Hi,
Hi Jörg, thanks for the reply!
Do you think those rules for the VPN connection are specific enough or could something else be added?
- A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
All the guides only use these two rules:
I'm just worried that they use 192.168.1.0/24 because normally I see a lot of iptables blocking this IP range for security.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, December 26th, 2021 at 2:02 PM, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:
Hello,
I'm using nftables with wireguard and it runs perfectly.
Don't forget the forward chain if your server runs as a router and you have a private network behind your firewall.
openVPN is for me
Am 26.12.2021 um 00:09 schrieb linux_forum1:
Hello, I'm trying to make the most specific, secure and restrictive iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!
VPN Server Port:1194
VPN Server IP: 189.174.135.110
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
#no fragmented packets
-A INPUT -f -j DROP
#localhost
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# first packet has to be TCP syn
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#drop sop icmp
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
#Ping from inside to outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#drop broadcast, multicast anycast
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
#drop invalid
-A INPUT -m state --state INVALID -j DROP
#drop spoofed packets
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# DROP RFC1918 PACKETS
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
#Allow VPN
- A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-- Mit freundlichen Grüßen Jörg Jellissen Friesenstraße 3 47445 Moers Mobil: (01573) / 5 34 42 18 Fax: (02841) / 4 08 62 77 E-Mail: joerg.jellissen@t-online.de