ISPConfig3, Bastille Firewall and OpenVPN: The solution of this mystery.

Discussion in 'Installation/Configuration' started by m33ts4k0z, Jun 23, 2013.

  1. m33ts4k0z

    m33ts4k0z New Member

    Hello,

    I was trying to set up OpenVPN on my Debian Wheezy server for the last 4 days. After a lot of mess-ups and after some runs at the office to re-enable the firewall rules since I managed to lock myself out from the remote desktop several times, I now managed to fix this.

    For some reason Bastille wouldn't accept the following rules manually:

    Code:
     iptables -A INPUT -i tun+ -j ACCEPT
     iptables -A FORWARD -i tun+ -j ACCEPT
     iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    Although these commands would work without Bastille enabled, they wouldn't if it was enabled. No error was received and the rules were getting inserted in the iptables but Bastille would just ignore them.

    The solution was simple after all:

    Open /etc/Bastille/bastille-firewall.cfg
    Search for:
    TRUSTED_IFACES="lo"
    Change to:
    TRUSTED_IFACES="lo tun+"
    Search for:
    IP_MASQ_NETWORK=""
    Change to:
    IP_MASQ_NETWORK="10.8.0.0/24"
    Save and exit the file.
    Restart the firewall:
    /etc/init.d/bastille-firewall restart

    Done.


    Is that supposed to happen? Aren't we supposed to be able to insert rules ourselves even when Bastille is enabled? I know that we can add ports through the web interface but how do we add a NAT rule properly?
     
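A scripted, idempotent version of the two config edits from the post, added here as an example (not code from the original post or from Bastille itself). It assumes the `KEY="value"` line format shown above; the file path, interface and subnet are parameters so it can be tried on a copy before touching /etc/Bastille/bastille-firewall.cfg.

```shell
#!/bin/sh
# Apply and verify the Bastille settings that let OpenVPN traffic through.
# Bastille regenerates its iptables rules from this config, which is why
# rules added by hand are not kept; the config is the place to change.
set -eu

# Add an interface (e.g. tun+) to TRUSTED_IFACES only if it is not listed yet.
bastille_trust_iface() {
    cfg="$1"; iface="$2"
    current=$(sed -n 's/^TRUSTED_IFACES="\(.*\)"$/\1/p' "$cfg")
    for i in $current; do
        [ "$i" = "$iface" ] && return 0      # already trusted, nothing to do
    done
    new="${current:+$current }$iface"
    if grep -q '^TRUSTED_IFACES=' "$cfg"; then
        sed -i "s|^TRUSTED_IFACES=.*|TRUSTED_IFACES=\"$new\"|" "$cfg"
    else
        printf 'TRUSTED_IFACES="%s"\n' "$new" >> "$cfg"
    fi
}

# Set IP_MASQ_NETWORK to the VPN subnet (replaces any existing value).
bastille_set_masq_network() {
    cfg="$1"; net="$2"
    if grep -q '^IP_MASQ_NETWORK=' "$cfg"; then
        sed -i "s|^IP_MASQ_NETWORK=.*|IP_MASQ_NETWORK=\"$net\"|" "$cfg"
    else
        printf 'IP_MASQ_NETWORK="%s"\n' "$net" >> "$cfg"
    fi
}

# Succeed only if both settings are in place; useful as a post-reboot check.
bastille_verify_vpn() {
    cfg="$1"; iface="$2"; net="$3"
    ifaces=$(sed -n 's/^TRUSTED_IFACES="\(.*\)"$/\1/p' "$cfg")
    masq=$(sed -n 's/^IP_MASQ_NETWORK="\(.*\)"$/\1/p' "$cfg")
    found=1
    for i in $ifaces; do [ "$i" = "$iface" ] && found=0; done
    [ "$found" -eq 0 ] && [ "$masq" = "$net" ]
}

# Demo on a constructed copy of the two relevant lines (not the real file).
bastille_demo() {
    tmp=$(mktemp)
    printf 'TRUSTED_IFACES="lo"\nIP_MASQ_NETWORK=""\n' > "$tmp"
    bastille_trust_iface "$tmp" 'tun+'
    bastille_set_masq_network "$tmp" 10.8.0.0/24
    cat "$tmp"; rm -f "$tmp"
}
bastille_demo
```

After editing the real file, restart the firewall as the post does (`/etc/init.d/bastille-firewall restart`) and run `bastille_verify_vpn` against it to confirm the values survived.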
