I set up an older laptop as an OpenVPN server for my home network (and a Dwarf Fortress server, but that's beside the point). This is the first time I've set something like this up - I wanted a secure way of being able to ssh into my home network from outside.
In any case, I got it working (finally figured out I needed to port forward 1194 on my router), but I wanted to make sure that my iptables-rules look reasonable:
# Generated by iptables-save v1.4.21 on Sun Dec 28 02:16:10 2014
*nat
:PREROUTING ACCEPT [3:517]
:INPUT ACCEPT [3:517]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.88.0/24 -o wlp3s0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 28 02:16:10 2014
# Generated by iptables-save v1.4.21 on Sun Dec 28 02:16:10 2014
*filter
:INPUT ACCEPT [323:24107]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [152:13348]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Dec 28 02:16:10 2014
Last edited by emacsomancer (2014-12-29 21:32:25)
You're always just accepting, so a completely empty rules file would do the same filtering.
Edit: Apart from the masquerade, of course.
Last edited by brebs (2014-12-29 09:48:31)
You're always just accepting, so a completely empty rules file would do the same filtering.
Edit: Apart from the masquerade, of course.
So I should change something to not accepting somewhere I suppose?
Look at your filters: you accept everything.
:INPUT ACCEPT [323:24107]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [152:13348]
A better way would be to block everything but outgoing and then open ports and such.
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
Then your current (192.168.88.0/24 -j ACCEPT) forwarding will go through, but not other things.
Some good articles on iptables: iptables, simple stateful firewall.
Last edited by bleach (2014-12-29 16:49:56)
Look at your filters: you accept everything.
:INPUT ACCEPT [323:24107]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [152:13348]
A better way would be to block everything but outgoing and then open ports and such.
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
Then your current (192.168.88.0/24 -j ACCEPT) forwarding will go through, but not other things.
Some good articles on iptables: iptables, simple stateful firewall.
OK, this is my modified setup:
# Generated by iptables-save v1.4.21 on Mon Dec 29 03:36:02 2014
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i wlp3s0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wlp3s0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Dec 29 03:36:02 2014
# Generated by iptables-save v1.4.21 on Mon Dec 29 03:36:02 2014
*nat
:PREROUTING ACCEPT [389:94808]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [1:72]
-A POSTROUTING -s 192.168.88.0/24 -o wlp3s0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 29 03:36:02 2014
I added in lines to allow for SSH within my internal network. But now I am unable to make an OpenVPN connection from outside... what could be wrong?
Nevermind, I got it:
# Generated by iptables-save v1.4.21 on Mon Dec 29 04:03:36 2014
*nat
:PREROUTING ACCEPT [183:19193]
:INPUT ACCEPT [4:280]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.88.0/24 -o wlp3s0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 29 04:03:36 2014
# Generated by iptables-save v1.4.21 on Mon Dec 29 04:03:36 2014
*filter
:INPUT DROP [11:1853]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1140:879278]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i wlp3s0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wlp3s0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Dec 29 04:03:36 2014
Seems to work.
That 2nd "dport 22" line can be removed, since it only does what the previous line already did.
Your "OUTPUT" line can also be removed, since OUTPUT will always be accepted anyway.
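Added example, not from the thread or from any of its posters: a small Python linter for iptables-save dumps that flags the three mistakes discussed above (an ACCEPT default policy that makes a chain's ACCEPT rules meaningless, accepting NEW without a chain-wide RELATED,ESTABLISHED accept, which is why the intermediate ruleset broke the VPN, and a rule that repeats an earlier rule's matches). The sample dump is constructed to mirror the final ruleset; the check is a text-level heuristic and makes no attempt to model every iptables match.

```python
import re
# Constructed sample modelled on the thread's final ruleset (not the poster's exact dump).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i wlp3s0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o wlp3s0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_filter(dump):
    # Returns ({chain: policy}, [(chain, rule_text), ...]) for the *filter table only.
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line.split(maxsplit=2)[1:])  # [chain, rest of rule]
    return policies, rules

def lint(dump):
    """Flag the mistakes discussed in the thread; returns a list of finding strings."""
    policies, rules = parse_filter(dump)
    findings, by_chain = [], {}
    for chain, rule in rules:
        by_chain.setdefault(chain, []).append(rule)
    for chain, policy in policies.items():
        crules = by_chain.get(chain, [])
        if policy == "ACCEPT" and all(r.endswith("-j ACCEPT") for r in crules):
            findings.append(f"{chain}: policy ACCEPT, so its ACCEPT rules (if any) filter nothing")
        # Accepting NEW without a chain-wide RELATED,ESTABLISHED accept drops the rest of the flow.
        has_est = any("ESTABLISHED" in r and "--dport" not in r for r in crules)
        if any("--state NEW" in r for r in crules) and not has_est:
            findings.append(f"{chain}: accepts NEW but has no RELATED,ESTABLISHED accept")
        seen = set()  # a rule matching the same packets as an earlier one is redundant
        for r in crules:
            key = re.sub(r"--state [\w,]+", "", r)
            if key in seen:
                findings.append(f"{chain}: redundant rule '-A {chain} {r}'")
            seen.add(key)
    return findings
```

Run `lint(open("/etc/iptables/iptables.rules").read())` to check a real dump; on the sample it reports the duplicate dport 22 rule and the no-op OUTPUT rule, exactly the two lines brebs says can go.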