LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-25-2013, 09:19 AM   #1
aholak
I cannot configure iptables to work only with OpenVPN


Hi,

I am currently using Debian 6 with OpenVPN installed. I can connect from my laptop to my server without a firewall, but for more security I need a firewall.

I found some iptables rules, but after I connect to my server from my laptop and start Firefox, I am not able to view any web pages. I just want to allow SSH and OpenVPN traffic to my server (and disable all other ports).

I am really stuck on iptables.
Please help me with how to do it.

Last edited by aholak; 02-25-2013 at 09:22 AM.
 
Old 02-25-2013, 09:57 AM   #2
sag47
Post the rules you're using with any sensitive information removed. You haven't provided any information that can be used to help you.

SAM
 
Old 02-25-2013, 10:06 AM   #3
aholak
Quote:
Originally Posted by sag47 View Post
Post the rules you're using with any sensitive information removed. You haven't provided any information that can be used to help you.

SAM
Hi,

I found this rule, applied it, and couldn't access websites through my server:

Code:
#!/bin/sh
#
# iptables example configuration script
#
# Flush all current rules from iptables. Note that -F only removes rules;
# it does not reset the chain policies set with -P further down.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F

#
# Allow SSH connections on tcp port 22 (or whatever port you want to use).
# This is added before the DROP policy below so that re-running the script
# over an SSH session does not lock you out.
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP    # using DROP for INPUT is not always recommended. Change to ACCEPT if you prefer.
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT

#
# Accept packets belonging to established and related connections.
# This single rule is what lets the replies to outgoing traffic back in.
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Accept connections on 1194 for vpn access from clients.
# Take note that the rule says "UDP", and ensure that your OpenVPN server.conf says UDP too.
# Note: no rule in this script accepts NEW connections arriving on the tun
# interface, so with INPUT set to DROP, VPN clients can be forwarded out to
# the internet but cannot reach services running on this server itself
# (for example a DNS resolver pushed to clients as 10.8.0.1).
#
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

#
# Apply forwarding for OpenVPN tunneling.
# 10.8.0.0/24 is OpenVPN's default "server" subnet and eth0 is assumed to be
# the internet-facing interface. Check your OpenVPN server.conf to be sure.
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#
# Enable forwarding (this does not survive a reboot; set
# net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent)
#
echo 1 > /proc/sys/net/ipv4/ip_forward


#
# Some generally optional rules. Enable and disable these as per your requirements.
#

# Accept traffic with the ACK flag set.
# Disabled: with the ESTABLISHED,RELATED rule above this is redundant, and it
# accepts ANY TCP packet carrying ACK regardless of connection state, which
# lets ACK scans and crafted packets straight past the DROP policy.
#iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT

# Accept responses to DNS queries.
# Disabled: also redundant with the ESTABLISHED,RELATED rule, and it accepts
# any UDP packet to ports 1024-65535 as long as the sender sets source port 53.
#iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT

# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes (the UDP probe port range used by traceroute)
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT

#
# List rules (-n skips the reverse DNS lookup on every address)
#
iptables -L -v -n
 
Old 02-25-2013, 12:28 PM   #4
aholak
After changing iptables -P INPUT DROP to iptables -P INPUT ACCEPT, I am able to surf websites now. But did I allow all connections, or are still only the SSH and OpenVPN ports open?
 
Old 02-26-2013, 01:02 PM   #5
maxut
Quote:
But did I allowed all connections or still only ssh and openvpn port only open?
Yes, you allowed all ports on Linux, if any service listens on them.
If there is no service running, or they run with the default configuration, it is mostly safe. Do not panic.


If you want to DROP everything coming to your Linux box except OpenVPN and SSH,
add the following rule to your script:
Code:
iptables -A INPUT -i tun+ -j ACCEPT
That rule means: allow everything that arrives on the tun interfaces (tun0, tun1, ...) which OpenVPN uses.

Edit: do not trust scripts much. Visit the netfilter website and read the tutorials, manuals and other documents. Use iptables scripts only if you understand exactly what they do.

Last edited by maxut; 02-26-2013 at 01:06 PM.
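As an added example for this thread (not code posted by anyone above), here is the rule set the replies arrive at, written as one script: SSH and OpenVPN are the only ports open on the WAN side, the `-i tun+` rule from the reply above lets authenticated VPN clients reach the server itself, and the DROP policy is switched on only after every ACCEPT is in place, so re-running it over SSH cannot lock you out. In the spirit of the "understand what the script does" advice it also carries a small `audit_ruleset` helper that flags the two stateless rules from the script in post #3 (accept any TCP packet with ACK set, accept any UDP packet from source port 53) that let unsolicited traffic past a DROP policy. eth0, port 22, UDP 1194 and 10.8.0.0/24 are assumed to match the posted script; the `run`, `apply_rules` and `audit_ruleset` names and the `WEAK_DUMP` sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example: minimal "SSH + OpenVPN only" ruleset for the setup in this
# thread, plus an audit helper. Assumptions (override via the environment):
WAN_IF="${WAN_IF:-eth0}"            # internet-facing interface
SSH_PORT="${SSH_PORT:-22}"
VPN_PORT="${VPN_PORT:-1194}"        # OpenVPN UDP port
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # OpenVPN "server" subnet

# Print the command instead of running it when DRY_RUN=1 (safe preview).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Open the policies first so a re-run over SSH never locks you out
    # between the flush and the SSH rule.
    run iptables -P INPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    run iptables -F
    run iptables -X
    run iptables -t nat -F

    # Loopback, and replies to anything this host or its VPN clients started.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The only two services reachable from the internet.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT

    # Authenticated VPN clients may reach services on this server (DNS, SSH, ...).
    # Without this, INPUT DROP also drops their DNS queries to the server.
    run iptables -A INPUT -i tun+ -j ACCEPT

    # Route VPN clients out to the internet, NATed behind the WAN address.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i tun+ -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1

    # Default deny goes last, once every ACCEPT above is in place.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
}

# Flag rules (iptables-save output, or a script like the one in post #3) that
# accept traffic without regard to connection state and so punch through a
# DROP policy. Prints each offender; returns 1 if any were found.
audit_ruleset() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"--tcp-flags ACK ACK -j ACCEPT"*|*"--sport 53 "*"-j ACCEPT"*)
                echo "WEAK: $line"
                found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: an iptables-save style dump of the "optional" rules
# from the script in post #3.
WEAK_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
COMMIT'

case "${1:-show}" in
    apply) apply_rules ;;                    # sh fw.sh apply   (as root)
    show)  DRY_RUN=1 apply_rules             # default: preview the commands
           printf '%s\n' "$WEAK_DUMP" | audit_ruleset || echo "(weak rules found above)" ;;
esac
```

Run it with no argument (or `show`) to preview the iptables commands and the audit of the sample dump; `sh fw.sh apply` as root loads the rules. To audit a live box, pipe `iptables-save` into `audit_ruleset`. As in the posted script, OUTPUT is left at ACCEPT and only IPv4 is covered; a server with a public IPv6 address needs matching ip6tables rules, otherwise the DROP policy here protects nothing on v6.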
 
  



All times are GMT -5. The time now is 10:33 AM.
