Hi folks,
I will be hosting a server for multiple customers. The application that I will be hosting is java based and uses RMI.
The customers will connect to the server via openvpn, however each customer will have their own individual instance of openvpn running on the server (each on a different port and using different certs and keys), and each customer will also have their own individual instance of the java server running (also on a different port).
What I want is, for each respective customer to:
- Be allowed to connect to the openvpn from anywhere
- Once connected to the VPN, only the port which the java server listens on will be able to be accessed.
- Everything else denied, with the exception of ssh from my own IP for admin purposes
I wish for the iptables rules to be loaded at startup, however I will have to start openvpn and the java server manually.
Do these iptables rules fit this purpose? Please keep in mind that I don't think tun0 is created until openvpn is started, however everything seems to be working ok.
Code:
*filter
# Default chain policies: drop inbound and forwarded traffic unless a rule below accepts it
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allows all loopback (lo) traffic and rejects traffic to 127/8 that doesn't arrive on lo
# (the negation goes before the option: the old "-i ! lo" form is deprecated)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows openvpn connections from anywhere (one UDP port per customer instance)
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 1195 -j ACCEPT
# Allows connections from the respective openvpn tunnel to the respective java server.
# These rules match on the interface name, so they load fine before tun0/tun1 exist,
# but which instance gets which name depends on start order unless each openvpn
# config pins it with "dev tun0" / "dev tun1".
-A INPUT -i tun0 -p tcp --dport 3050 -j ACCEPT
-A INPUT -i tun1 -p tcp --dport 3051 -j ACCEPT
# Allows SSH connections from a specific host (xx.xx.xx.xx = admin IP)
-A INPUT -s xx.xx.xx.xx -p tcp -m state --state NEW --dport 30003 -j ACCEPT
# Log iptables denied calls (rate-limited so a flood can't fill the log)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound and forwarded traffic - default deny unless explicitly allowed
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
Since the server will be used for confidential data for my customers, I wish for my server to be as secure as possible, so any advice is very much appreciated.
Thanks
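Added example, not from the original post: a small POSIX sh script that generates this kind of per-customer ruleset from a table of (tun device, OpenVPN UDP port, Java TCP port), so a third customer is one more table line rather than hand-edited rules, and then runs a check that every TCP ACCEPT other than the admin SSH rule is bound to a tun device (the cross-customer leak that is easiest to introduce by hand). The two customer lines reuse the ports and devices from the post; the admin IP 203.0.113.10 is a placeholder for xx.xx.xx.xx. The example also uses `-m conntrack --ctstate` in place of `-m state --state`, drops INVALID packets, and sets the chain policies to DROP; those are the example's choices, not something the post asked for.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for N customers, each with
# their own OpenVPN UDP port, tun device and Java/RMI TCP port, then sanity-check it.
# The customer table, admin IP and SSH port below are constructed placeholders.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # assumption: stands in for xx.xx.xx.xx
SSH_PORT="${SSH_PORT:-30003}"

# One customer per line: <tun device> <openvpn udp port> <java tcp port>.
# Pin the device name in each OpenVPN config ("dev tun0", "dev tun1") so the
# interface match cannot drift when the instances are started in another order.
CUSTOMERS='tun0 1194 3050
tun1 1195 3051'

# gen_rules <customer table> <admin ip> <ssh port>  -> ruleset on stdout
gen_rules() {
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' "$1" | while read -r dev vpnport javaport; do
    [ -n "$dev" ] || continue
    # the VPN endpoint is reachable from anywhere ...
    printf '%s\n' "-A INPUT -p udp --dport $vpnport -j ACCEPT"
    # ... but the Java port only from inside that customer's own tunnel
    printf '%s\n' "-A INPUT -i $dev -p tcp --dport $javaport -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' "-A INPUT -s $2 -p tcp --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
  printf '%s\n' \
    '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' \
    'COMMIT'
}

# check_rules <ruleset> <ssh port> -> 0 if every TCP ACCEPT other than admin SSH is
# bound to a tun device and the ruleset ends with COMMIT, 1 otherwise
check_rules() {
  leaks=$(printf '%s\n' "$1" | grep -- '-p tcp --dport' \
          | grep -v -- "--dport $2 " | grep -v -- '-i tun' || true)
  [ -z "$leaks" ] && printf '%s\n' "$1" | grep -q '^COMMIT$'
}

RULES=$(gen_rules "$CUSTOMERS" "$ADMIN_IP" "$SSH_PORT")
check_rules "$RULES" "$SSH_PORT" || { echo "ruleset check failed" >&2; exit 1; }
printf '%s\n' "$RULES"
# To load: ./gen-rules.sh | iptables-restore --test, then again without --test
```

Because the rules match on interface name only, they load at boot before any tun device exists, which is why the original ruleset "seems to work" even though OpenVPN is started by hand later; the pinned `dev tunN` in each OpenVPN config is what makes that matching trustworthy.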