


Re: Perfect iptables for OpenVPN

From linux_forum1 <linux_forum1@protonmail.com>
Newsgroups linux.debian.maint.firewall
Subject Re: Perfect iptables for OpenVPN
Date Sun, 26 Dec 2021 14:50:01 +0100
Message-ID <DyC4p-14g-1@gated-at.bofh.it> (permalink)
References <Dyouu-1r3-3@gated-at.bofh.it> <DyBrH-QS-5@gated-at.bofh.it>
Reply-To linux_forum1 <linux_forum1@protonmail.com>
X-Mailing-List <debian-firewall@lists.debian.org> archive/latest/9559
List-ID <debian-firewall.lists.debian.org>
List-URL <https://lists.debian.org/debian-firewall/>
List-Archive https://lists.debian.org/msgid-search/z-C7mGv8p3Y-W3grJt_rPuwaDHbu_QRonqNCvpa2DH438QrygwEgpZRhtbn6w1DcZj4ftEaC6_CqWStVtbT2enVnEg0_UIPNc0FIwuQJ4eY=@protonmail.com
X-Original-Cc debian-firewall@lists.debian.org
X-Original-Date Sun, 26 Dec 2021 13:42:30 +0000
X-Original-Message-ID <z-C7mGv8p3Y-W3grJt_rPuwaDHbu_QRonqNCvpa2DH438QrygwEgpZRhtbn6w1DcZj4ftEaC6_CqWStVtbT2enVnEg0_UIPNc0FIwuQJ4eY=@protonmail.com>
X-Original-References <4jq_HOXOHcD2jq71IS2YzN83YsH_mEqbDznbSQAKHdr_EtsQsjq830QIej3PqSpYk4oeEyWDYgaC5lQpdHnRQrG9EGU0dyg07v02T_i8hrQ=@protonmail.com> <107d09b5-5ca6-b09e-f754-1ab8b0b64b15@t-online.de>




Hi Jörg, thanks for the reply!

Do you think those rules for the VPN connection are specific enough or could something else be added?

-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

All the guides only use these two rules:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT

I'm just worried that they use 192.168.1.0/24 because normally I see a lot of iptables blocking this IP range for security.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, December 26th, 2021 at 2:02 PM, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:

> Hello,
>
> I'm using nftables with wireguard and it runs perfectly.
>
> Don't forget the forward chain if your server runs as a router and you have a private network behind your firewall.
>
> openVPN is for me
>
> On 26.12.2021 at 00:09, linux_forum1 wrote:
>
>> Hello, I'm trying to make the most specific, secure and restrictive iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!
>>
>> VPN Server Port:1194
>>
>> VPN Server IP: 189.174.135.110
>>
>> -P INPUT DROP
>> -P FORWARD DROP
>> -P OUTPUT DROP
>>
>> #no fragmented packets
>> -A INPUT -f -j DROP
>> #localhost
>> -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
>> -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
>> -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
>> # first packet has to be TCP syn
>> -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>> #drop sop icmp
>> -A INPUT -p icmp --icmp-type address-mask-request -j DROP
>> -A INPUT -p icmp --icmp-type timestamp-request -j DROP
>> #Ping from inside to outside
>> -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
>> -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
>> #drop broadcast, multicast anycast
>> -A INPUT -m addrtype --dst-type BROADCAST -j DROP
>> -A INPUT -m addrtype --dst-type MULTICAST -j DROP
>> -A INPUT -m addrtype --dst-type ANYCAST -j DROP
>> -A INPUT -d 224.0.0.0/4 -j DROP
>> #drop invalid
>> -A INPUT -m state --state INVALID -j DROP
>> #drop spoofed packets
>> -A INPUT -s 0.0.0.0/8 -j DROP
>> -A INPUT -d 0.0.0.0/8 -j DROP
>> -A INPUT -d 239.255.255.0/24 -j DROP
>> -A INPUT -d 255.255.255.255 -j DROP
>> # DROP RFC1918 PACKETS
>> -A INPUT -s 10.0.0.0/8 -j DROP
>> -A INPUT -s 172.16.0.0/12 -j DROP
>> -A INPUT -s 192.168.0.0/16 -j DROP
>> #Allow VPN
>>
>> -A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>
>> -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

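The question in this post is whether the VPN rules are "specific enough" and whether the RFC1918 drops earlier in the chain interfere with a rule that mentions 192.168.1.0/24. iptables evaluates a chain top to bottom and stops at the first terminal target, so the practical check is: is any later rule fully covered by an earlier DROP/REJECT (or ACCEPT)? The following is an added example, not code from the thread or from any iptables tool: a small static checker that parses rules in the iptables-save syntax used above and reports rules that can never match, rules with no `-j` target, and the "- A" typo. The sample ruleset is a shortened copy of the rules posted in the thread plus two constructed lines (a LAN SSH rule placed after the RFC1918 drops, and a rule without a target); the function and field names are this example's own.

```python
"""Static checks for an iptables ruleset (iptables-save / iptables-restore syntax).

Added example for this thread, not the poster's code. It flags:
  * rules that can never match because an earlier terminal rule in the same
    chain already covers every packet they could see,
  * rules with no -j target (they only count packets),
  * the '- A CHAIN' typo (iptables rejects the lone '-').
"""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def port_range(text):
    """'22' -> (22, 22); '32768:65535' -> (32768, 65535); '1024:' -> (1024, 65535)."""
    lo, sep, hi = text.partition(":")
    if not sep:
        return int(lo), int(lo)
    return int(lo or 0), int(hi or 65535)


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into the matchers this checker models.

    Returns None for '-P' lines. Matchers it does not model (-f, --syn,
    --icmp-type, addrtype ...) mark the rule 'opaque': it is then never used
    as the covering rule. A negation ('!') additionally excludes the rule from
    the reachability check altogether, because its match set is unknown.
    """
    toks = shlex.split(line)
    if not toks or toks[0] == "-P":
        return None
    rule = {"target": None, "opaque": False, "negated": False, "error": None}
    if toks[0] == "-" and len(toks) > 1:  # "- A INPUT" as posted in the thread
        rule["error"] = "malformed option '- %s' (should be -%s)" % (toks[1], toks[1])
        return rule
    i = 0
    while i < len(toks):
        t = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t in ("-A", "-I"):
            rule["chain"] = arg; i += 2
        elif t == "-i":
            rule["in"] = arg; i += 2
        elif t == "-o":
            rule["out"] = arg; i += 2
        elif t == "-p":
            rule["proto"] = arg; i += 2
        elif t in ("-s", "-d"):
            rule["src" if t == "-s" else "dst"] = ipaddress.ip_network(arg, strict=False); i += 2
        elif t in ("--sport", "--dport"):
            rule[t[2:]] = port_range(arg); i += 2
        elif t in ("--ctstate", "--state"):
            rule["state"] = frozenset(arg.split(",")); i += 2
        elif t == "-j":
            rule["target"] = arg; i += 2
        elif t == "-m":  # the matcher's own options are handled by the branches above
            i += 2
        elif t == "!":
            rule["negated"] = rule["opaque"] = True; i += 1
        else:  # -f, --syn, --icmp-type X, --dst-type X, ...: not modelled
            rule["opaque"] = True; i += 1
    if "chain" not in rule:
        rule["error"] = "no -A/-I chain"
    return rule


def covers(a, b):
    """True if every packet matched by b is also matched by a (a is the earlier rule)."""
    if a.get("chain") != b.get("chain") or a["opaque"]:
        return False
    for k in ("in", "out", "proto"):  # exact-match fields
        if k in a and a[k] != b.get(k):
            return False
    for k in ("src", "dst"):  # b's network must lie inside a's
        if k in a and (k not in b or b[k].version != a[k].version or not b[k].subnet_of(a[k])):
            return False
    for k in ("sport", "dport"):  # b's port range must lie inside a's
        if k in a and (k not in b or b[k][0] < a[k][0] or b[k][1] > a[k][1]):
            return False
    if "state" in a and ("state" not in b or not b["state"] <= a["state"]):
        return False
    return True


def lint(ruleset):
    """Return a list of (kind, line_number, detail) findings for a ruleset string."""
    findings, seen = [], []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["error"]:
            findings.append(("syntax", lineno, rule["error"]))
            continue
        if rule["target"] is None:
            findings.append(("no_target", lineno, "rule has no -j target, it only counts packets"))
        if not rule["negated"]:
            for prev_no, prev in seen:
                if prev["target"] in TERMINAL and covers(prev, rule):
                    findings.append(("unreachable", lineno,
                                     "never matches: covered by %s on line %d" % (prev["target"], prev_no)))
                    break
        seen.append((lineno, rule))
    return findings


# Constructed sample: the thread's rules (shortened), then two constructed lines.
SAMPLE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -f -j DROP
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
- A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194
"""

if __name__ == "__main__":
    for kind, lineno, detail in lint(SAMPLE):
        print("line %2d  %-11s %s" % (lineno, kind, detail))
```

On the sample this reports four things: the 239.255.255.0/24 drop is redundant with the earlier 224.0.0.0/4 drop; the "- A" line would be rejected by iptables-restore; the constructed LAN SSH rule (line 18) is dead because `-s 192.168.0.0/16 -j DROP` above it covers it; and the last rule has no target. The posted VPN INPUT rule is not affected by the RFC1918 drops, because those match on source while the VPN rule constrains the source to the server's address and only the destination to 192.168.1.0/24; the checker confirms that by not flagging it once the "- A" typo is fixed. The checker is deliberately conservative: any rule using a matcher it does not model is never assumed to shadow a later one, so it can miss dead rules but should not report a live one as dead.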


Thread

Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 00:20 +0100
  Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 14:10 +0100
    Re: Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 14:50 +0100
      Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 16:30 +0100
