OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

Allow openvpn on this Iptables config

https://forums.openvpn.net/viewtopic.php?t=21366

Page 1 of 1

Allow openvpn on this Iptables config

Posted: Fri Mar 25, 2016 2:16 pm
by end
hi all,

i have this rules on my laptop and works great, i have old script that works with openvpn but i lost it and now i tray everithing from google and nothing worked...
i know that problem is that i block everithing so i need help to allow vpn on this script...i use debian and gnome-vpn...this is iptables rules...
so please help
thank you people


#!/bin/bash
IPT=/sbin/iptables

# flush all current rules
$IPT -F


# set default policy on INPUT and OUTPUT chains to DROP packets that dont match the rules
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A OUTPUT -o wlan0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o wlan0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -p tcp --dport 25 -j DROP
iptables -A INPUT -s 127.0.0.1/8 -j DROP
#xmasblock
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP


# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP


$IPT -A INPUT -p tcp -j LOG --log-prefix ' INPUT TCP ' --log-level 7

# We don't care about Milkosoft, Drop SMB/CIFS/etc..
iptables -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
iptables -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic
iptables -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
iptables -A OUTPUT -m state --state INVALID -j DROP

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
iptables -A FORWARD -m state --state INVALID -j DROP

# PORT Scanners (stealth also)
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
iptables -A SYN_FLOOD -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG

# Drop any traffic from IANA-reserved IPs.
#------------------------------------------------------------------------------

iptables -A INPUT -s 0.0.0.0/7 -j DROP
iptables -A INPUT -s 2.0.0.0/8 -j DROP
iptables -A INPUT -s 5.0.0.0/8 -j DROP
iptables -A INPUT -s 7.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 23.0.0.0/8 -j DROP
iptables -A INPUT -s 27.0.0.0/8 -j DROP
iptables -A INPUT -s 31.0.0.0/8 -j DROP
iptables -A INPUT -s 36.0.0.0/7 -j DROP
iptables -A INPUT -s 39.0.0.0/8 -j DROP
iptables -A INPUT -s 42.0.0.0/8 -j DROP
iptables -A INPUT -s 49.0.0.0/8 -j DROP
iptables -A INPUT -s 50.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/7 -j DROP
iptables -A INPUT -s 92.0.0.0/6 -j DROP
iptables -A INPUT -s 96.0.0.0/4 -j DROP
iptables -A INPUT -s 112.0.0.0/5 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 173.0.0.0/8 -j DROP
iptables -A INPUT -s 174.0.0.0/7 -j DROP
iptables -A INPUT -s 176.0.0.0/5 -j DROP
iptables -A INPUT -s 184.0.0.0/6 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 197.0.0.0/8 -j DROP
iptables -A INPUT -s 198.18.0.0/15 -j DROP
iptables -A INPUT -s 223.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP




# allow ONLY packets with the following protocols and port numbers to be sent out
$IPT -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport https -j ACCEPT
$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Synfloossmall
$IPT -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
#smalludpflood
$IPT -N udp-flood
$IPT -A OUTPUT -p udp -j udp-flood
$IPT -A udp-flood -p udp -m limit --limit 50/s -j RETURN
$IPT -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
$IPT -A udp-flood -j DROP
#rateofconnectionperport
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS --rsource
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 5 --name DDOS --rsource -j DROP
#blockip
#iptables -A INPUT -s (ip-here) -j DROP


# Drop all invalid packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP


# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
#$IPT -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
#$IPT -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
#$IPT -A INPUT -m recent --name portscan --remove
#$IPT -A FORWARD -m recent --name portscan --remove

# Allow loopback interface to do anything.
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
iptables -A FORWARD -m state --state INVALID -j DROP




#recursive DNS queries
iptables -A INPUT -p udp -m udp --dport 53 -i ! -j DROP

iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery --rsource

iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string "|0000FF0001|" -m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 1 -j DROP


iptables -A INPUT -m recent --name psc --update --seconds 60 -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 1433 -m recent --name psc --set -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 3306 -m recent --name psc --set -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 8086 -m recent --name psc --set -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 10000 -m recent --name psc --set -j DROP
iptables -A INPUT -s 99.99.99.99 -j DROP

# block all other udp
iptables -A OUTPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP

iptables -A INPUT -p udp -m udp --dport 1:20500 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 1:20500 -m state --state NEW -j LOG --log-prefix "UDPFLOOD" -m recent --set --name DEFAULT --rsource

