I am trying to configure iptables on one of my computers to ONLY be allowed to do the following:
1. The computer
IS allowed to be accessed by other computers on the
LOCAL network.
2.
ALL internet traffic (IN and OUT)
MUST use the tun0 (OpenVPN tunnel) interface.
3.
ALL other traffic that doesn't apply to the above two rules
MUST be
DROPPED.
My iptables script seems to be working the way I want it to, but I wanted another set of eyes to see if they can catch any "security holes" I may be missing regarding the rules I described above. It is very important that this computer can only be allowed these specific rules.
I will take any suggestions that anyone may have.
Thanks for your time!
Code:
#!/bin/bash
#Set variables
IPT=/sbin/iptables
VPN=x.x.x.x
LAN=192.168.0.0/24
#Flush rules
$IPT -F
$IPT -X
#Default policies and define chains
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
#Allow input from LAN and tun0 ONLY
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -s $LAN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -j DROP
#Allow output from lo and tun0 ONLY
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -d $VPN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -j DROP
exit 0