correct way to configure iptables


correct way to configure iptables

Post by sutra » Mon Jul 24, 2017 3:45 pm

I've got the latest access server virtual appliance (2.1.9) running with 2 x interfaces (1 x public, 1 x private). I'd like to filter traffic using iptables and have entered rules to the ASO_IN_POST chain and they are working after I restart at the client side.

What is the best way to make these rules persist after a server restart? (As they currently do not, even after iptables-save.) I don't want to break the link between openvpn and iptables. Alternatively, is there a better way to configure this that I've somehow missed, as I'm relatively new to openvpn?


Re: correct way to configure iptables

Post by sutra » Thu Jul 27, 2017 1:21 pm

I installed iptables-persistent and have now fixed this issue by running the following script from /usr/local/openvpn_as/scripts:

./confdba --mod --key=iptables.vpn.disable.filter --value=True --prof=Default

There is a page here detailing the Access Server functionality:

https://openvpn.net/index.php/access-se ... erver.html

It contains this text, in case that link ever goes AWOL:

OpenVPN Access Server uses iptables on the host as part of its sophisticated NAT-ing and routing of VPN-related traffic. Access Server adds rules to the "filter", "nat" and "mangle" tables of iptables. Some of these iptables changes are made when openvpnas starts up; others occur when configuration changes are made to the Access Server. There are additional iptables changes that relate to per-user IP addresses and routes in Access Server.

The AS v1.2.0 release also includes the ability to disable particular types of iptables modifications, if the corresponding Access Server functionality is not used (and iptables rule modification is undesirable).
There are three related settings, identified by these config keys:

iptables.vpn.disable.filter
iptables.vpn.disable.nat
iptables.vpn.disable.mangle

For each setting you can use a CLI command to modify the Boolean value. Go to the
/usr/local/openvpn_as/scripts directory and run

./confdba --mod --key=key_name --value=boolean_value --prof=profile_name

where
key_name is one of the three config keys listed above (e.g., "iptables.vpn.disable.nat")
boolean_value is either "True" or "False"
profile_name is the name of the configuration profile (e.g., "Default")
For instance, to disable the Access Server's modification of the iptables NAT table:

./confdba --mod --key=iptables.vpn.disable.nat --value=True --prof=Default

You can use "./confdba --show" to view the config and see the current values for each key. These four config keys are True by default (and treated as True if not defined).

Warning:
Disabling the iptables modification should only be done if you understand the iptables rules that are added by Access Server (by examining output of iptables and/or iptables-save) and you add your own iptables rules that are equivalent to those automatically added by Access Server. Otherwise, disabling these modifications will most likely render Access Server inoperable.

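The warning quoted above asks you to examine iptables-save and reproduce what Access Server adds before setting iptables.vpn.disable.filter (or the nat/mangle keys) and leaving persistence to iptables-persistent. The script below is an added example, not from the original post or from OpenVPN. It assumes the chains Access Server creates are named with the prefix AS0_ (the post writes ASO_IN_POST; treat the prefix as an assumption and pass whatever your own iptables-save shows) and uses a constructed iptables-save dump as sample input. as_chain_rules lists every definition and reference of those chains, table by table, which is the material you have to carry over into /etc/iptables/rules.v4 by hand; missing_rules is the post-reboot check, reporting any of your own rules (a file of the "-A" lines you persisted) that the live ruleset no longer contains.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN Access Server.
# Assumption: the chains Access Server creates are named with the prefix
# passed as $1 (AS0_ is used below; the post writes ASO_IN_POST).

# List every line of an iptables-save dump (stdin) that defines a chain
# with the given prefix (":NAME") or references one (-A NAME, -j NAME,
# -g NAME), each prefixed with the table it belongs to.
as_chain_rules() {
    awk -v p="$1" '
        /^\*/ { table = substr($0, 2); next }   # "*filter" -> current table
        /^:/  { if (index(substr($1, 2), p) == 1) print table ": " $0; next }
        /^-A/ {
            for (i = 2; i <= NF; i++)
                if (($(i-1) == "-A" || $(i-1) == "-j" || $(i-1) == "-g") && index($i, p) == 1) {
                    print table ": " $0
                    break
                }
        }
    '
}

# Post-reboot check: print each rule line in file $1 (your own "-A ..."
# lines, e.g. the ones you keep in /etc/iptables/rules.v4) that does not
# occur verbatim in the dump read from stdin. Returns 1 if any is missing.
missing_rules() {
    dump=$(cat)
    status=0
    while IFS= read -r rule || [ -n "$rule" ]; do
        case "$rule" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$dump" | grep -qxF -- "$rule"; then
            printf 'MISSING: %s\n' "$rule"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Constructed sample dump standing in for `iptables-save` on the appliance;
# the addresses, the chain names other than AS0_IN_POST and the rule
# bodies are made up for this example.
sample_dump() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:AS0_IN - [0:0]
:AS0_IN_POST - [0:0]
-A INPUT -i as0t+ -j AS0_IN
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_POST -s 172.27.224.0/20 -d 10.0.0.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A AS0_IN_POST -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:AS0_NAT_PRE - [0:0]
-A PREROUTING -j AS0_NAT_PRE
-A POSTROUTING -s 172.27.224.0/20 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Demo: everything that would have to be reproduced by hand before
# disabling the Access Server iptables modifications (the sshd rule on
# INPUT is not Access Server's and is left out).
sample_dump | as_chain_rules AS0_
```

On the appliance itself you would run `iptables-save | as_chain_rules AS0_` before changing any confdba key, and `iptables-save | missing_rules my-as0-rules` after a reboot, where my-as0-rules holds the "-A" lines you added; a non-zero exit means the rules were not restored, which is exactly the gap iptables-persistent has to fill once Access Server no longer manages the filter table.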