| From | linux_forum1 <linux_forum1@protonmail.com> |
|---|---|
| Newsgroups | linux.debian.maint.firewall |
| Subject | Re: Perfect iptables for OpenVPN |
| Date | 2021-12-26 14:50 +0100 |
| Message-ID | <DyC4p-14g-1@gated-at.bofh.it> |
| References | <Dyouu-1r3-3@gated-at.bofh.it> <DyBrH-QS-5@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Hi Jörg, thanks for the reply! Do you think those rules for the VPN connection are specific enough, or could something else be added?

-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

All the guides only use these two rules:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT

I'm just worried that they use 192.168.1.0/24, because normally I see a lot of iptables rulesets blocking this IP range for security.

------- Original Message -------
On Sunday, December 26th, 2021 at 2:02 PM, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:

> Hello,
>
> I'm using nftables with wireguard and it runs perfectly.
>
> Don't forget the forward chain if your server runs as a router and you have a private network behind your firewall.
>
> openVPN is for me
>
> On 26.12.2021 at 00:09, linux_forum1 wrote:
>
>> Hello, I'm trying to make the most specific, secure and restrictive iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!
>>
>> VPN Server Port: 1194
>>
>> VPN Server IP: 189.174.135.110
>>
>> -P INPUT DROP
>> -P FORWARD DROP
>> -P OUTPUT DROP
>>
>> #no fragmented packets
>> -A INPUT -f -j DROP
>> #localhost
>> -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
>> -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
>> -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
>> # first packet has to be TCP syn
>> -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>> #drop some icmp
>> -A INPUT -p icmp --icmp-type address-mask-request -j DROP
>> -A INPUT -p icmp --icmp-type timestamp-request -j DROP
>> #Ping from inside to outside
>> -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
>> -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
>> #drop broadcast, multicast, anycast
>> -A INPUT -m addrtype --dst-type BROADCAST -j DROP
>> -A INPUT -m addrtype --dst-type MULTICAST -j DROP
>> -A INPUT -m addrtype --dst-type ANYCAST -j DROP
>> -A INPUT -d 224.0.0.0/4 -j DROP
>> #drop invalid
>> -A INPUT -m state --state INVALID -j DROP
>> #drop spoofed packets
>> -A INPUT -s 0.0.0.0/8 -j DROP
>> -A INPUT -d 0.0.0.0/8 -j DROP
>> -A INPUT -d 239.255.255.0/24 -j DROP
>> -A INPUT -d 255.255.255.255 -j DROP
>> # DROP RFC1918 PACKETS
>> -A INPUT -s 10.0.0.0/8 -j DROP
>> -A INPUT -s 172.16.0.0/12 -j DROP
>> -A INPUT -s 192.168.0.0/16 -j DROP
>> #Allow VPN
>>
>> -A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>
>> -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
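Added example (editor's, not part of the thread and not code by either poster): an offline first-match simulator for the subset of iptables syntax used in the ruleset above, so the effect of rule order can be checked before anything is loaded into a kernel. It supports -P, -A, -i/-o with an optional "!", -p, -s, -d, --sport, --dport, --ctstate/--state and -j; the "-f", ICMP-type and addrtype rules are out of scope here. The embedded ruleset is the poster's own rules restricted to that subset and kept in the posted order; the packets, the interface name tun0, the tunnel address 10.8.0.2 and the names Packet, parse_ruleset, verdict and evaluate_cases are all constructed for this example. Two things it surfaces: the "-s 192.168.0.0/16 -j DROP" rule sits before the VPN rule and therefore also drops packets from genuine 192.168.1.x neighbours, and nothing in the posted set permits traffic over the tunnel interface once OpenVPN is up.

```python
# Added example (editor's, not from the thread): offline first-match simulator
# for a small iptables subset. Supported: -P, -A, -i/-o (optional "!"), -p,
# -s, -d, --sport, --dport, --ctstate/--state, -j; "-m <module>" is skipped.
import ipaddress
import shlex
from dataclasses import dataclass

@dataclass
class Packet:
    chain: str     # INPUT or OUTPUT
    proto: str     # "udp" / "tcp"
    src: str
    dst: str
    sport: int
    dport: int
    iface: str     # the -i interface for INPUT, the -o interface for OUTPUT
    ctstate: str   # the state conntrack would assign (NEW, ESTABLISHED, ...)

OPTS = {"-i": "iface", "-o": "iface", "-p": "proto", "-s": "src", "-d": "dst",
        "--sport": "sport", "--dport": "dport", "--ctstate": "state", "--state": "state"}

def parse_ruleset(text):
    """Return ({chain: policy}, [(chain, {key: (negated, value)}, target), ...])."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line.split("#", 1)[0])
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        chain, match, target, negate, i = toks[1], {}, None, False, 2
        while i < len(toks):
            t = toks[i]
            if t == "!":
                negate, i = True, i + 1
                continue
            if t == "-m":              # match-module selector; its options follow
                i += 2
                continue
            if t == "-j":
                target, i = toks[i + 1], i + 2
                continue
            key, val = OPTS[t], toks[i + 1]
            if key in ("src", "dst"):
                val = ipaddress.ip_network(val, strict=False)
            elif key in ("sport", "dport"):
                lo, _, hi = val.partition(":")
                val = (int(lo), int(hi or lo))
            elif key == "state":
                val = set(val.split(","))
            match[key] = (negate, val)
            negate, i = False, i + 2
        rules.append((chain, match, target))
    return policies, rules

def _matches(match, pkt):
    for key, (negate, want) in match.items():
        if key in ("src", "dst"):
            hit = ipaddress.ip_address(getattr(pkt, key)) in want
        elif key in ("sport", "dport"):
            hit = want[0] <= getattr(pkt, key) <= want[1]
        elif key == "state":
            hit = pkt.ctstate in want
        else:                          # iface, proto: plain string compare
            hit = getattr(pkt, key) == want
        if hit == negate:              # criterion failed (or a "!" criterion hit)
            return False
    return True

def verdict(policies, rules, pkt):
    """First rule in the packet's chain with a terminating target wins, else the policy."""
    for chain, match, target in rules:
        if chain == pkt.chain and target in ("ACCEPT", "DROP", "REJECT") and _matches(match, pkt):
            return target
    return policies.get(pkt.chain, "ACCEPT")

# Constructed: the poster's rules limited to the supported subset, posted order kept.
RULESET = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""

# Constructed packets for the cases the thread is about (tun0 / 10.8.0.2 are assumptions).
CASES = {
    "vpn reply, established":  Packet("INPUT", "udp", "189.174.135.110", "192.168.1.10", 1194, 45000, "eth0", "ESTABLISHED"),
    "vpn reply, unsolicited":  Packet("INPUT", "udp", "189.174.135.110", "192.168.1.10", 1194, 45000, "eth0", "NEW"),
    "from 192.168.1.x neighbour": Packet("INPUT", "udp", "192.168.1.20", "192.168.1.10", 1194, 45000, "eth0", "ESTABLISHED"),
    "loopback spoof on eth0":  Packet("INPUT", "tcp", "127.0.0.5", "127.0.0.1", 40000, 22, "eth0", "NEW"),
    "real loopback":           Packet("INPUT", "tcp", "127.0.0.1", "127.0.0.1", 40000, 22, "lo", "NEW"),
    "client to vpn server":    Packet("OUTPUT", "udp", "192.168.1.10", "189.174.135.110", 45000, 1194, "eth0", "NEW"),
    "traffic inside tunnel":   Packet("OUTPUT", "tcp", "10.8.0.2", "1.1.1.1", 45000, 443, "tun0", "NEW"),
}

def evaluate_cases(ruleset=RULESET, cases=CASES):
    policies, rules = parse_ruleset(ruleset)
    return {name: verdict(policies, rules, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, v in evaluate_cases().items():
        print(f"{v:6} {name}")
```

The simulator only models what the parser understands, so a real ruleset should still be checked with `iptables-restore --test` and a packet capture; its value is in making the first-match ordering explicit, which is where most "why is my VPN reply dropped" questions come from.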
Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 00:20 +0100
Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 14:10 +0100
Re: Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 14:50 +0100
Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 16:30 +0100