Firewall for OpenVPN
I'm trying to set up my firewall for my openvpn network. Right now, I have the following rules:
iptables -P FORWARD DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW -j ACCEPT
However, although I can establish an HTTP connection, no data is being returned.
If I allow all packets through using
iptables -A FORWARD -j ACCEPT
Then everything works.
If I log the packets not accepted for forwarding, I see they look like
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45770 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=271 TOS=0x00 PREC=0x00 TTL=63 ID=45771 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45772 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45773 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=271 TOS=0x00 PREC=0x00 TTL=63 ID=45774 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45775 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45776 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK FIN URGP=0
Should I just be allowing all traffic from tun0 to eth0? Is there any risk there? I found the original suggestion to only allow NEW traffic on several websites, but it doesn't seem to be correct…
3 Replies
I just allow all traffic from tun0 to the vpn server IP. This is ok for me because a) I consider myself a trusted client b) i require a password to connect to the VPN.
So the rule you would need is:
iptables -A INPUT -d 192.168.XX.X/32 -i tun+ -j ACCEPT
Where 192.168.XX.X is the IP of the OpenVPN server.
This rule allows all traffic from any tun interface if the destination is the VPN server. I do tun+ and not tun0 because if OpenVPN gets hosed and locks up tun0, it would open tun1 (i think). So the iptables rule has it covered.
I assume that on the return path (-i eth0 -o tun+), I should still only forward ESTABLISHED and RELATED (or is that also pointless since I ahve an input rule on -i eth0 that only accepts RELATED and ESTABLISHED.
> I assume that on the return path (-i eth0 -o tun+), I should still only forward ESTABLISHED and RELATED (or is that also pointless since I ahve an input rule on -i eth0 that only accepts RELATED and ESTABLISHED.
I don't think you need the FORWARD rule for the return path. If you are only accepting ESTABLISHED and RELATED on eth0, that's the only thing that's going to get to tun+, via NAT.
I believe it is only "Forwarding" when it is going from tun+ -> eth0. On the return trip, it would be via NAT, which would hit on INPUT and not FORWARD. That's my theory… :/
On the first question, I still think there is no reason to deny forwarding.
Someone else, please chime in on this FORWARD question.