LinuxQuestions.org


aholak 02-25-2013 09:19 AM

I can not configure iptables to work only with openvpn
 
Hi,

I am currently using Debian 6 with OpenVPN installed. I can connect from my laptop to my server without a firewall. But for more security I need a firewall.

I found some iptables rules, but after I connect to my server from my laptop and start Firefox, I am not able to view any web pages. I just want to allow SSH and OpenVPN traffic to my server (and disable all other ports).

I am really stuck with iptables.
Please help me with how to do it.

sag47 02-25-2013 09:57 AM

Post the rules you're using with any sensitive information removed. You haven't provided any information that can be used to help you.

SAM

aholak 02-25-2013 10:06 AM

Quote:

Originally Posted by sag47 (Post 4899331)
Post the rules you're using with any sensitive information removed. You haven't provided any information that can be used to help you.

SAM

Hi,

I found this rule, applied and couldn't access websites through my server:

Quote:

#!/bin/sh
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F

#
# Allow SSH connections on tcp port 22 (or whatever port you want to use)
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP #using DROP for INPUT is not always recommended. Change to ACCEPT if you prefer.
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT

#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
#Accept connections on 1194 for vpn access from clients
#Take note that the rule says "UDP", and ensure that your OpenVPN server.conf says UDP too
#
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

#
#Apply forwarding for OpenVPN Tunneling
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT #10.8.0.0 ? Check your OpenVPN server.conf to be sure
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#
#Enable forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward


#
# Some generally optional rules. Enable and disable these as per your requirements
#

# Accept traffic with the ACK flag set
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Accept responses to DNS queries
iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT

#
# List rules
#
iptables -L -v

aholak 02-25-2013 12:28 PM

After changing iptables -P INPUT DROP to iptables -P INPUT ACCEPT, I am able to surf websites now. But did I allow all connections, or are still only the SSH and OpenVPN ports open?

maxut 02-26-2013 01:02 PM

Quote:

But did I allow all connections, or are still only the SSH and OpenVPN ports open?
Yes, you allowed all ports on Linux, if any service listens on them ;)
If there is no service running, or they run with the default configuration, it is mostly safe. Do not panic :)


If you want to DROP everything coming to your Linux machine except "openvpn" and "ssh",
add the following rule to your script:
Code:

iptables -A INPUT -i tun+ -j ACCEPT
That rule means "allow everything that comes in on the tun (0, 1, 2, ...) interfaces which OpenVPN uses".

Edit: do not trust scripts much. Visit the netfilter website and read the tutorials, manuals and other documents. Use iptables scripts if you understand exactly what they do.
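A complete default-deny ruleset along the lines the thread converges on (SSH, OpenVPN on UDP 1194, and the tun+ rule from the reply above), added here as an example; it is not code from the thread or from any of its posters. It assumes the WAN interface is eth0, the VPN subnet is 10.8.0.0/24 as in the quoted script, and SSH on port 22; it also leaves out the quoted script's blanket "--tcp-flags ACK ACK" accept, which admits any TCP packet carrying the ACK flag and so undermines the INPUT DROP policy, and relies on connection tracking instead.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny INPUT/FORWARD admitting only SSH,
# OpenVPN (UDP 1194) and connected VPN clients, forwarding VPN <-> WAN only.
# Assumed: WAN eth0, VPN subnet 10.8.0.0/24, SSH on 22. DRY_RUN=1 prints the
# rules instead of loading them, so the ruleset can be reviewed without root.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
SSH_PORT=${SSH_PORT:-22}
DRY_RUN=${DRY_RUN:-0}

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

apply_rules() {
    # Start from a clean slate in every table
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X
    # Default deny inbound and forwarded; traffic the box itself originates is allowed
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, replies to connections this host opened, and nothing malformed
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The only two services reachable from the WAN side
    ipt -A INPUT -i "$WAN" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p udp --dport 1194 -j ACCEPT
    # Everything arriving from connected VPN clients (the rule from the reply above)
    ipt -A INPUT -i tun+ -j ACCEPT
    # Forward VPN clients out to the WAN (and replies back), never WAN to WAN
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i tun+ -o "$WAN" -s "$VPN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j MASQUERADE
    # Routing between tun and eth0 also needs IP forwarding turned on
    [ "$DRY_RUN" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# "./vpn-firewall.sh apply" loads the rules; sourcing the file only defines them
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run "DRY_RUN=1 ./vpn-firewall.sh apply" first to read the exact commands that would be loaded, then "sudo ./vpn-firewall.sh apply" from a console session rather than over SSH in case a typo locks you out.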

