=5808 RES=0x00 SYN URGP=0
```

----------

