please help: openvpn and firewall (iptables) setting!
I am using Ubuntu 10.04, and followed this tutorial to install OpenVPN, without enabling the firewall (iptables):
It was successful.
But if I want to enable the firewall following this tutorial:
and do it in this way:
File: /etc/iptables.firewall.rules
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Then OpenVPN stops working. I know there is a remark:
By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.
Be sure to revise these rules if you add new services later.
And OpenVPN is using 1194, but I do not know how to insert it into the above firewall rules.
Moreover, before enabling such a firewall, I noticed there was something in the output of iptables -L:
ACCEPT all -- 10.8.0.0/24 anywhere
It disappeared after enabling these rules. Is that also the cause?
Please help me, I do not like that the server (OpenVPN) is running without a firewall!
Thank you a lot!
10 Replies
-A INPUT -p udp --dport 1194 -j ACCEPT
That's assuming you have openvpn using udp on port 1194 (the standard setup).
If you want to allow all ports on the vpn add
-A INPUT -s 10.8.0.0/24 -j ACCEPT
OpenVPN connected, but I cannot visit any website.
Here is my /etc/iptables.firewall.rules (I have added
-A INPUT -p udp --dport 1194 -j ACCEPT at the bottom)
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Here is the output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Thank you very much for your advice!
-A INPUT -j REJECT
-A FORWARD -j REJECT
Everything will be ok.
Please help!
@obs:
Did you follow this to allow using the vpn as a tunnel?
http://library.linode.com/networking/openvpn/ubuntu-10.04-lucid#sph_tunnel-all-connections-through-the-vpn
Yes.
But if I delete the following 2 lines, is my firewall still protecting me safely?
-A INPUT -j REJECT
-A FORWARD -j REJECT
Which works fine, I've then gone through the following guide:
However using the iptables recommendation in this guide stops the VPN from working.
Adding '-A INPUT -p udp --dport 1194 -j ACCEPT' to the iptables.firewall.rules file doesn't make any difference as this is already included in the VPN setup rules.
As the others have said, the only way to get it working is to comment out the last 2 lines, but that seems like overkill. In doing that, aren't we opening ourselves up again to more trouble?
For now I'm just using this setup as a VPN to have a fixed IP address so I'm not worried about other services beyond SSH.
Thanks.
ALL : 10.10.10.0/24 : allow
or
All : 10.10.10.2 : allow ##whatever you are using.
You can test it via ping.
fb
To become root
su root
1- flush your iptables
iptables --flush
2- add rules to forward traffic through the VPN
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
3- connect to your VPN. Don't know how to connect to your Linode VPN? lol, it's ok… for example, using Ubuntu…
open your console on your LOCAL MACHINE the one you will use to connect to your linode VPN
apt-get update
apt-get install network-manager-openvpn openvpn
then go to
network connections > VPN > choose "Open VPN"
gateway= ip or hostname of your linode
certificates= the ones you generated on the VPN guide
go to advanced
check "use LZO data compression"
you should be able to connect now
if everything is working right congratz !
4- let's start securing your linode server without screwing your VPN service…
allow all output traffic
iptables -A OUTPUT -j ACCEPT
loopback rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
established inbound
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
http enable
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
https disable
iptables -A INPUT -p tcp --dport 443 -j DROP
SMTP allow
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
ssh enable
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
ping disable
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
OpenVPN allow
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
masquerade subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
log
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
finally reject everything that is not declared above
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
After all that work you want to save your config, don't you ? Ok, here is how
iptables-save > /etc/iptables.firewall.rules
Now you might also want to have all those rules activated every time you restart your box
sudo nano /etc/network/if-pre-up.d/firewall
put this…
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
Set the script's permissions by entering the following command:
sudo chmod +x /etc/network/if-pre-up.d/firewall
iptables -A INPUT -j REJECT
no INPUT below will work
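The FORWARD chain shown earlier in this thread (the file's catch-all REJECT first, OpenVPN's own rules appended behind it) and the remark that no INPUT rule below a `-j REJECT` will work are the same first-match behaviour. The script below is an added example, not code from this thread or from Linode's guide: it replays that first-match walk over the rules quoted here (only -i, -s, -p, --dport, --state and -j are modelled; `!` negation and -d are not) against two constructed packets, and shows that the fix is to move the catch-all REJECT to the end of the chain rather than to delete it.

```python
# Added example (not the thread's code): first-match simulation of the iptables
# subset used on this page, showing why the position of '-j REJECT' matters.
import ipaddress
import shlex

def parse_rule(line):
    """'-A CHAIN <matches> -j TARGET' -> (chain, match dict, target)."""
    toks = shlex.split(line)
    chain, match, target, i = toks[1], {}, None, 2
    while i < len(toks):
        flag, val = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        if flag == "-j": target = val
        elif flag == "-s": match["src"] = ipaddress.ip_network(val)
        elif flag == "--dport": match["dport"] = int(val)
        elif flag == "--state": match["state"] = set(val.split(","))
        elif flag in ("-i", "-p"): match[{"-i": "iface", "-p": "proto"}[flag]] = val
        else:                    # '-m state', '-m tcp' etc. add no match; '!' and -d not modelled
            i += 1
            continue
        i += 2
    return chain, match, target

def matches(match, pkt):
    """True when every match in the rule agrees with the packet ('tun+' is a prefix)."""
    for key, want in match.items():
        have = pkt[key]
        if key == "iface": ok = have.startswith(want[:-1]) if want.endswith("+") else have == want
        elif key == "src": ok = ipaddress.ip_address(have) in want
        elif key == "state": ok = have in want
        else: ok = have == want
        if not ok: return False
    return True

def verdict(rules, chain, pkt, policy="ACCEPT"):
    """Walk CHAIN top to bottom as the kernel does; the first matching rule wins."""
    for line in rules:
        if line.startswith(f"-A {chain} "):
            _, match, target = parse_rule(line)
            if target in ("ACCEPT", "REJECT", "DROP") and matches(match, pkt): return target
    return policy   # nothing matched: the chain policy (ACCEPT in the thread) decides

OPENVPN_RULES = ["-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
                 "-A FORWARD -s 10.8.0.0/24 -j ACCEPT"]
CATCH_ALL = "-A FORWARD -j REJECT"
FORWARD_SHADOWED = [CATCH_ALL] + OPENVPN_RULES  # order the thread's "iptables -L" showed
FORWARD_ORDERED = OPENVPN_RULES + [CATCH_ALL]   # catch-all last, as in Snap's post
# Constructed packets: a VPN client opening a web connection, and an unrelated host.
VPN_CLIENT = {"iface": "tun0", "src": "10.8.0.6", "proto": "tcp", "dport": 80, "state": "NEW"}
OUTSIDER = {"iface": "eth0", "src": "198.51.100.7", "proto": "tcp", "dport": 80, "state": "NEW"}
```

With the shadowed order the VPN client's forwarded packet hits the catch-all and is rejected (VPN up, no websites); with the catch-all last the client is accepted while the unrelated host is still rejected, and dropping the catch-all entirely falls through to the chain's ACCEPT policy.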
The above settings got me close, but still bombing. One of the commands wouldn't work for me (Debian6).
I was able to piece together between the above settings and the suggested settings a script that works for me and I think is secure.
Thank you very much Snap for setting me in the correct direction and the clear explanation of step-by-step commands. You are awesome.
My script, for people who may want to try and use it (again, I don't have a full understanding of this, I just fumbled around, so I can't vouch for security):
# Generated by iptables-save v1.4.8 on Sat May 4 17:57:33 2013
*security
:INPUT ACCEPT [714:53180]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [517:337377]
COMMIT
# Completed on Sat May 4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May 4 17:57:33 2013
*raw
:PREROUTING ACCEPT [785:58572]
:OUTPUT ACCEPT [517:337377]
COMMIT
# Completed on Sat May 4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May 4 17:57:33 2013
*nat
:PREROUTING ACCEPT [73:3212]
:INPUT ACCEPT [10:556]
:OUTPUT ACCEPT [10:737]
:POSTROUTING ACCEPT [10:737]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat May 4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May 4 17:57:33 2013
*mangle
:PREROUTING ACCEPT [785:58572]
:INPUT ACCEPT [777:55836]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [517:337377]
:POSTROUTING ACCEPT [517:337377]
COMMIT
# Completed on Sat May 4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May 4 17:57:33 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
-A FORWARD -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sat May 4 17:57:33 2013
1. If you choose to use this, just create a document in nano, then copy/paste this. Save it somewhere on your server.
2. Save a copy of your CURRENT firewall rules in case this does something bad. To do that:
sudo iptables-save > /location/you/want/to/save
3. Clear your current firewall settings.
$ sudo iptables -F
$ sudo iptables -X
$ sudo iptables -t nat -F
$ sudo iptables -t nat -X
$ sudo iptables -t mangle -F
$ sudo iptables -t mangle -X
$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT
$ sudo iptables -P OUTPUT ACCEPT
4. Import the copy of my firewall rules you created in step 1.
sudo iptables-restore < /location/of/saved/rules
5. Test to see if it's working.
6. If it works as desired, make sure you add it to your startup. These are the last two steps in the above post.
Cheers. Thanks everyone for your help.