4a20 OpenVPN example 0 - linux client iptables - Telecomix Crypto Munitions Bureau

OpenVPN example 0 - linux client iptables

From Telecomix Crypto Munitions Bureau

Jump to: navigation, search

Example iptables (firewall) script for a computer that connects to an OpenVPN server. This script is based on the very first example in the tutorial about iptables.

We assume that:

  • You have OpenVPN up and running. You can connect to the OpenVPN server. (See OpenVPN example 0.)
  • Your client computer has a physical interface named eth0. You want to be able to SSH to this port.
  • Your client computer also has a virtual interface, created by OpenVPN, named tun0. In this example, the client computer serves an HTTP server that you wish should only be accessible from inside the darknet (because you host dangerous content there, or whatever.)

[edit] The firewall script

Put this in a file, name it firewall or something.

If your OpenVPN connection is started with a script named /etc/rc2.d/S98OpenVPN-client0, consider putting it in /etc/rc2.d/ with the name S99firewall. When booting a debian computer, it will go through all files in the /etc/rc2.d/ directory (or whatever runlevel you use) and call each script there, starting at S01 and continuing with S02, S03, and so on. Starting your firewall just slightly after the OpenVPN tunnel is up and running might be a good idea, if you want it to work.

You could of course just start it manually yourself.

Do not forget to make the script executable. type chmod a+x ./ScriptName.

(This script is a modified version of the very first example in the iptables tutorial.)


# module to track the state of connections
modprobe ip_conntrack

# load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp

# sets somewhat sane sysctl stuff
sysctl -w net.ipv4.conf.all.forwarding=0           # we are not a router
#sysctl -w net.ipv4.conf.all.mc_forwarding=0        # do not propagate multicasts  (not supported since some version, i guess.)
sysctl -w net.ipv4.conf.all.rp_filter=1            # drop all packets that the kernel think are spoofed
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1   # avoid being part of smurf attacks
sysctl -w net.ipv4.conf.all.accept_source_route=0  # uncomment this if you have a complex network ;)
sysctl -w net.ipv4.tcp_syncookies=1                # saves some memory if syn-flooded

# sets default policy DROP for everything not explicitly allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# your programs are allowed to talk with the internets by default.

# drop everything that has to do with IPv6
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT             # accept that your own computer sends IPv6 packets to others

# flush all previous firewall rules.
iptables -F
# nulls all counters, eg. how many packets eth0 has sent, et.c.
iptables -Z

# accept all incoming traffic to the loopback interface
# you should be allowed to talk with yourself :d
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT  # accepts incomming IPv6 packets only at loopback interface (::1), se ip6tables default above

# setting ICMP rules...
# uncomment stuff if you think you need them. they could make life easier.
# uncommenting stuff marked with X could make life easier without loosing almost any security at all.
iptables -A INPUT --protocol icmp --icmp-type 0/0 -j ACCEPT  # echo reply (you want to be able to ping others)
#iptables -A INPUT --protocol icmp --icmp-type 3/0 -j ACCEPT  # network unreachable                          X
#iptables -A INPUT --protocol icmp --icmp-type 3/1 -j ACCEPT  # host unreachable                             X
#iptables -A INPUT --protocol icmp --icmp-type 3/2 -j ACCEPT  # protocol unreachable                         X
#iptables -A INPUT --protocol icmp --icmp-type 3/3 -j ACCEPT  # port unreachable                             X
#iptables -A INPUT --protocol icmp --icmp-type 4/0 -j ACCEPT  # source quench (source runs out of bandwidth) X
#iptables -A INPUT --protocol icmp --icmp-type 5 -j ACCEPT  # router redirects etc, be careful & see sysctl above
#iptables -A INPUT --protocol icmp --icmp-type 8/0 -j ACCEPT  # echo request (respond to ping?)
#iptables -A INPUT --protocol icmp --icmp-type 30/0 -j ACCEPT  # traceroute (use tcptraceroute instead?)
iptables -A INPUT -i eth0 --protocol icmp --icmp-type 8/0 -j ACCEPT      # you want to be able to ping your computer from your physical LAN
#iptables -A INPUT -i eth0 --protocol icmp -j ACCEPT                     # uncomment to allow all ICMP-traffic from your physical LAN
# the rest of the ICMP types/codes could be ignored, i think ;)

# avoid the *feature* of "--state NEW" that allows NEW TCP packets with SYN=0 to pass
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# accepts initializing, eg. SYN, connections to port 22 and 80.
iptables -A INPUT -i eth0 --protocol tcp --destination-port 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i tun0 --protocol tcp --destination-port 80 -m state --state NEW -j ACCEPT

# accepts all traffic that is part of some session. eg. you created it or it is part of an
# already established connection to your SSH or HTTP servers.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# do not forget to update your firewall script if you add more services :b

[edit] Setting up routing

If you want everything to get routed through the VPN tunnel, type..

  1. ip route show and write down the default route, in case you want to switch back to *normal mode*
  2. ip route del default to clear the default route
  3. ip route add default remember that is the OpenVPN servers IP-address.

If you always want this to happen automatically when you boot your computer, type the following:

echo "ip route del default" >> ./firewall
echo "ip route add default" >> ./firewall

(assuming that your firewall script is named "firewall". Make sure that the script exists inside /etc/rc2.d/ and is named something like S99firewall or whatever. Otherwise this will not work.)

[edit] See also

  • iptables for a tutorial on linux firewalls/routing.
Personal tools