| Header | Value |
|---|---|
| From | Jörg Jellissen <joerg.jellissen@t-online.de> |
| Newsgroups | linux.debian.maint.firewall |
| Subject | Re: Perfect iptables for OpenVPN |
| Date | Sun, 26 Dec 2021 14:10:01 +0100 |
| Message-ID | <DyBrH-QS-5@gated-at.bofh.it> (permalink) |
| References | <Dyouu-1r3-3@gated-at.bofh.it> |
| List-ID | <debian-firewall.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-firewall/> |
| List-Archive | https://lists.debian.org/msgid-search/107d09b5-5ca6-b09e-f754-1ab8b0b64b15@t-online.de |
| X-Original-Date | Sun, 26 Dec 2021 14:02:19 +0100 |
| X-Original-Message-ID | <107d09b5-5ca6-b09e-f754-1ab8b0b64b15@t-online.de> |
| X-Original-References | <4jq_HOXOHcD2jq71IS2YzN83YsH_mEqbDznbSQAKHdr_EtsQsjq830QIej3PqSpYk4oeEyWDYgaC5lQpdHnRQrG9EGU0dyg07v02T_i8hrQ=@protonmail.com> |
Hello,

I'm using nftables with wireguard and it runs perfectly. Don't forget the forward chain if your server runs as a router and you have a private network behind your firewall.

openVPN is for me

On 26.12.2021 at 00:09, linux_forum1 wrote:
> Hello, I'm trying to make the most specific, secure and restrictive
> iptables possible for a simple VPN connection on Debian. Could you
> have a quick look if those are OK? Thanks so much!
>
> VPN Server Port: 1194
> VPN Server IP: 189.174.135.110
>
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP
>
> #no fragmented packets
> -A INPUT -f -j DROP
> #localhost
> -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
> -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
> -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
> # first packet has to be TCP syn
> -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> #drop sop icmp
> -A INPUT -p icmp --icmp-type address-mask-request -j DROP
> -A INPUT -p icmp --icmp-type timestamp-request -j DROP
> #Ping from inside to outside
> -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
> -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
> #drop broadcast, multicast anycast
> -A INPUT -m addrtype --dst-type BROADCAST -j DROP
> -A INPUT -m addrtype --dst-type MULTICAST -j DROP
> -A INPUT -m addrtype --dst-type ANYCAST -j DROP
> -A INPUT -d 224.0.0.0/4 -j DROP
> #drop invalid
> -A INPUT -m state --state INVALID -j DROP
> #drop spoofed packets
> -A INPUT -s 0.0.0.0/8 -j DROP
> -A INPUT -d 0.0.0.0/8 -j DROP
> -A INPUT -d 239.255.255.0/24 -j DROP
> -A INPUT -d 255.255.255.255 -j DROP
> # DROP RFC1918 PACKETS
> -A INPUT -s 10.0.0.0/8 -j DROP
> -A INPUT -s 172.16.0.0/12 -j DROP
> -A INPUT -s 192.168.0.0/16 -j DROP
> #Allow VPN
> -A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
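As an added example (not code from this thread or from either poster), a small Python checker that parses an iptables-restore style rule list like the one quoted above and reports the points the reply raises: the default policies, whether the FORWARD chain has any rules at all (needed once the box routes for a private network), loopback, and whether the INPUT reply rule and the OUTPUT rule for the VPN port name the same peer. The embedded ruleset is a constructed, trimmed copy of the quoted rules; the interface, peer and port values are the ones from the post.

```python
import shlex
# Constructed sample: the poster's client ruleset, trimmed to the lines the checks look at.
SAMPLE_RULES = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""
def parse_rules(text):
    """Parse iptables-restore style lines into (chain -> policy, list of rule dicts)."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)  # drops blank lines and '#' comments
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":  # catches typos such as '- A INPUT ...'
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rule, i, negate = {"chain": toks[1]}, 2, False
        while i < len(toks):
            if toks[i] == "!":  # '!' negates the next match option, e.g. '! -i lo'
                negate, i = True, i + 1
                continue
            key = ("!" if negate else "") + toks[i].lstrip("-")
            has_arg = i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!"))
            rule[key], negate = (toks[i + 1] if has_arg else True), False
            i += 2 if has_arg else 1
        rules.append(rule)
    return policies, rules

def check(policies, rules, vpn_port="1194"):
    """Findings on default policies, the FORWARD chain, loopback and the VPN rule pair."""
    findings = [f"{c}: default policy is {policies.get(c)}, not DROP"
                for c in ("INPUT", "FORWARD", "OUTPUT") if policies.get(c) != "DROP"]
    if policies.get("FORWARD") == "DROP" and not any(r["chain"] == "FORWARD" for r in rules):
        findings.append("FORWARD: policy DROP with no rules; a router for a private network needs FORWARD rules")
    vpn_in = [r for r in rules if r["chain"] == "INPUT" and r.get("sport") == vpn_port]
    vpn_out = [r for r in rules if r["chain"] == "OUTPUT" and r.get("dport") == vpn_port]
    if not (vpn_in and vpn_out):
        findings.append(f"VPN: no matching INPUT/OUTPUT rule pair for port {vpn_port}")
    elif vpn_in[0].get("s") != vpn_out[0].get("d"):
        findings.append("VPN: INPUT peer address differs from OUTPUT peer address")
    if not any(r["chain"] == "INPUT" and r.get("i") == "lo" and r.get("j") == "ACCEPT" for r in rules):
        findings.append("INPUT: no ACCEPT rule for loopback")
    return findings
```

Run `check(*parse_rules(SAMPLE_RULES))` to get the findings for the sample; on the quoted ruleset as posted, the `- A INPUT` line would be rejected by the parser before any check runs.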
Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 00:20 +0100
Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 14:10 +0100
Re: Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 14:50 +0100
Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 16:30 +0100