Persisting iptables config after reboot
Posted: Fri Oct 07, 2016 4:04 pm
I have a question about the openvpn appliance. I deployed it last week and most everything has been working great. One of the things I wanted out of my VPN is being able to restrict access to certain services on the domain. The approach I have taken is to edit the iptables config on the appliance so that only certain ports (DNS, HTTPS, ping, etc...) will work. The thing I am having trouble with is getting the iptables configuration to persist on a reboot.
I have made changes with the iptables command:

    sudo iptables -I AS0_IN_POST 1 -p tcp --dport 80 -d 192.168.1.0/24 -j ACCEPT

and then save that configuration to a file. I have tried both:

    iptables-save > /usr/share/iptables.uprules

and

    iptables-save > /etc/iptables.uprules

Then I add a script to /etc/network/if-pre-up.d/iptablesup:

    #!/bin/sh
    iptables-restore < /usr/share/iptables.uprules
    exit 0

I have tried restoring from both of the paths that I have saved to, as well as trying to put the script in /etc/network/if-up.d/.
When I reboot I get the same configuration that is loaded by default by openvpn_as. I have added some logging to the script and can see that it is actually running with the expected results, so it seems like sometime after if-up runs, openvpn_as is applying its own configuration. I can't find where for the life of me, though.
I may be going about this the wrong way; maybe there is somewhere in the openvpn_as configuration I should be declaring these services, maybe I don't need iptables at all?
Any help here would be much appreciated, I am so close to being able to start having people use this!
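Added example for the procedure in the post above; this is not code from the original post or from OpenVPN Access Server. It turns the post's single rule into a small allow-list script with two things the post lacks: a re-apply step that can be run from a boot script any number of times without stacking duplicate rules, and a check that reads an `iptables-save` dump and reports which allowed services have no ACCEPT rule, which is what you want to run after a reboot to see exactly what openvpn_as threw away. Assumptions (placeholders, not from the post): `LAN` is the internal subnet the VPN clients may reach, the service list is the one the post sketches (DNS, HTTPS, ping) plus HTTP from the post's own rule, and `AS0_IN_POST` is the chain the post inserts into. The final REJECT is an assumption too; the post does not say what the chain ends with.

```shell
#!/bin/sh
# Added example for the post above; not code from the original post or from
# OpenVPN Access Server. Assumptions (placeholders, not from the post): LAN is
# the internal subnet VPN clients may reach, and the allow-list is the one the
# post sketches (DNS, HTTPS, ping) plus HTTP, the port the post's own rule used.
# AS0_IN_POST is the chain the post inserts into. Only apply_rules needs root
# and iptables; the other functions work on an iptables-save dump as text.

LAN="${LAN:-192.168.1.0/24}"
CHAIN="${CHAIN:-AS0_IN_POST}"

# Allowed services as "proto dport" pairs; ICMP echo is added separately.
SERVICES="udp 53
tcp 53
tcp 443
tcp 80"

# Print the rule set in iptables-restore syntax: one ACCEPT per service, ICMP
# echo, then a REJECT for everything else bound for the LAN (assumed; the post
# does not say what the chain ends with). Wrap the output in *filter/COMMIT to
# re-load it with iptables-restore.
gen_rules() {
  echo "$SERVICES" | while read -r proto port; do
    printf '%s %s -d %s -p %s --dport %s -j ACCEPT\n' "-A" "$CHAIN" "$LAN" "$proto" "$port"
  done
  printf '%s %s -d %s -p icmp --icmp-type echo-request -j ACCEPT\n' "-A" "$CHAIN" "$LAN"
  printf '%s %s -d %s -j REJECT\n' "-A" "$CHAIN" "$LAN"
}

# rule_present PROTO PORT  (dump on stdin): succeed if the dump holds an ACCEPT
# for that service. iptables-save adds "-m tcp"/"-m udp" before --dport, so the
# pattern allows anything between the protocol and the port.
rule_present() {
  grep -Eq -- "^-A $CHAIN -d $LAN -p $1 .*--dport $2 -j ACCEPT$"
}

# missing_rules  (dump on stdin): print "proto port" for each allowed service
# that has no ACCEPT rule. Run "iptables-save | missing_rules" after a reboot;
# empty output means the allow-list survived.
missing_rules() {
  dump=$(cat)
  echo "$SERVICES" | while read -r proto port; do
    printf '%s\n' "$dump" | rule_present "$proto" "$port" || echo "$proto $port"
  done
}

# apply_rules: re-apply the rule set at the top of the chain, in order, without
# stacking duplicates when run twice. Each rule is first deleted as often as it
# exists (iptables -D fails once no copy is left), then inserted at the next
# position. Needs root; not exercised by the text-only checks.
apply_rules() {
  pos=1
  gen_rules | while read -r flag chain spec; do
    # $spec is intentionally unquoted so the rule splits into iptables arguments.
    while iptables -D "$CHAIN" $spec 2>/dev/null; do :; done
    iptables -I "$CHAIN" "$pos" $spec
    pos=$((pos + 1))
  done
}

# "sh vpnrules.sh apply" from a boot script, or
# "iptables-save | sh vpnrules.sh check" to list what did not persist.
case "${1:-}" in
  apply) apply_rules ;;
  check) missing_rules ;;
esac
```

Calling `apply_rules` from the if-pre-up script instead of a bare `iptables-restore` means the script stays safe to run repeatedly (for example again after openvpn_as has started), and `iptables-save | sh vpnrules.sh check` gives a precise answer to "did my rules survive" rather than eyeballing the whole table. The presence check matches on the destination, protocol and port fields rather than the literal rule text because `iptables-save` normalises option order and inserts `-m tcp`/`-m udp`.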