
Re: Perfect iptables for OpenVPN



Hi,

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194

You don't have to use the udp module, because you have already specified the protocol udp in your rule.
So this is not needed.

On 26.12.2021 at 14:42, linux_forum1 wrote:
Hi Jörg, thanks for the reply!

Do you think those rules for the VPN connection are specific enough or could something else be added?

-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

All the guides only use these two rules:


I'm just worried that they use 192.168.1.0/24, because normally I see a lot of iptables rulesets blocking this IP range for security.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, December 26th, 2021 at 2:02 PM, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:

Hello,

I'm using nftables with wireguard and it runs perfectly.

Don't forget the forward chain if your server runs as a router and you have a private network behind your firewall.




openVPN is for me

On 26.12.2021 at 00:09, linux_forum1 wrote:
Hello, I'm trying to make the most specific, secure and restrictive iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!

VPN Server Port:1194

VPN Server IP: 189.174.135.110


-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

#no fragmented packets
-A INPUT -f -j DROP
#localhost
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# first packet has to be TCP syn
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#drop sop icmp
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
#Ping from inside to outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#drop broadcast, multicast anycast
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
#drop invalid
-A INPUT -m state --state INVALID -j DROP
#drop spoofed packets
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# DROP RFC1918 PACKETS
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
#Allow VPN

-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT



-- 
Mit freundlichen Grüßen

Jörg Jellissen
Friesenstraße 3
47445 Moers

Mobil: (01573) / 5 34 42 18
Fax: (02841) / 4 08 62 77

E-Mail: joerg.jellissen@t-online.de
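Added example, not part of the thread above: a small Python evaluator for the subset of iptables matches the posted client ruleset uses (-i/-o, -p, -s/-d, source and destination ports, conntrack state), walked top to bottom the way netfilter does, first match wins, otherwise the chain policy applies. It is run against constructed packets for a client at 192.168.1.20 behind eth0 talking to the server address and port from the thread. The ICMP, addrtype and fragment rules are left out because the evaluator does not model them. The tunnel interface name tun0, the 10.8.0.0/24 tunnel pool and the destination 203.0.113.5 are assumptions, not values from the thread; they are there to show that with only the two eth0 rules and OUTPUT DROP, nothing sent through the established tunnel is allowed out until rules for the tun interface are added.

```python
import ipaddress
import shlex

# Constructed subset of the ruleset posted in the thread (only the matches this
# evaluator understands; ICMP, addrtype and fragment rules are omitted).
POSTED_RULES = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -p udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""

# Assumed (not from the thread): rules for OpenVPN's default tun0 interface.
TUNNEL_RULES = """
-A OUTPUT -o tun0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
"""

OPTIONS_WITH_ARG = {"-A", "-i", "-o", "-p", "-s", "-d", "--sport", "--dport", "-j"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match criteria."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        opt = toks[i]
        if opt in ("--ctstate", "--state"):
            rule["ct"] = set(toks[i + 1].split(","))
        elif opt == "-m":
            pass  # module name only; its options are parsed like any other
        elif opt in OPTIONS_WITH_ARG:
            rule[opt] = toks[i + 1]
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    return rule


def port_in(spec, port):
    """Match a single port ('1194') or an iptables range ('32768:65535')."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    checks = [
        ("-i", lambda v: pkt.get("in") == v),
        ("-o", lambda v: pkt.get("out") == v),
        ("-p", lambda v: pkt["proto"] == v),
        ("-s", lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False)),
        ("-d", lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False)),
        ("--sport", lambda v: pkt.get("sport") is not None and port_in(v, pkt["sport"])),
        ("--dport", lambda v: pkt.get("dport") is not None and port_in(v, pkt["dport"])),
        ("ct", lambda v: pkt["ct"] in v),
    ]
    return all(test(rule[key]) for key, test in checks if key in rule)


def evaluate(ruleset, chain, pkt):
    """First matching rule in CHAIN decides; otherwise the chain policy.
    Returns (verdict, rule text or policy description)."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if toks[0] == "-P":
            if toks[1] == chain:
                policy = toks[2]
            continue
        rule = parse_rule(line)
        if rule["-A"] == chain and rule_matches(rule, pkt):
            return rule["-j"], line
    return policy, f"policy {chain} {policy}"


# Constructed packets: client 192.168.1.20 behind eth0, tunnel address 10.8.0.2 (assumed).
PACKETS = {
    "handshake_out": {"out": "eth0", "proto": "udp", "src": "192.168.1.20",
                      "dst": "189.174.135.110", "sport": 40000, "dport": 1194, "ct": "NEW"},
    "server_reply": {"in": "eth0", "proto": "udp", "src": "189.174.135.110",
                     "dst": "192.168.1.20", "sport": 1194, "dport": 40000, "ct": "ESTABLISHED"},
    "unsolicited_from_server": {"in": "eth0", "proto": "udp", "src": "189.174.135.110",
                                "dst": "192.168.1.20", "sport": 1194, "dport": 40000, "ct": "NEW"},
    "lan_spoof": {"in": "eth0", "proto": "udp", "src": "192.168.1.1",
                  "dst": "192.168.1.20", "sport": 1194, "dport": 40000, "ct": "ESTABLISHED"},
    "https_via_tunnel": {"out": "tun0", "proto": "tcp", "src": "10.8.0.2",
                         "dst": "203.0.113.5", "sport": 50000, "dport": 443, "ct": "NEW"},
}


def verdicts(ruleset):
    """Verdict per constructed packet; INPUT for arriving, OUTPUT for leaving packets."""
    return {name: evaluate(ruleset, "INPUT" if "in" in pkt else "OUTPUT", pkt)[0]
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts(POSTED_RULES).items():
        print(f"{name:26s} {verdict}")
    print("https_via_tunnel with tun0 rules:", verdicts(POSTED_RULES + TUNNEL_RULES)["https_via_tunnel"])
```

With the posted rules alone the handshake and the server's replies pass, an unsolicited packet from the server address and a packet claiming a LAN source are dropped, and the HTTPS request into the tunnel is dropped by the OUTPUT policy; appending the tun0 rules is what lets it through.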
