
Re: Perfect iptables for OpenVPN

From Jörg Jellissen <joerg.jellissen@t-online.de>
Newsgroups linux.debian.maint.firewall
Subject Re: Perfect iptables for OpenVPN
Date 2021-12-26 14:10 +0100
Message-ID <DyBrH-QS-5@gated-at.bofh.it> (permalink)
References <Dyouu-1r3-3@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hello,

I'm using nftables with wireguard and it runs perfectly.

Don't forget the forward chain if your server runs as a router and you 
have a private network behind your firewall.




openVPN is for me

On 26.12.2021 at 00:09, linux_forum1 wrote:
> Hello, I'm trying to make the most specific, secure and restrictive 
> iptables possible for a simple VPN connection on Debian. Could you 
> have a quick look if those are OK? Thanks so much!
>
> VPN Server Port:1194
>
> VPN Server IP: 189.174.135.110
>
>
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP
>
> #no fragmented packets
> -A INPUT -f -j DROP
> #localhost
> -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
> -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
> -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
> # first packet has to be TCP syn
> -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> #drop sop icmp
> -A INPUT -p icmp --icmp-type address-mask-request -j DROP
> -A INPUT -p icmp --icmp-type timestamp-request -j DROP
> #Ping from inside to outside
> -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
> -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
> #drop broadcast, multicast anycast
> -A INPUT -m addrtype --dst-type BROADCAST -j DROP
> -A INPUT -m addrtype --dst-type MULTICAST -j DROP
> -A INPUT -m addrtype --dst-type ANYCAST -j DROP
> -A INPUT -d 224.0.0.0/4 -j DROP
> #drop invalid
> -A INPUT -m state --state INVALID -j DROP
> #drop spoofed packets
> -A INPUT -s 0.0.0.0/8 -j DROP
> -A INPUT -d 0.0.0.0/8 -j DROP
> -A INPUT -d 239.255.255.0/24 -j DROP
> -A INPUT -d 255.255.255.255 -j DROP
> # DROP RFC1918 PACKETS
> -A INPUT -s 10.0.0.0/8 -j DROP
> -A INPUT -s 172.16.0.0/12 -j DROP
> -A INPUT -s 192.168.0.0/16 -j DROP
> #Allow VPN
>
> -A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>
> -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
>
>
>



Thread

Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 00:20 +0100
  Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 14:10 +0100
    Re: Perfect iptables for OpenVPN linux_forum1 <linux_forum1@protonmail.com> - 2021-12-26 14:50 +0100
      Re: Perfect iptables for OpenVPN Jörg Jellissen <joerg.jellissen@t-online.de> - 2021-12-26 16:30 +0100
