iptables is blocking 1194 when i tell it not to...

maskedkuma
OpenVpn Newbie
Posts: 3
Joined: Tue Aug 01, 2017 10:46 am


Post by maskedkuma » Tue Aug 01, 2017 10:51 am

I want to block eth0 incoming traffic, with exceptions for 22, 80 and 443, and allow all incoming traffic on tun0.

I have an OpenVPN client config with route-nopull, and I add routes from a script with route add -net 10.8.0.0/24 dev tun0. On the server I have client-to-client and specify static IPs with client-config-dir.

I have found that ufw was messing up my config, so I am trying with traditional iptables rules. With the below rules, everything works as desired, except that I am wide open on the internet.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s EXTERNALIP/32 -o enp0s20f0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT ! -s EXTERNALIP/32 -o enp0s20f0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT ! -s EXTERNALIP/32 -o enp0s20f0 -j REJECT --reject-with icmp-port-unreachable

When I try to nail it down with the following, I can no longer connect to the VPN on 1194. I can still connect on ssh and http via eth0.

-A INPUT  -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A INPUT -i eth0 -j DROP

Specifically, everything works until I add the last line...

I have tried iptables -P INPUT DROP with the same effect, and many other variables - it prevents 1194 access from eth0.

TiTex
OpenVPN Expert
Posts: 269
Joined: Tue Apr 12, 2011 6:22 am

Re: iptables is blocking 1194 when i tell it not to...

Post by TiTex » Wed Sep 27, 2017 2:12 pm

As I see it, you are only allowing NEW packets, which is when the first sequence in a session is seen by the netfilter/network stack (this is where you can rate limit, for example), and no RELATED traffic is allowed, which means it will never get ESTABLISHED.
I might be wrong here, but that's my understanding of this.
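The ruleset below is an added example, not code posted in this thread or shipped by OpenVPN. It assumes the host is the OpenVPN client (the first post mentions a client config with route-nopull), so the inbound VPN packets carry source port 1194 and an ephemeral destination port, which a "--dport 1194" INPUT rule does not match; a generic ESTABLISHED,RELATED accept placed before any DROP covers them. Interface names (eth0, tun0) and ports are taken from the post; the check function at the end is a constructed helper that flags a ruleset lacking such a generic stateful rule.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for an
# OpenVPN client host that accepts only TCP 22,80,443 from the WAN, everything
# on the tunnel, and drops the rest. Arguments assumed from the post.

# vpn_client_rules WAN_IF TUN_IF VPN_UDP_PORT TCP_PORTS  -> ruleset on stdout
vpn_client_rules() {
    wan="$1"; tun="$2"; vpn_port="$3"; tcp_ports="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Generic stateful accept comes first: it covers replies to every connection
# this host starts, including the VPN handshake, whose inbound packets have
# SOURCE port $vpn_port and an ephemeral destination port.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $tun -j ACCEPT
-A INPUT -i $wan -p tcp -m multiport --dports $tcp_ports -m conntrack --ctstate NEW -j ACCEPT
# Anything else arriving on $wan falls through to the INPUT DROP policy.
# Per-user egress restrictions (the OUTPUT rules from the first post) can be
# appended here before COMMIT.
COMMIT
EOF
}

# has_generic_established  (ruleset on stdin)
# Succeeds if the INPUT chain has a stateful ACCEPT that is not tied to an
# interface, protocol or port. The thread's second ruleset has only
# "--state NEW,ESTABLISHED --dport 1194", so it fails this check.
has_generic_established() {
    grep -- '^-A INPUT ' | grep -- '-j ACCEPT' \
      | grep -E -- '--(ctstate|state) [A-Z,]*ESTABLISHED' \
      | grep -qvE -- '(-i |-p |--dport|--sport)'
}

# Usage: vpn_client_rules eth0 tun0 1194 22,80,443 | iptables-restore --test
if [ "${1:-}" = "print" ]; then
    vpn_client_rules eth0 tun0 1194 22,80,443
fi
```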
