Persisting iptables config after reboot

tfrearson
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 29, 2016 7:57 pm

Persisting iptables config after reboot

Postby tfrearson » Fri Oct 07, 2016 4:04 pm

I have a question about the openvpn appliance. I deployed it last week and most everything has been working great. One of the things I wanted out of my VPN is being able to restrict access to certain services on the domain. The approach I have taken is to edit the iptables config on the appliance so that only certain ports (DNS, HTTPS, ping, etc...) will work. The thing I am having trouble with is getting the iptables configuration to persist on a reboot.

I have made changes with the iptables command:

Code: Select all

sudo iptables -I AS0_IN_POST 1 -p tcp --dport 80 -d 192.168.1.0/24 -j ACCEPT

and then save that configuration to a file. I have tried both:

Code: Select all

iptables-save > /usr/share/iptables.uprules

and

Code: Select all

iptables-save /etc/iptables.uprules

Then I add a script to /etc/network/if-pre-up.d/iptablesup.

Code: Select all

#!/bin/sh
iptables-restore < /usr/share/iptables.uprules
exit 0

I have tried restoring from both of the paths that I have saved to as well as trying to put the script in /etc/network/if-up.d/
When I reboot I get the same configuration that is loaded by default by openvpn_as. I have added some logging to the script and can see that it is actually running with the expected results so it seems like sometime after if-up runs, openvpn_as is applying it's own configuration. I can't find where for the life of me though.

I may be going about this the wring way, maybe there is somewhere in the openvpn_as configuration I should be declaring these services, maybe I don't need iptables at all?

Any help here would be much appreciated, I am so close to being able to start having people use this!

sutra
OpenVpn Newbie
Posts: 7
Joined: Fri Jul 21, 2017 8:10 am

Re: Persisting iptables config after reboot

Postby sutra » Tue Jul 25, 2017 11:47 am

Did you ever find a way to resolve this? I'm having the same problem and I'm keen to find a way of saving iptables after a reboot without breaking the link between openvpn<>iptables

TiTex
OpenVPN Expert
Posts: 209
Joined: Tue Apr 12, 2011 6:22 am

Re: Persisting iptables config after reboot

Postby TiTex » Tue Jul 25, 2017 12:14 pm

on redhat/centos 7 based appliance you can do
yum install iptables-services
service iptables start - start the service
service iptables enable - enable to start the service when system starts
service iptables save - save your rules , after you've added your rules

you can also create a systemd service unit or create a simple bash script and add it's full path to your /etc/rc.local (make sure rc.local and the script is executable in this case)

on ubuntu/debian you could do among other ways
in /etc/network/interfaces , something like

Code: Select all

iface eth0 inet static
       address 10.10.0.10
       netmask 255.255.255.0
       dns-nameservers 8.8.8.8
       pre-up iptables-restore < /etc/iptables.save


also from the man page
There exists for each of the above mentioned options a directory /etc/network/if-<option>.d/ the scripts in which are run (with no arguments) using run-parts(8) after the option itself has been pro‐
cessed. Please note that as post-up and pre-down are aliases, no files in the corresponding directories are processed. Please use if-up.d and if-down.d directories instead.


and the scripts probably should be executable

sutra
OpenVpn Newbie
Posts: 7
Joined: Fri Jul 21, 2017 8:10 am

Re: Persisting iptables config after reboot

Postby sutra » Wed Jul 26, 2017 8:44 am

I've got the access server (ubuntu) appliance downloaded from the openvpn site, so I'll try adding the iptables-restore command to the interfaces file. Thanks

sutra
OpenVpn Newbie
Posts: 7
Joined: Fri Jul 21, 2017 8:10 am

Re: Persisting iptables config after reboot

Postby sutra » Thu Jul 27, 2017 7:59 am

I had no joy with adding the following to /etc/network/intefaces after iptables-save > /etc/iptables.save

Code: Select all

pre-up iptables-restore < /etc/iptables.save


tried adding it to /etc/rc.local too without success so I installed:

Code: Select all

apt-get install iptables-persistent


tried various ways of saving the current iptables including

Code: Select all

dpkg-reconfigure iptables-persistent
iptables-save > /etc/iptables/rules.v4
netfilter-persistent save


iptables rules still not persisting after a reboot

sutra
OpenVpn Newbie
Posts: 7
Joined: Fri Jul 21, 2017 8:10 am

Re: Persisting iptables config after reboot

Postby sutra » Thu Jul 27, 2017 1:19 pm

Now fixed this issue by running the following script from /usr/local/openvpn_as/scripts

Code: Select all

 ./confdba --mod --key=iptables.vpn.disable.filter --value=True --prof=Default


page here detailing the access server functionality:

https://openvpn.net/index.php/access-se ... erver.html

contains this text if that link ever goes awol:

OpenVPN Access Server uses iptables on the host as part of its sophisticated NAT-ing and routing of VPN-related traffic. Access Server adds rules to the "filter", "nat" and "mangle" tables of iptables. Some of these iptables changes are made when openvpnas starts up; others occur when configuration changes are made to the Access Server. There are additional iptables changes that relate to per-user IP addresses and routes in Access Server.

The AS v1.2.0 release also includes the ability to disable particular types of iptables modifications, if the corresponding Access Server functionality is not used (and iptables rule modification is undesirable).
There are three related settings, identified by these config keys:

iptables.vpn.disable.filter
iptables.vpn.disable.nat
iptables.vpn.disable.mangle

For each setting you can use a CLI command to modify the Boolean value. Go to the
/usr/local/openvpn_as/scripts directory and run

./confdba --mod --key=key_name --value=boolean_value --prof=profile_name

where
key_name is one of the three config keys listed above (e.g., "iptables.vpn.disable.nat")
boolean_value is either "True" or "False"
profile_name is the name of the configuration profile (e.g., "Default")
For instance, to disable the Access Server's modification of the iptables NAT table:

./confdba --mod --key=iptables.vpn.disable.nat --value=True --prof=Default

You can use "./confdba --show" to view the config and see the current values for each key. These four config keys are True by default (and treated as True if not defined).

Warning:
Disabling the iptables modification should only be done if you understand the iptables rules that are added by Access Server (by examining output of iptables and/or iptables-save) and you add your own iptables rules that are equivalent to those automatically added by Access Server. Otherwise, disabling these modifications will most likely render Access Server inoperable.


Return to “General Questions”

Who is online

Users browsing this forum: No registered users and 2 guests