There are times when you might like to use the Lighthouse VPN (lhvpn) tunnel as a path for services like TACACS+ authentication, SYSLOG destination, etc. This is especially useful when the LTE interface of your Opengear node has no route to your internal servers.
The example below will forward syslog messages to a syslog server.
1. Log in to the Lighthouse CLI as root or, if logged in as a Lighthouse Administrator user, become root by running:
sudo -i
2. Create a firewall-post script directory:
mkdir -p /etc/config/scripts
3. Create a firewall script:
vim /etc/config/scripts/firewall-post
4. Add the following, changing the addresses, services, protocol and port numbers to suit your environment:
#!/bin/bash
# Internal syslog server that messages arriving over the lhvpn tunnel are forwarded to
SYSLOG_SERVER=192.168.1.113
# Lighthouse's own address on net1, used as the source address of the forwarded packets
LHIP=192.168.1.186
# Rewrite the destination of UDP/514 arriving on the tunnel interface (tun+) to the syslog server
iptables -A PREROUTING -t nat -i tun+ -p udp --dport 514 -j DNAT --to ${SYSLOG_SERVER}:514
# Allow the redirected packets to be forwarded from the tunnel out through net1
iptables -I FORWARD 1 -i tun+ -o net1 -p udp --dport 514 -d ${SYSLOG_SERVER} -j ACCEPT
# Source NAT everything leaving net1 (not only the forwarded syslog) so that replies return to Lighthouse
iptables -A POSTROUTING -t nat -o net1 -j SNAT --to ${LHIP}
5. Save the file and then run:
chmod +x /etc/config/scripts/firewall-post
6. Force the firewall configuration to be regenerated and reapplied by running:
configurator_firewall --force
7. Verify that the firewall rules are inserted by running:
iptables -t nat -vnL
You should see output similar to the listing below, with the DNAT rule in PREROUTING and the SNAT rule in POSTROUTING:
Chain PREROUTING (policy ACCEPT 820 packets, 147K bytes)
pkts bytes target prot opt in out source destination
11 1607 DNAT udp -- tun+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 to:192.168.1.113:514
Chain INPUT (policy ACCEPT 44 packets, 2310 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 144 packets, 8238 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 136 packets, 7072 bytes)
pkts bytes target prot opt in out source destination
19 2773 SNAT all -- * net1 0.0.0.0/0 0.0.0.0/0 to:192.168.1.186
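The listing above has to be read by eye. As an added example (not part of the Opengear article or product), the script below parses the output of iptables -t nat -vnL, confirms that the DNAT rule on tun+ and the SNAT rule on net1 are present, and reports how many packets each has matched, which is the quickest way to see whether syslog traffic is actually arriving over the tunnel. The server and Lighthouse addresses are assumptions taken from the article's example; override them with environment variables. The embedded sample listing is a constructed copy of the article's output so the script can be exercised off-box.

```shell
#!/bin/bash
# Added example: verify the lhvpn syslog forwarding NAT rules on Lighthouse.
# Addresses default to the article's example values (assumptions; override via env).
SYSLOG_SERVER=${SYSLOG_SERVER:-192.168.1.113}
LHIP=${LHIP:-192.168.1.186}
SYSLOG_PORT=${SYSLOG_PORT:-514}

# dnat_pkts NAT_LISTING: print the packet counter of the DNAT rule that takes
# udp dpt:PORT arriving on tun+ to SERVER:PORT; exit status 1 if no such rule.
# Field layout of "iptables -t nat -vnL": pkts bytes target prot opt in out src dst [extras...]
dnat_pkts() {
    printf '%s\n' "$1" | awk -v srv="$SYSLOG_SERVER" -v port="$SYSLOG_PORT" '
        $3 == "DNAT" && $4 == "udp" && $6 == "tun+" &&
        $11 == ("dpt:" port) && $NF == ("to:" srv ":" port) { print $1; found = 1; exit }
        END { exit !found }'
}

# snat_pkts NAT_LISTING: print the packet counter of the SNAT rule that rewrites
# the source of traffic leaving net1 to LHIP; exit status 1 if absent.
snat_pkts() {
    printf '%s\n' "$1" | awk -v lhip="$LHIP" '
        $3 == "SNAT" && $7 == "net1" && $NF == ("to:" lhip) { print $1; found = 1; exit }
        END { exit !found }'
}

# check_nat_rules NAT_LISTING: report both rules; return 0 only if both are present.
check_nat_rules() {
    local out="$1" d s rc=0
    if d=$(dnat_pkts "$out"); then
        echo "DNAT tun+ udp/$SYSLOG_PORT -> $SYSLOG_SERVER:$SYSLOG_PORT: present ($d packets matched)"
    else
        echo "DNAT rule to $SYSLOG_SERVER:$SYSLOG_PORT is MISSING"; rc=1
    fi
    if s=$(snat_pkts "$out"); then
        echo "SNAT out net1 -> $LHIP: present ($s packets matched)"
    else
        echo "SNAT rule to $LHIP is MISSING"; rc=1
    fi
    return $rc
}

# Constructed sample: a copy of the nat table listing shown in the article.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 820 packets, 147K bytes)
 pkts bytes target prot opt in out source destination
   11  1607 DNAT udp -- tun+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 to:192.168.1.113:514

Chain POSTROUTING (policy ACCEPT 136 packets, 7072 bytes)
 pkts bytes target prot opt in out source destination
   19  2773 SNAT all -- * net1 0.0.0.0/0 0.0.0.0/0 to:192.168.1.186'

# Run directly as root on Lighthouse to check the live table; anywhere else it
# demonstrates the checks on the constructed sample.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        check_nat_rules "$(iptables -t nat -vnL)"
    else
        check_nat_rules "$SAMPLE_NAT"
    fi
fi
```

A DNAT counter that stays at zero after the node has been configured in step 8 means the messages are not reaching Lighthouse over the tunnel at all; a DNAT counter that climbs while the SNAT counter does not points at the FORWARD rule or routing towards net1 instead.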
8. Configure the Opengear node to use Lighthouse, reached over the lhvpn tunnel, as its syslog server. From the CLI of the Opengear node run:
config -s config.syslog.loglevel=debug
config -s config.syslog.repeat=on
config -s config.syslog.servers.server1.address=192.168.128.1
config -s config.syslog.servers.server1.loglevel=debug
config -s config.syslog.servers.server1.port=514
config -s config.syslog.servers.server1.protocol=udp
config -s config.syslog.servers.total=1
config -r systemlog