I am new to OpenVPN and I set up an LXC container running an OpenVPN server on a VPS machine.
So here are the iptables rules that I am using on the HOST machine.
# Generated by iptables-save v1.4.21 on Tue Apr 18 10:37:20 2017
*nat
:PREROUTING ACCEPT [412:26844]
:INPUT ACCEPT [14:863]
:OUTPUT ACCEPT [4:263]
:POSTROUTING ACCEPT [24:1123]
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 18 10:37:20 2017
# Generated by iptables-save v1.4.21 on Tue Apr 18 10:37:20 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [999:126221]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p udp -m udp --dport 1194 -j ACCEPT
-A fw-interfaces -i br0 -j ACCEPT
-A fw-open -d 192.168.1.2/32 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Tue Apr 18 10:37:20 2017
# Filter table: INPUT policy and the TCP/UDP dispatch chains
iptables -N TCP
iptables -N UDP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# present in the iptables-save output above: accept everything arriving from the bridge
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -A UDP -p udp --dport 1194 -j ACCEPT
# Filter table: FORWARD policy and the fw-interfaces / fw-open chains
iptables -N fw-interfaces
iptables -N fw-open
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j fw-interfaces
iptables -A FORWARD -j fw-open
iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable
iptables -P FORWARD DROP
iptables -A fw-interfaces -i br0 -j ACCEPT
# NAT table: masquerade the container network on eth0 and forward UDP/1194 to the container
# (iptables stores 192.168.1.1/24 as the network address 192.168.1.0/24, as the saved output shows)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 192.168.1.2:1194
# Filter table: let the DNATed OpenVPN traffic through FORWARD
iptables -A fw-open -d 192.168.1.2 -p udp --dport 1194 -j ACCEPT
The guest has a veth0 (192.168.1.2) interface and a tun0 (10.8.0.1) from the OpenVPN server.
At this stage, in the guest machine everything is working (ping, nslookup, apt update). The problem now is that if I connect a VPN client from another machine, it seems that it loses routing of DNS/HTTP requests. On this other machine I can ping specific IPs (e.g. ping 172.217.17.100) but not domain names (e.g. ping www.google.com), and I cannot visit any IP from a web browser.
A dnsmasq server is running on the HOST and listens on the br0 interface. Should I add any specific rule for that?
Thank you.
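A check that can be run offline against a host ruleset like the one above, added here as an example and not part of the original post: it parses iptables-save output and reports which source subnets have no MASQUERADE/SNAT rule on the outgoing interface. It assumes the VPN subnet is 10.8.0.0/24 (the post only shows tun0 = 10.8.0.1, and /24 is OpenVPN's default server subnet) and that client packets reach the host's br0 with their 10.8.0.x source address, i.e. the container does not masquerade tun0 traffic onto veth0 itself. If the container does masquerade, the host's existing 192.168.1.0/24 rule already covers those packets and this check reports nothing to fix; the sample ruleset is constructed from the post and trimmed to the rules that matter for the check.

```python
import ipaddress
import shlex

# Constructed sample input: the host ruleset from the post, trimmed to the
# rules that decide whether forwarded traffic is NATed on its way out of eth0.
HOST_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:fw-interfaces - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A fw-interfaces -i br0 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Parse iptables-save text into (table, chain, options) triples.

    Only '-A' lines are kept. Options become a dict of flag -> value, or
    flag -> True for flags that take no argument. Negated matches ('! -s')
    are not interpreted; the '!' token is simply recorded as a flag.
    """
    table, rules = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts, i = {}, 2
            while i < len(toks):
                flag = toks[i]
                if flag.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[flag] = toks[i + 1]
                    i += 2
                else:
                    opts[flag] = True
                    i += 1
            rules.append((table, toks[1], opts))
    return rules


def nat_source_networks(rules, out_if):
    """Source networks that nat/POSTROUTING masquerades or SNATs when leaving out_if."""
    nets = []
    for table, chain, o in rules:
        if table != "nat" or chain != "POSTROUTING":
            continue
        if o.get("-j") not in ("MASQUERADE", "SNAT"):
            continue
        if o.get("-o", out_if) != out_if:  # a rule without -o applies to every interface
            continue
        # strict=False mirrors iptables, which stores 192.168.1.1/24 as 192.168.1.0/24
        nets.append(ipaddress.ip_network(o.get("-s", "0.0.0.0/0"), strict=False))
    return nets


def subnets_without_nat(dump, out_if, subnets):
    """Return the given subnets that no POSTROUTING NAT rule on out_if covers."""
    covered = nat_source_networks(parse_rules(dump), out_if)
    missing = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        if not any(net.subnet_of(c) for c in covered):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    # 192.168.1.0/24 is the container network from the post; 10.8.0.0/24 is an
    # assumption (the post only shows tun0 = 10.8.0.1).
    for net in subnets_without_nat(HOST_RULESET, "eth0", ["192.168.1.0/24", "10.8.0.0/24"]):
        print(f"no MASQUERADE/SNAT on eth0 for {net}; candidate rule:")
        print(f"  iptables -t nat -A POSTROUTING -s {net} -o eth0 -j MASQUERADE")
```

On the posted rules the only POSTROUTING rule on eth0 is `-s 192.168.1.0/24`, so the check flags 10.8.0.0/24. To run it against a live host, replace HOST_RULESET with the real `iptables-save` output; the parser ignores the counters and chain declarations, and it deliberately does not interpret `!` negations, so rules using them should be reviewed by hand.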