Old 12-27-2009, 07:42 AM   #1
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Rep: Reputation: 16
iptables for secure systems including openvpn


Hi folks,

I will be hosting a server for multiple customers. The application that I will be hosting is Java-based and uses RMI.

The customers will connect to the server via openvpn, however each customer will have their own individual instance of openvpn running on the server (each on a different port and using different certs and keys), and each customer will also have their own individual instance of the java server running (also on a different port).

What I want is, for each respective customer to:
- Be allowed to connect to the openvpn from anywhere
- Once connected to the VPN, only the port which the java server listens on will be able to be accessed.
- Everything else denied, with the exception of ssh from my own IP for admin purposes

I wish for the iptables rules to be loaded at startup, however I will have to start openvpn and the java server manually.

Do these iptables rules fit this purpose? Please keep in mind that I don't think tun0 is created until openvpn is started, however everything seems to be working OK.

Code:
*filter

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
#  (the negation goes before the option; "-i ! lo" is the old, now rejected, form)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows openvpn connections from anywhere
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 1195 -j ACCEPT

# Allows connections from respective openvpn tunnel to respective java server
# (interface matches are by name, so these rules load fine before tun0/tun1 exist)
-A INPUT -i tun0 -p tcp --dport 3050 -j ACCEPT
-A INPUT -i tun1 -p tcp --dport 3051 -j ACCEPT

#  Allows SSH connections from specific host
-A INPUT -s xx.xx.xx.xx -p tcp -m state --state NEW --dport 30003 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Since the server will be used for confidential data for my customers, I wish for my server to be as secure as possible, so any advice is very much appreciated.

Thanks

Last edited by jonnytabpni; 12-27-2009 at 07:45 AM.
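The weak point in a per-interface ruleset like the one above is that nothing ties a given OpenVPN instance to a given tun device: unless each instance's config pins "dev tunN", whichever instance starts first gets tun0, and the customer-to-Java-port mapping silently shifts. The script below is an added example, not the poster's, that derives the rules and the matching OpenVPN "port"/"dev" lines from one table so the three numbers per customer cannot drift apart; the customer names and the admin IP 192.0.2.10 are constructed placeholders, the ports and devices are the thread's own.

```shell
#!/bin/sh
# Added example: build the iptables-restore file from one customer table.
# Customer names and ADMIN_IP are constructed placeholders (not from the thread).
ADMIN_IP="192.0.2.10"   # stands in for the poster's xx.xx.xx.xx
SSH_PORT=30003

# name  openvpn_udp_port  tun_device  java_tcp_port   (constructed sample table)
CUSTOMERS='custA 1194 tun0 3050
custB 1195 tun1 3051'

gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -s $ADMIN_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # One VPN-port rule and one tunnel-to-Java rule per customer; a customer on
    # tun0 can only reach 3050, never the other customer's 3051.
    printf '%s\n' "$CUSTOMERS" | while read -r name udp dev jport; do
        [ -n "$name" ] || continue
        printf '# %s\n' "$name"
        printf '%s\n' "-A INPUT -p udp --dport $udp -j ACCEPT"
        printf '%s\n' "-A INPUT -i $dev -p tcp --dport $jport -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' 'COMMIT'
    # INPUT policy is DROP, so no trailing "-A INPUT -j DROP" is needed.
}

# The lines each OpenVPN instance config must carry so the device name the
# firewall matches on is fixed, regardless of which instance starts first.
gen_openvpn_dev_lines() {
    printf '%s\n' "$CUSTOMERS" | while read -r name udp dev jport; do
        [ -n "$name" ] || continue
        printf '%s.conf: port %s\n%s.conf: dev %s\n' "$name" "$udp" "$name" "$dev"
    done
}

# Sanity check: exactly one tun-bound rule per customer.
tun_rule_count() { gen_rules | grep -c -- '-i tun'; }

# gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Run `gen_rules` to a file and load it with `iptables-restore`; `gen_openvpn_dev_lines` shows what to put in each instance's `.conf` so the `-i tunN` rules keep pointing at the right customer.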
 
Old 12-28-2009, 12:33 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
Quote:
Originally Posted by jonnytabpni View Post
Hi folks,

however each customer will have their own individual instance of openvpn running on the server (each on a different port and using different certs and keys), and each customer will also have their own individual instance of the java server running (also on a different port).
I think your current iptables rules do not satisfy the quoted criteria.

thanks
 
Old 12-28-2009, 08:22 AM   #3
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by vishesh View Post
I think your current iptables rules do not satisfy the quoted criteria.

thanks
Can you please explain to me where you feel that I'm going wrong?

Thanks
 
Old 12-31-2009, 11:35 AM   #4
jonnytabpni
Member
 
Registered: Sep 2008
Posts: 68

Original Poster
Rep: Reputation: 16
bump
 