iptables for openvpn

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

iptables for openvpn

Post by greg » Fri Mar 11, 2011 10:47 am

Hello,

There are millions of iptables scripts for OpenVPN on the internet, but none of them works. I have 3 daemons with one interface, eth0. Here are my rules:

Code:

#!/bin/sh

# Flush the current filter table
iptables -t filter -F

# Delete user-defined chains
iptables -t filter -X

# Flush all NAT rules
iptables -t nat -F

# Deny all incoming, forwarded and outgoing traffic by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# Do not break established connections (INPUT and OUTPUT chains)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# DNS in/out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# SSH in
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

# SSH out
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# Authentication server (inserted at the top of INPUT)
iptables -I INPUT -s 11.11.11.11 -j ACCEPT

# PPTP: forward between the ppp interfaces and eth0, accept the control channel (TCP 1723) and GRE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT

# OpenVPN: three daemons on 1194-1196, TCP and UDP
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 1195 -j ACCEPT
iptables -A INPUT -p tcp --dport 1196 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --dport 1195 -j ACCEPT
iptables -A INPUT -p udp --dport 1196 -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -j ACCEPT

# Anything arriving on a tun interface
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
# Allow all outgoing traffic (the OUTPUT DROP policy and the OUTPUT rules below no longer matter)
iptables -A OUTPUT -j ACCEPT

# HTTP + HTTPS out (only 443 is opened)
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# HTTP + HTTPS in (only 443 is opened)
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

# Flood limiting on forwarded traffic
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT

# Port scans: drop invalid TCP flag combinations on eth0
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

# NAT rules, one per client pool, e.g.: iptables -t nat -A POSTROUTING -s 10.1.0.0/255.255.255.240 -o eth0 -j SNAT --to 72.20.26.97
iptables -t nat -A POSTROUTING -s 10.1.0.16/255.255.255.240 -o eth0 -j SNAT --to some-ip-here
iptables -t nat -A POSTROUTING -s 10.1.0.32/255.255.255.240 -o eth0 -j SNAT --to some-ip-here
iptables -t nat -A POSTROUTING -s 10.1.0.48/255.255.255.240 -o eth0 -j SNAT --to some-ip-here

etc.

What did I miss?


thanks

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: iptables for openvpn

Post by Bebop » Fri Mar 11, 2011 11:44 am

greg wrote: There are millions of iptables scripts for OpenVPN on the internet, but none of them works
First: what are you trying to achieve (tunneling, networking, remote access)? What architecture is your server on (dedicated or VPS)?

iptables can be configured to 'work' in just a few lines, but until you know your specific goals, a specific config is not possible.

If you want a simple tunnel, with security then I can show you a setup which definitely works: topic7722.html

I wrote that for myself, and have used it many times -- so if it is a tunnel you want, then the code is there to use. If not a tunnel, then do specify.

At the very core is this:

Code:

#
# Accept connections on 1194 for VPN access from clients
# Take note that the rule says "UDP", and ensure that your OpenVPN server.conf says UDP too
#
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

#
# Apply forwarding for OpenVPN tunneling
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# 10.8.0.0/24 ? Check your OpenVPN server.conf to be sure
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#
# Enable forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward
You NEED that. Everything else is optional.

If you do find your solution here, please write back and share what it was.
The cure for boredom is curiosity

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: iptables for openvpn

Post by greg » Sat Mar 19, 2011 8:44 am

hello bebop,

Sorry for replying late...

I tried your script and it is working if I don't drop the incoming traffic:

Code:

iptables -t filter -P INPUT ACCEPT 
iptables -t filter -P FORWARD ACCEPT 
iptables -t filter -P OUTPUT ACCEPT 
But that is not really secure, is it?

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: iptables for openvpn

Post by Bebop » Sat Mar 19, 2011 8:53 am

greg wrote: not really secure?
Definitely not as secure. It would depend on what ports you want to prevent others from seeing on your machine.

If you are happy to leave it as it is, then there is no need to worry further. If security is absolutely a top priority, then it may be worth trying it with 'drop' again.
The cure for boredom is curiosity
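Bebop's core rules, combined with the default-DROP policies greg wanted to keep, as an added example; this is not code posted by either of them. It assumes eth0 is the WAN interface, SSH listens on 22, the three OpenVPN daemons use UDP 1194-1196 and the client pools are the three /28 subnets from greg's NAT rules (10.1.0.16/28, 10.1.0.32/28, 10.1.0.48/28); adjust the variables at the top. The ruleset is emitted in iptables-restore format and loaded in one shot, so there is no window between flushing and re-adding the SSH rule, and a syntax error rejects the whole file instead of leaving the box half-configured. Run it with no argument to print the ruleset, or with `apply` as root to load it and enable forwarding.

```sh
#!/bin/sh
# Added example for this thread, not code posted by greg or Bebop.
# Default-deny iptables ruleset for an OpenVPN server with three daemons,
# emitted in iptables-restore format so the tables are replaced atomically.
# Assumed values (WAN interface and SSH port are not stated in the thread):
WAN_IF=eth0
SSH_PORT=22
VPN_PORTS="1194 1195 1196"                          # one UDP port per daemon
VPN_NETS="10.1.0.16/28 10.1.0.32/28 10.1.0.48/28"   # one client pool per daemon

# Filter table: DROP policies, conntrack first, then explicit allows.
build_filter() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT DROP [0:0]'
  # Replies to connections we already accepted, in all three chains. Without
  # the FORWARD entry, packets coming back from the WAN toward tun+ match no
  # rule and hit the DROP policy, so "tun+ -> eth0 ACCEPT" alone is not enough.
  for chain in INPUT FORWARD OUTPUT; do
    echo "-A $chain -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  done
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A OUTPUT -o lo -j ACCEPT'
  echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT'
  echo "-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
  for port in $VPN_PORTS; do
    echo "-A INPUT -i $WAN_IF -p udp --dport $port -j ACCEPT"
  done
  # Clients may query the server's own resolver (if server.conf pushes it)...
  echo '-A INPUT -i tun+ -p udp --dport 53 -j ACCEPT'
  echo '-A INPUT -i tun+ -p tcp --dport 53 -j ACCEPT'
  # ...and be forwarded to the WAN, but only with a source address from their
  # own pool, so a client cannot spoof another subnet through the tunnel.
  for net in $VPN_NETS; do
    echo "-A FORWARD -i tun+ -o $WAN_IF -s $net -j ACCEPT"
  done
  # Anything else forwarded (including client-to-client across daemons) is
  # refused with an ICMP error rather than silently timing out.
  echo '-A FORWARD -j REJECT'
  # The server's own outbound traffic.
  echo "-A OUTPUT -o $WAN_IF -j ACCEPT"
  echo '-A OUTPUT -o tun+ -j ACCEPT'
  echo 'COMMIT'
}

# NAT table: masquerade each client pool behind the WAN address. Use
# "-j SNAT --to-source <ip>" instead if each pool needs a fixed public IP.
build_nat() {
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':INPUT ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  for net in $VPN_NETS; do
    echo "-A POSTROUTING -s $net -o $WAN_IF -j MASQUERADE"
  done
  echo 'COMMIT'
}

build_rules() { build_filter; build_nat; }

# True if the generated ruleset contains exactly this rule line.
has_rule() { build_rules | grep -Fqx -- "$1"; }

# Enable forwarding and load both tables atomically.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  build_rules | iptables-restore
}

case "${1:-print}" in
  apply) apply_rules ;;
  *)     build_rules ;;
esac
```

Check what is actually exposed afterwards with `iptables -S INPUT` and `ss -lntu` from the box, and from outside with a port scan against the WAN address; with the policies at DROP only SSH, the three OpenVPN ports and rate-limited ping should answer.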

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: iptables for openvpn

Post by greg » Sat Mar 19, 2011 8:57 am

I will keep that for the moment. I have another problem with the virtual interfaces...

I will update this topic later.

Thanks
