Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Perfect iptables for OpenVPN
2 views
Skip to first unread message
linux_forum1
Dec 25, 2021, 6:20:03 PM12/25/21
to
Hello, I'm trying to make the most specific, secure and restrictive iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!
VPN Server Port:1194
VPN Server IP: 189.174.135.110
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
#no fragmented packets
-A INPUT -f -j DROP
#localhost
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# first packet has to be TCP syn
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#drop sop icmp
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
#Ping from inside to outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#drop broadcast, multicast anycast
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
#drop invalid
-A INPUT -m state --state INVALID -j DROP
#drop spoofed packets
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# DROP RFC1918 PACKETS
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
#Allow VPN
- A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Jörg Jellissen
Dec 26, 2021, 8:10:03 AM12/26/21
to
Hello,
I'm using nftables with wireguard and it runs perfectly.
Don't forget the forward chain if your server runs as a router and you have a private network behind your firewall.
openVPN is for me
linux_forum1
Dec 26, 2021, 8:50:02 AM12/26/21
to
Hi Jörg, thanks for the reply!
Do you think those rules for the VPN connection are specific enough or could something else be added?
- A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
All the guides only use these two rules:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194
I'm just worried that they use 192.168.1.0/24 because normally I see a lot of iptables blocking this IP range for security.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Jörg Jellissen
Dec 26, 2021, 10:30:03 AM12/26/21
to
Hi,
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194
you don't must use the module udp because you have specify the
protocol udp in your rule
So, this is not needed.
Am 26.12.2021 um 14:42 schrieb
linux_forum1:
Hi Jörg, thanks for the reply!
Do you think those rules for the VPN connection are specific enough or could something else be added?
- A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
All the guides only use these two rules:
-- Mit freundlichen Grüßen Jörg Jellissen Friesenstraße 3 47445 Moers Mobil: (01573) / 5 34 42 18 Fax: (02841) / 4 08 62 77 E-Mail: joerg.j...@t-online.de
0 new messages