iptables hardening - Limit output connection to few servers

CoyoteKG
OpenVpn Newbie
Posts: 5
Joined: Tue Jun 20, 2017 12:53 pm

Post by CoyoteKG » Fri Jul 21, 2017 12:01 pm

Hi,
I first tried to find and understand guides, but without success.

At this moment I have configured an OpenVPN server, and I think all traffic goes through it. And that is good :).
It confused me because in the network adapters for both devices (network card and TAP device) I see that I have Internet access.
But I tested it in a funny way :). I stayed connected to OpenVPN and restarted the server; while it was restarting I did not have an internet connection until the server came online again.
But that is exactly what I want! To have all internet traffic go through the OpenVPN connection.

There is one problem. I want to limit that connection to only a few of our servers. I tried to block all outgoing traffic except SSH and UDP OpenVPN, but unfortunately I still have access to the internet.
This is what I did until now, and obviously my iptables knowledge is not good enough because I did not block it.

This is the current status:

[root@vpn ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp spt:openvpn

[root@vpn ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          anywhere

So as you see, I drop OUTPUT traffic and accept only SSH and OpenVPN, but when I'm connected to the VPN I can surf without problem.
I first want to block all traffic, and then enable only FTP, MySQL, MSSQL, SSH, RDP, etc. to a few of our servers. Also to browse websites which are hosted on those servers.

Can you help me understand iptables, and where I'm wrong?

Re: iptables hardening - Limit output connection to few servers

Post by CoyoteKG » Fri Jul 21, 2017 1:57 pm

OK, I think I solved it.
I changed the FORWARD chain policy to DROP, and added 2 rules.
So now it is:

[root@vpn ~]# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.8.0.0/24 srv.xx.com
ACCEPT all -- srv.xx.com 10.8.0.0/24

And it works for now.
I'm able to open sites hosted by that server, connect to FTP, SSH, etc.
And I can't do that on any other.

I hope that will be enough :)

Re: iptables hardening - Limit output connection to few servers

Post by CoyoteKG » Tue Aug 01, 2017 8:38 am

Hi,

I have a new problem.
Sites from the web server which I added to the FORWARD chain work very slowly. :/
This is because most sites have JS and fonts which are linked from other public (for example Google) servers. Those servers are not included in my iptables, so the sites try to download that JS, fail after 30 seconds, and the site shows without it.

What is the best way to set up OpenVPN to disallow users from using it for torrents, darkweb, etc.?
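A tightened version of the FORWARD-chain allowlist from the second post, as an added example that is not the poster's own ruleset: reply traffic is matched statefully instead of with a blanket server-to-client ACCEPT, and a rate-limited LOG rule records which destinations the policy drops, which is how the slow-page symptom in the last post can be traced to a blocked third-party host. It assumes the tunnel interface is tun0, uses placeholder server addresses, and assumes the nf_conntrack_ftp helper is loaded for FTP data channels.

```shell
#!/bin/sh
# Constructed example (not the poster's ruleset): build a FORWARD-chain
# allowlist so OpenVPN clients in 10.8.0.0/24 can only reach a few servers.
# Run without arguments to print the rules; APPLY=1 executes them (as root).

VPN_NET="10.8.0.0/24"
TUN_IF="tun0"                           # assumption: OpenVPN tunnel interface
ALLOWED_SERVERS="192.0.2.10 192.0.2.20" # placeholders, not real hosts

# Emit the iptables commands, one per line, in the order they must be applied.
forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Return traffic for connections the clients opened. FTP data channels
    # only match RELATED if the nf_conntrack_ftp helper is loaded (assumed).
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Clients may open NEW connections only to the listed servers. No
    # server->client ACCEPT is needed, so a server cannot initiate into the VPN.
    for srv in $ALLOWED_SERVERS; do
        echo "iptables -A FORWARD -i $TUN_IF -s $VPN_NET -d $srv -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of everything else; a slow page can be traced to the
    # third-party host whose requests show up here before the policy drops them.
    echo "iptables -A FORWARD -i $TUN_IF -s $VPN_NET -m limit --limit 5/min -j LOG --log-prefix \"VPN-FWD-DROP: \""
}

# Count the rules that will be appended (policy and flush excluded).
count_rules() { forward_rules | grep -c -- '-A FORWARD'; }

# Exit 0 if a destination address is on the allowlist, 1 otherwise.
is_allowed() {
    for srv in $ALLOWED_SERVERS; do
        [ "$1" = "$srv" ] && return 0
    done
    return 1
}

if [ "${APPLY:-0}" = "1" ]; then
    forward_rules | while read -r cmd; do eval "$cmd"; done
else
    forward_rules
fi
```

Dropped requests appear in the kernel log with the VPN-FWD-DROP prefix, so adding a host that a page legitimately needs is a matter of reading that log rather than guessing.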