# Allow traffic on OpenVPN udp port
iptables -A INPUT -i wlan0 -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -o wlan0 -p udp --dport 1194 -j ACCEPT

# Allow traffic in/out tun0
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

# Allow icmp in/out
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -o wlan0 -d 10.8.0.1/24 -j ACCEPT
iptables -A OUTPUT -o wlan0 -d 192.168.0.1/24 -j ACCEPT


#blockport
#iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0


iptables -A INPUT -p udp --dport 80 -j LOG


$IPT -N LOGGING
$IPT -A INPUT -j LOGGING
$IPT -A OUTPUT -j LOGGING
$IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
$IPT -A LOGGING -j DROP
$IPT -I INPUT -j LOG
$IPT -I FORWARD -j LOG
$IPT -I OUTPUT -j LOG
$IPT -t nat -I PREROUTING -j LOG
$IPT -t nat -I POSTROUTING -j LOG
$IPT -t nat -I OUTPUT -j LOG





echo Firewall configured.

Re: Allow openvpn on this Iptables config

Posted: Fri Mar 25, 2016 3:52 pm
by end
hi, i make it work with this. but is it other rules owerwrite with this. can someone help secure it better.


put bellow iptable -F

#Allow loopback device (internal communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow all local traffic.
iptables -A INPUT -s 192.168.0.14 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.14 -j ACCEPT
#Allow VPN establishment
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
#Accept all TUN connections (tun = VPN tunnel)

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Re: Allow openvpn on this Iptables config

Posted: Fri Mar 25, 2016 5:53 pm
by Traffic
While I can not help with iptables, please note:
end wrote:#Allow all local traffic.
iptables -A INPUT -s 192.168.0.14 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.14 -j ACCEPT
NOTE:
  • your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
:arrow: Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN :!:
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet. f.e 192.168.143.0/24

Re: Allow openvpn on this Iptables config

Posted: Sat Mar 26, 2016 1:59 am
by end
hi,
thanks for advice, i have experience in conflikt ip by fixing other pc...but probably never think that way when conflikt appears in this case....

my goal in this rule was if someone hack in my internal network and whant exploit thru my vpn that block him, beacouse only my ip is allowed.
maybe this not right way but my logic worked that way...
if someone have another opnion of cours i will apriciate help.

and sorry for bad english tiping im better in understanding than typing :)

i only whant make shure that this rules dont conflict and maybe inpruve it better...

i know this rule without vpn works beacouse i tested it with kali, but im sceptic in vpn rule so any help will help..

if someone have any questions about kali or debian or ubuntu i will do my best to help...

thanks people

Re: Allow openvpn on this Iptables config

Posted: Mon Mar 28, 2016 2:38 am
by end
hi, now i installed crypto dns and allow with this and this is working

this is put bellow input outpot and forward drop policy and working without this not working. but is it possible allow vpn like this to put bellow input outpot forward drop and then allow vpn...i wont first drop everything then allow vpn is it possible...

thanks for help


iptables -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...etc etc....

Re: Allow openvpn on this Iptables config

Posted: Tue Mar 29, 2016 2:36 am
by end
ok i get it... my script finaly looks like this and work with opnevpn, cryptodns over normal home router on debian...feel free to use it...

#!/bin/bash
IPT=/sbin/iptables

# flush all current rules
$IPT -F


$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

#Allow loopback device (internal communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
#Allow all local traffic.
iptables -A INPUT -s 192.168.0.14 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.14 -j ACCEPT
#Allow VPN establishment
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
#Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
# only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A OUTPUT -o wlan0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o wlan0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A OUTPUT -o tun0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o tun0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -p tcp --dport 25 -j DROP
iptables -A INPUT -s 127.0.0.1/8 -j DROP
iptables -A INPUT -j DROP
#xmasblock
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP


# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP


$IPT -A INPUT -p tcp -j LOG --log-prefix ' INPUT TCP ' --log-level 7

# We don't care about Milkosoft, Drop SMB/CIFS/etc..
iptables -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
iptables -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic
iptables -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
iptables -A OUTPUT -m state --state INVALID -j DROP

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
iptables -A FORWARD -m state --state INVALID -j DROP

# PORT Scanners (stealth also)
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
iptables -A SYN_FLOOD -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG

