How to achieve these firewall settings with OpenVPN?

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

houmie75
OpenVPN Power User
Posts: 72
Joined: Wed Jul 22, 2020 7:46 pm

How to achieve these firewall settings with OpenVPN?

Post by houmie75 » Fri Aug 07, 2020 12:50 pm

Hello everyone,

Is there a way to prevent NetScans from being run while connected to OpenVPN?
For IKEv2 I have the following firewall settings, which disallow a NetScan by reducing the requests per second to 5 (making it too slow to be useful or be detected by the provider).

Code:

iptables -N PRIVATE_ADDRS_FILTER
iptables -N OUTGOING
iptables -A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTGOING -j PRIVATE_ADDRS_FILTER
iptables -A OUTGOING -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCANv4 --hashlimit-upto 5/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 32 -j ACCEPT
iptables -A PRIVATE_ADDRS_FILTER -d 10.0.0.0/8 -j DROP
iptables -A PRIVATE_ADDRS_FILTER -d 172.16.0.0/12 -j DROP
iptables -A PRIVATE_ADDRS_FILTER -d 192.168.0.0/16 -j DROP

In IKEv2 I would do this to forward the IPsec traffic to the OUTGOING section that I created earlier.

Code:

iptables -A FORWARD -m policy --pol ipsec --dir in -j OUTGOING

But how could I achieve this in OpenVPN? IPsec is built into the kernel and iptables is an interface to kernel functionality, whereas OpenVPN is userspace only. :roll:

Could I achieve the same thing in OpenVPN by doing this: (although this sends all packets to OUTGOING and not just the VPN packets)

Code:

iptables -A FORWARD -m policy --pol none --dir in -j OUTGOING

Many Thanks,

houmie75
OpenVPN Power User
Posts: 72
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to achieve these firewall settings with OpenVPN?

Post by houmie75 » Fri Aug 07, 2020 1:45 pm

Actually I believe this is the forwarding part that I need to pass on from ACCEPT to OUTGOING:

Code:

iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT

But is it from eth0 to tun0 that I have to forward to OUTGOING, or tun0 to eth0?
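The following script is an added example, not code from either post and not OpenVPN project code. It builds the PRIVATE_ADDRS_FILTER and OUTGOING chains exactly as posted in the first message and attaches them to an OpenVPN server the way the "-m policy --pol ipsec --dir in" rule did for IKEv2. That IPsec rule matched packets that had just been decrypted, i.e. traffic originated by VPN clients; with OpenVPN the daemon decrypts in userspace and injects those packets through the tun device, so the direction the second post asks about is the "-i tun0 -o eth0" one. Two things differ from the posted rules: the OUTGOING chain as posted has no final rule, so a NEW connection that exceeds the hashlimit simply returns to FORWARD and is decided by whatever rule or policy follows, which is why the example ends the chain with an explicit DROP; and the return path (eth0 to tun0) is limited to RELATED,ESTABLISHED instead of a bare ACCEPT. The interface names tun0 and eth0, the IPT variable and the "apply" argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: rate-limit new connections from OpenVPN clients with the
# OUTGOING chain from the thread, attached to the tun interface instead of
# the IPsec policy match. Interface names and defaults are assumptions.
set -eu

VPN_IF="${VPN_IF:-tun0}"   # OpenVPN server interface (assumed name)
WAN_IF="${WAN_IF:-eth0}"   # upstream interface (assumed name)
RATE="${RATE:-5/sec}"      # same limit as the posted rule
BURST="${BURST:-5}"
IPT="${IPT:-iptables}"     # override with a shell function to dry-run

# Chains exactly as posted, plus a terminal DROP so that traffic above the
# limit cannot fall through to a permissive FORWARD policy.
build_chains() {
    $IPT -N PRIVATE_ADDRS_FILTER
    $IPT -A PRIVATE_ADDRS_FILTER -d 10.0.0.0/8 -j DROP
    $IPT -A PRIVATE_ADDRS_FILTER -d 172.16.0.0/12 -j DROP
    $IPT -A PRIVATE_ADDRS_FILTER -d 192.168.0.0/16 -j DROP

    $IPT -N OUTGOING
    # Packets belonging to flows already accepted are not counted again.
    $IPT -A OUTGOING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTGOING -j PRIVATE_ADDRS_FILTER
    # One hashlimit bucket per client source address (/32).
    $IPT -A OUTGOING -m conntrack --ctstate NEW -m hashlimit \
        --hashlimit-name NETSCANv4 --hashlimit-upto "$RATE" \
        --hashlimit-burst "$BURST" --hashlimit-mode srcip \
        --hashlimit-srcmask 32 -j ACCEPT
    # Anything left is a NEW connection over the rate: drop it here.
    $IPT -A OUTGOING -j DROP
}

# OpenVPN equivalent of "-m policy --pol ipsec --dir in -j OUTGOING":
# client traffic enters the kernel on the tun device and leaves on eth0.
attach_to_openvpn() {
    $IPT -I FORWARD 1 -i "$VPN_IF" -o "$WAN_IF" -j OUTGOING
    # Replies towards the clients only need to be part of an accepted flow.
    $IPT -I FORWARD 2 -i "$WAN_IF" -o "$VPN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Run as "sh script.sh apply" on the VPN server (needs root and a FORWARD
# chain that does not already contain these chains).
if [ "${1:-}" = "apply" ]; then
    build_chains
    attach_to_openvpn
fi
```

To review the generated rules without touching the running firewall, define a shell function that echoes its arguments and point IPT at it (e.g. `fake_ipt() { printf '%s ' "$@"; echo; }; IPT=fake_ipt build_chains`); the functions expand IPT at call time, so the same script serves as a dry run and as the real installer.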
