IPTABLES secure Internet tunnel

Scripts that set up, destroy, and modify routing tables and firewall rulesets for client connections.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

IPTABLES secure Internet tunnel

Post by Bebop » Wed Mar 02, 2011 9:43 pm

Goal:
  • Your Linux server becomes a secure tunnel between OpenVPN clients and the Internet
Requirements:
  • Linux with OpenVPN server installed
  • An OpenVPN client (Windows or Linux, doesn't matter), for testing purposes
Assuming:
  • Your server machine is only used to tunnel Internet traffic. If your server has other purposes, such as web hosting or DNS, then you can add the required rules to the script (such as opening ports 80, 443 and 53).
Code:

The code will differ slightly depending on your Linux server (Dedicated, XEN, OpenVZ).
  • If your server is a Dedicated server or XEN VPS server then:

    Code:

    #!/bin/sh
    #
    # iptables example configuration script
    #
    # Flush all current rules from iptables
    #
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    
    #
    # Allow SSH connections on tcp port 22 (or whatever port you want to use)
    #
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
    #
    # Set default policies for INPUT, FORWARD and OUTPUT chains
    #
    iptables -P INPUT DROP                #using DROP for INPUT is not always recommended. Change to ACCEPT if you prefer. 
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    
    #
    # Set access for localhost
    #
    iptables -A INPUT -i lo -j ACCEPT
    
    #
    # Accept packets belonging to established and related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #
    #Accept connections on 1194 for vpn access from clients
    #Take note that the rule says "UDP", and ensure that your OpenVPN server.conf says UDP too
    #
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT
      
    #
    #Apply forwarding for OpenVPN Tunneling
    #
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT     #10.8.0.0 ? Check your OpenVPN server.conf to be sure
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    
    #
    #Enable forwarding
    # 
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    
    #
    # Some generally optional rules. Enable and disable these as per your requirements
    # 
    
    # Accept traffic with the ACK flag set
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    # Accept responses to DNS queries
    iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
    # Accept responses to our pings
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    # Accept notifications of unreachable hosts
    iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
    # Accept notifications to reduce sending speed
    iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
    # Accept notifications of lost packets
    iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
    # Accept notifications of protocol problems
    iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
    # Respond to pings
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    # Accept traceroutes
    iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
    
    #
    # List rules
    #
    iptables -L -v
  • If your server is an OpenVZ VPS then:

    Code:

    #!/bin/sh
    #
    # iptables example configuration script
    #
    # Flush all current rules from iptables
    #
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    #
    # Allow SSH connections on tcp port 22 (or whatever port you want to use)
    #
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    #
    # Set default policies for INPUT, FORWARD and OUTPUT chains
    #
    iptables -P INPUT DROP                #using DROP for INPUT is not always recommended. Change to ACCEPT if you prefer.
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    #
    # Set access for localhost
    #
    iptables -A INPUT -i lo -j ACCEPT

    #
    # Accept packets belonging to established and related connections
    #
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #
    # Accept connections on 1194 for vpn access from clients
    # Take note that the rule says "UDP", and ensure that your OpenVPN server.conf says UDP too
    #
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT

    #
    # Apply forwarding for OpenVPN Tunneling
    #
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT     #10.8.0.0 ? Check your OpenVPN server.conf to be sure
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 100.200.255.256   #Use your OpenVPN server's real external IP here

    #
    # Enable forwarding
    #
    echo 1 > /proc/sys/net/ipv4/ip_forward


    #
    # Some generally optional rules. Enable and disable these as per your requirements
    #

    # Accept traffic with the ACK flag set
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    # Accept responses to DNS queries
    iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
    # Accept responses to our pings
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    # Accept notifications of unreachable hosts
    iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
    # Accept notifications to reduce sending speed
    iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
    # Accept notifications of lost packets
    iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
    # Accept notifications of protocol problems
    iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
    # Respond to pings
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    # Accept traceroutes
    iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT

    #
    # List rules
    #
    iptables -L -v

The only difference between the two scripts is that the MASQUERADE command was replaced with SNAT in the OpenVZ example, and eth0 was replaced with venet0.

Execution:
  • Save the scripts as firewall_setup_script.sh and chmod to 755. Execute the script at the Linux command line.
Testing:
  • From your client, connect to the OpenVPN server. Visit http://www.whatismyip.com, and take note whether your IP is shown as your ISP IP or your VPN server IP.

* Definitions:

VPN: Virtual Private Network
VPS: Virtual Private Server
The cure for boredom is curiosity

Rahul
OpenVpn Newbie
Posts: 19
Joined: Fri Oct 14, 2011 5:04 am

Re: IPTABLES secure Internet tunnel

Post by Rahul » Sun Oct 16, 2011 2:27 pm

How do I make the client config and add extra ports?

slartibartfast
OpenVpn Newbie
Posts: 1
Joined: Fri Nov 18, 2011 6:43 pm

Re: IPTABLES secure Internet tunnel

Post by slartibartfast » Fri Nov 18, 2011 6:46 pm

Thanks Bebop :D

I am on an OpenVZ LAMP server. Everything was working except that the server could not ping the clients. Changing the MASQUERADE to SNAT fixed it!!

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: IPTABLES secure Internet tunnel

Post by Bebop » Sat Nov 19, 2011 8:59 pm

slartibartfast wrote:
    Thanks Bebop :D
    I am on an OpenVZ LAMP server. Everything was working except that the server could not ping the clients. Changing the MASQUERADE to SNAT fixed it!!

I appreciate the feedback, thank you.

Also, Rahul, I can help you with some client config; if you start a fresh topic in the forum I (or someone) will help you there.
The cure for boredom is curiosity

jsloan2
OpenVpn Newbie
Posts: 3
Joined: Sat Jan 29, 2011 7:26 pm

Re: IPTABLES secure Internet tunnel

Post by jsloan2 » Mon Jan 16, 2012 3:31 am

I realize this is an old thread but it really helped me get my IPTABLES config squared away.
I would like to just contribute slightly.

This config works fantastically under the condition that you do not have any traffic that originates on the LAN side toward the VPN subnet. (This includes DNS responses.)

To remediate this just add this line:

Code:

    iptables -I FORWARD 3 -d 10.8.0.0/24 -j ACCEPT     #10.8.0.0 ? Check your OpenVPN server.conf to be sure

This in conjunction with the previous configs will accept forwarding requests when your VPN subnet is the SOURCE or DESTINATION.

Thanks for the help Bebop.
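As an added example (not Bebop's or jsloan2's code, and not part of this thread), a shell audit of a ruleset in `iptables -S` form against the invariants the script above and jsloan2's return-path rule establish, including the first-match ordering that makes `-I FORWARD 3` matter rather than `-A`. The `have_rule`, `forward_order_ok` and `audit_ruleset` names are mine, and the rule dumps are constructed samples in iptables-legacy output form, not captured from a server.

```shell
#!/bin/bash
# Offline audit of an iptables ruleset, in the normalized form that
# `iptables -S` / `iptables -t nat -S` print, against the invariants the
# thread's script is meant to establish. The dumps below are constructed.

# Fixed-string whole-line match. iptables normalizes "-p tcp --dport 22" to
# "-p tcp -m tcp --dport 22" and "ESTABLISHED,RELATED" to "RELATED,ESTABLISHED".
have_rule() { printf '%s\n' "$1" | grep -Fxq -- "$2"; }

# FORWARD is first-match: the ACCEPT for traffic *to* the VPN subnet
# (jsloan2's "-I FORWARD 3") must sit above the catch-all REJECT or it is dead.
forward_order_ok() {  # $1 = filter dump, $2 = VPN subnet
    acc=$(printf '%s\n' "$1" | grep -Fxn -- "-A FORWARD -d $2 -j ACCEPT" | cut -d: -f1 | head -n1)
    rej=$(printf '%s\n' "$1" | grep -n -- '^-A FORWARD -j REJECT' | cut -d: -f1 | head -n1)
    [ -n "$acc" ] && [ -n "$rej" ] && [ "$acc" -lt "$rej" ]
}

# audit_ruleset FILTER_DUMP NAT_DUMP VPN_SUBNET: returns 0 if all hold, else 1
audit_ruleset() {
    f="$1"; n="$2"; vpn="$3"; rc=0
    have_rule "$f" "-P INPUT DROP" || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    have_rule "$f" "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT" || { echo "FAIL: SSH 22/tcp not accepted"; rc=1; }
    have_rule "$f" "-A INPUT -p udp -m udp --dport 1194 -j ACCEPT" || { echo "FAIL: OpenVPN 1194/udp not accepted"; rc=1; }
    have_rule "$f" "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" || { echo "FAIL: no INPUT state rule"; rc=1; }
    have_rule "$f" "-A FORWARD -s $vpn -j ACCEPT" || { echo "FAIL: no FORWARD from $vpn"; rc=1; }
    forward_order_ok "$f" "$vpn" || { echo "FAIL: FORWARD to $vpn missing or shadowed by REJECT"; rc=1; }
    printf '%s\n' "$n" | grep -Eq -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT --to-source [0-9.]+)$' \
        || { echo "FAIL: no MASQUERADE/SNAT in nat POSTROUTING"; rc=1; }
    return $rc
}

# Constructed sample: the dedicated-server script plus jsloan2's rule at position 3.
GOOD_FILTER='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'
GOOD_NAT='-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
# Same rules, but the "-d" ACCEPT appended with -A, so it lands below the REJECT.
BAD_FILTER="$(printf '%s\n' "$GOOD_FILTER" | grep -Fxv -- '-A FORWARD -d 10.8.0.0/24 -j ACCEPT')
-A FORWARD -d 10.8.0.0/24 -j ACCEPT"

audit_ruleset "$GOOD_FILTER" "$GOOD_NAT" 10.8.0.0/24 && echo "OK: ruleset matches the thread's design"
audit_ruleset "$BAD_FILTER" "$GOOD_NAT" 10.8.0.0/24 || echo "(expected: the appended return rule is shadowed)"
```

On a live server the dumps come from `iptables -S` and `iptables -t nat -S`; on a host using the nftables backend the state rule may print as `-m conntrack --ctstate`, so adjust that one pattern there.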

pellemannen
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 18, 2013 6:54 pm

Re: IPTABLES secure Internet tunnel

Post by pellemannen » Mon Apr 22, 2013 5:53 pm

Hello and thanks for the scripts!

I'm trying to get my new OpenVPN server to work.
It's installed on Ubuntu 12.04 LTS. I don't have any problem connecting and reaching the local network and the wide world, BUT the client doesn't get the server's public IP when I'm looking at whatsmyip.org.

I used the dedicated server script and added

Code:

    iptables -I FORWARD 3 -d 10.8.0.0/24 -j ACCEPT

It only has one NIC.
Public IP: xxx.xxx.xxx.xxx
eth0-static ip: 10.0.1.3 255.255.255.0
client-net (tun): 10.8.0.0

My test client at this moment is an iPhone...

Any ideas?

dakkar
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 25, 2016 12:14 pm

Re: IPTABLES secure Internet tunnel

Post by dakkar » Fri Mar 25, 2016 12:16 pm

Six years later this is still the best config for LXC and OpenVZ containers. If you are using Proxmox 4 you need to change the venet0 bits to eth# depending on what you set up the container with. The networking is slightly different for the device name in the new versions.