# Drop any traffic from IANA-reserved IPs.
#------------------------------------------------------------------------------

iptables -A INPUT -s 0.0.0.0/7 -j DROP
iptables -A INPUT -s 2.0.0.0/8 -j DROP
iptables -A INPUT -s 5.0.0.0/8 -j DROP
iptables -A INPUT -s 7.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 23.0.0.0/8 -j DROP
iptables -A INPUT -s 27.0.0.0/8 -j DROP
iptables -A INPUT -s 31.0.0.0/8 -j DROP
iptables -A INPUT -s 36.0.0.0/7 -j DROP
iptables -A INPUT -s 39.0.0.0/8 -j DROP
iptables -A INPUT -s 42.0.0.0/8 -j DROP
iptables -A INPUT -s 49.0.0.0/8 -j DROP
iptables -A INPUT -s 50.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/7 -j DROP
iptables -A INPUT -s 92.0.0.0/6 -j DROP
iptables -A INPUT -s 96.0.0.0/4 -j DROP
iptables -A INPUT -s 112.0.0.0/5 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 173.0.0.0/8 -j DROP
iptables -A INPUT -s 174.0.0.0/7 -j DROP
iptables -A INPUT -s 176.0.0.0/5 -j DROP
iptables -A INPUT -s 184.0.0.0/6 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 197.0.0.0/8 -j DROP
iptables -A INPUT -s 198.18.0.0/15 -j DROP
iptables -A INPUT -s 223.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP




# allow ONLY packets with the following protocols and port numbers to be sent out
$IPT -A OUTPUT -t filter -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -t filter -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -t filter -p udp --dport 443 -j ACCEPT
#block all other udp
iptables -A OUTPUT -p udp -j DROP
ip6tables -A OUTPUT -p udp -j DROP
iptables -A OUTPUT -j DROP
$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Synfloossmall
$IPT -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
#smalludpflood
$IPT -N udp-flood
$IPT -A OUTPUT -p udp -j udp-flood
$IPT -A udp-flood -p udp -m limit --limit 50/s -j RETURN
$IPT -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
$IPT -A udp-flood -j DROP
#rateofconnectionperport
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS --rsource
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 5 --name DDOS --rsource -j DROP
#blockip
#iptables -A INPUT -s (ip-here) -j DROP


# Drop all invalid packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP


# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
#$IPT -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
#$IPT -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
#$IPT -A INPUT -m recent --name portscan --remove
#$IPT -A FORWARD -m recent --name portscan --remove

# Allow loopback interface to do anything.
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
iptables -A FORWARD -m state --state INVALID -j DROP
#iptables -A INPUT -m iprange --src-range 74.125.229.164-74.125.229.174 -j DROP



#recursive DNS queries
iptables -A INPUT -p udp -m udp --dport 53 -i ! -j DROP

iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery --rsource

iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string "|0000FF0001|" -m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 1 -j DROP


iptables -A INPUT -m recent --name psc --update --seconds 60 -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 1433 -m recent --name psc --set -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 3306 -m recent --name psc --set -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 8086 -m recent --name psc --set -j DROP
iptables -A INPUT -i ! -m tcp -p tcp --dport 10000 -m recent --name psc --set -j DROP
iptables -A INPUT -s 99.99.99.99 -j DROP

# block all other udp
iptables -A OUTPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP

iptables -A INPUT -p udp -m udp --dport 1:20500 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 1:20500 -m state --state NEW -j LOG --log-prefix "UDPFLOOD" -m recent --set --name DEFAULT --rsource



#blockport
#iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0
#SCRIPT FOR BLOCKED IPFILE
for x in $(cat /home/xyz/bipo)
do
iptables -A INPUT -s $x -j DROP
echo dobro
done

#for x in $(cat /home/xyz/bdom)
#do
#iptables -A INPUT -s $x -j DROP
#iptables -A OUTPUT -d $x -j DROP
#echo dobro1
#done
iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

iptables -A INPUT -p udp --dport 80 -j LOG
$IPT -N LOGGING
$IPT -A INPUT -j LOGGING
$IPT -A OUTPUT -j LOGGING
$IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
$IPT -A LOGGING -j DROP
$IPT -I INPUT -j LOG
$IPT -I FORWARD -j LOG
$IPT -I OUTPUT -j LOG
$IPT -t nat -I PREROUTING -j LOG
$IPT -t nat -I POSTROUTING -j LOG
$IPT -t nat -I OUTPUT -j LOG
echo Firewall configured.

Re: Allow openvpn on this Iptables config

Posted: Tue Mar 29, 2016 11:23 am
by Traffic
end wrote:ok i get it... my script finaly looks like this and work with opnevpn, cryptodns over normal home router on debian...feel free to use it...
Thanks for letting us know your solution 8-)
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/