iptables config for Openvpn
Posted: Mon Jan 31, 2011 9:13 am
by timmyw
Hi, currently I have to stop iptables to allow my VPN connections to connect; after that, iptables can be run fine.
Can someone please share their iptables config? It would be very helpful to see.
My server config:
Code:
route 192.168.1.0 255.255.255.0
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Re: iptables config for Openvpn
Posted: Mon Jan 31, 2011 10:39 am
by maikcat
hi there,
please post the iptables -L output (with the firewall enabled).
cheers,
michael
Re: iptables config for Openvpn
Posted: Mon Jan 31, 2011 7:02 pm
by timmyw
Hey maikcat, as requested...
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:jpegmpeg
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:openvpn
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Sorry this was left out; it's all a bit of a mess and I was hoping there would be a simple list of chains to add.
many thanks,
tim
Re: iptables config for Openvpn
Posted: Tue Feb 01, 2011 7:28 am
by maikcat
good day,
With a quick look, try adding the openvpn rule
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
INSIDE the RH-Firewall-1-INPUT chain and see if this helps.
cheers,
michael
Re: iptables config for Openvpn
Posted: Wed Feb 02, 2011 8:23 am
by timmyw
Great! So obvious now that that was the issue. For anyone else finding this thread, here is my config for just the openvpn section of iptables...
Code:
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m udp -p udp --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
many thanks, michael
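To make the ordering problem behind this thread visible, here is an added example (not code from the thread or from any of its posters): a small POSIX sh/awk tracer that follows a NEW UDP packet through a ruleset written in iptables-save / `iptables -S` form, including the jump into RH-Firewall-1-INPUT. The two rulesets are constructed to mirror the chains shown above; the function name trace_udp and the interface eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Traces a NEW UDP packet arriving on eth0
# for the OpenVPN port through a ruleset in iptables-save / `iptables -S` form,
# following jumps into user chains. It shows why an ACCEPT appended to INPUT
# after the jump to RH-Firewall-1-INPUT is never reached: that chain ends in an
# unconditional REJECT. Matching is simplified to -i, -p, --dport and --state.
# usage: trace_udp <start-chain> <in-iface> <dport>   (rules on stdin)
trace_udp() {
  awk -v start="$1" -v iface="$2" -v dport="$3" '
    # walk a chain in order; recurse into user chains, fall through on RETURN
    function walk(chain,   i, k, t, f, ok, tg, res) {
      for (i = 1; i <= n[chain]; i++) {
        t = split(rule[chain, i], f, " "); ok = 1; tg = ""
        for (k = 3; k < t; k++) {       # unknown options are ignored
          if (f[k] == "-j") tg = f[k+1]
          else if (f[k] == "-i" && f[k+1] != iface) ok = 0
          else if (f[k] == "-p" && f[k+1] != "udp") ok = 0
          else if (f[k] == "--dport" && f[k+1] != dport) ok = 0
          else if (f[k] == "--state" && f[k+1] !~ /NEW/) ok = 0
        }
        if (!ok) continue
        if (tg == "ACCEPT" || tg == "REJECT" || tg == "DROP")
          return tg " in " chain " rule " i
        if (tg == "RETURN") return ""
        if (tg != "") { res = walk(tg); if (res != "") return res }
      }
      return ""
    }
    $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0 }
    END { r = walk(start); print (r == "" ? ("policy of " start) : r) }'
}
# Constructed rulesets mirroring the thread: ACCEPT appended to INPUT (broken)
# versus the same ACCEPT placed inside RH-Firewall-1-INPUT before its REJECT.
BROKEN='-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
FIXED='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m udp -p udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
printf '%s\n' "$BROKEN" | trace_udp INPUT eth0 1194  # REJECT in RH-Firewall-1-INPUT rule 4
printf '%s\n' "$FIXED"  | trace_udp INPUT eth0 1194  # ACCEPT in RH-Firewall-1-INPUT rule 3
```

The same tracer run against the real output of `iptables -S` on the server would show where a live packet stops, which is quicker than reading `iptables -L` by eye.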