iptables firewall configuration....

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Captnemo
OpenVpn Newbie
Posts: 2
Joined: Sat Jul 20, 2019 8:05 pm

iptables firewall configuration....

Post by Captnemo » Tue Jan 18, 2022 11:21 pm

Linux - Can someone clue me in on the correct firewall rules to:

1) Allow local network traffic (10.x.x.x & 192.168.x.x) to go in/out eth0
2) Allow the necessary OpenVPN traffic (0.0.0.0) to go out eth0
3) Force all other traffic (0.0.0.0) to go in/out TUN0

Bare minimum question: what ports are necessary for OpenVPN to connect and work?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: iptables firewall configuration....

Post by openvpn_inc » Thu Jan 20, 2022 3:51 pm

Aye-aye, Captain!
Captnemo wrote:
Tue Jan 18, 2022 11:21 pm
Linux - Can someone clue me in on the correct firewall rules to:

1) Allow local network traffic (10.x.x.x & 192.168.x.x) to go in/out eth0
2) Allow the necessary OpenVPN traffic (0.0.0.0) to go out eth0
3) Force all other traffic (0.0.0.0) to go in/out TUN0

Bare minimum question: what ports are necessary for OpenVPN to connect and work?
Well, you are confused. And we don't really do much iptables help here. I can recommend the #Netfilter channel on libera.chat IRC, and please do read the /topic if you go there. You can find some sample rulesets which can help you get started. Another place you should look is at the very excellent openvpn HOWTO. While you're there, look around the rest of the wiki as well.

Note that by default nothing is blocked, so no packets are blocked until you tell the kernel (via iptables(8)) to DROP or REJECT those packets. So that answers #1 and #2. For #3 you have routing rules that tell the kernel what to do with any given packet.

One very common mistake worth mentioning here: forwarded packets do not go through INPUT and OUTPUT chains! That's what FORWARD is for. Another thing worth mentioning: newer distros have mostly moved to use nft(8) by default; so iptables rules are translated into nft. That might be fine for simple needs, but in some cases you might want to point the /usr/sbin/iptables binary to iptables-legacy. Look up in your distro's documentation how that would be done (maybe alternatives or update-alternatives.)

hth, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
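The ruleset below is an added example, not part of the thread and not OpenVPN's own material: it puts the three requirements from the question into iptables-restore(8) form and follows rob0's points (nothing is blocked until you ask for it, and forwarded packets use FORWARD, not INPUT/OUTPUT). Assumptions not stated on the page: the LAN is on eth0 and the tunnel is tun0 as in the question, the server is reached on UDP 1194 (OpenVPN's default port), and the server address 203.0.113.10 is a placeholder from the TEST-NET-3 documentation range that you replace with your own. Running the script with no argument only prints the rules; `apply` feeds them to iptables-restore and needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or, with "apply", loads) an
# iptables ruleset for a Linux OpenVPN client that must:
#   1) talk to 10/8 and 192.168/16 only on the LAN interface,
#   2) let the OpenVPN session itself leave on the LAN interface,
#   3) send everything else through the tunnel and refuse other exits.
# All interface names, the port and the server address are assumptions.

LAN_IF="${LAN_IF:-eth0}"                   # assumed, as in the question
VPN_IF="${VPN_IF:-tun0}"                   # assumed, as in the question
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder (TEST-NET-3); replace
VPN_PORT="${VPN_PORT:-1194}"               # OpenVPN's default port (assumed)
VPN_PROTO="${VPN_PROTO:-udp}"              # OpenVPN's default transport (assumed)

# build_rules writes the ruleset in iptables-save/iptables-restore format.
build_rules() {
    cat <<EOF
*filter
# Default-deny: only what the rules below allow gets through.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback is always allowed.
-A INPUT  -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Replies to connections this host opened, on $LAN_IF or $VPN_IF.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# DHCP on the LAN side, otherwise the host may never get an address.
-A OUTPUT -o $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT

# 1) Local networks only in/out $LAN_IF (RFC 1918 10/8 and 192.168/16).
#    A LAN resolver in one of these ranges is reachable before the tunnel
#    is up, which is what lets the server name be resolved at all.
-A INPUT  -i $LAN_IF -s 10.0.0.0/8     -j ACCEPT
-A INPUT  -i $LAN_IF -s 192.168.0.0/16 -j ACCEPT
-A OUTPUT -o $LAN_IF -d 10.0.0.0/8     -j ACCEPT
-A OUTPUT -o $LAN_IF -d 192.168.0.0/16 -j ACCEPT

# 2) The OpenVPN session itself must leave on $LAN_IF; without this line
#    the tunnel can never come up.
-A OUTPUT -o $LAN_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT

# 3) Everything else may only leave through the tunnel. Routing (the
#    default route OpenVPN installs) steers traffic to $VPN_IF; this pair
#    of rules only refuses packets that try any other exit, e.g. when the
#    tunnel is down and the old default route is back.
-A OUTPUT -o $VPN_IF -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited

# No FORWARD rules: this host does not route for other machines. If it did,
# those packets would need FORWARD rules; INPUT and OUTPUT never see them.
COMMIT
EOF
}

# apply_rules loads the ruleset atomically (root required).
apply_rules() {
    build_rules | iptables-restore
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

On a distro where `iptables` is the nft-backed shim, `iptables-restore` still accepts this file and `nft list ruleset` shows the translated result; `iptables-save` afterwards confirms what was actually loaded. The REJECT at the end of OUTPUT is deliberate: with a bare DROP policy, applications hang until they time out, while an ICMP admin-prohibited reply makes a leak attempt fail immediately and visibly in logs.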
