
OpenVPN example 0 - linux client iptables

From Telecomix Crypto Munitions Bureau


Example iptables (firewall) script for a computer that connects to an OpenVPN server. This script is based on the very first example in the tutorial about iptables.

We assume that:

  • You have OpenVPN up and running and can connect to the OpenVPN server. (See OpenVPN example 0.)
  • Your client computer has a physical interface named eth0. You want to be able to SSH to the computer over this interface.
  • Your client computer also has a virtual interface, created by OpenVPN, named tun0. In this example the client computer runs an HTTP server that you want to be reachable only from inside the darknet (because you host dangerous content there, or whatever).

The firewall script

Put this in a file, name it firewall or something.

If your OpenVPN connection is started by a script named /etc/rc2.d/S98OpenVPN-client0, consider putting the firewall script in /etc/rc2.d/ under the name S99firewall. When a Debian computer boots, it goes through all files in /etc/rc2.d/ (or whatever runlevel you use) and runs each script in order, starting with S01 and continuing with S02, S03, and so on. Starting the firewall just after the OpenVPN tunnel is up is a good idea, since the rules below refer to tun0.

You could of course just start it manually yourself.

Do not forget to make the script executable: type chmod a+x ./ScriptName.

(This script is a modified version of the very first example in the iptables tutorial.)


#!/bin/sh

# module to track the state of connections
# (called nf_conntrack on newer kernels)
modprobe ip_conntrack

# load the active-FTP connection tracking helper, requires ip_conntrack
# (called nf_conntrack_ftp on newer kernels)
modprobe ip_conntrack_ftp

# sets somewhat sane sysctl stuff
sysctl -w net.ipv4.conf.all.forwarding=0           # we are not a router
#sysctl -w net.ipv4.conf.all.mc_forwarding=0        # do not propagate multicasts (read-only since some kernel version)
sysctl -w net.ipv4.conf.all.rp_filter=1            # drop packets that the kernel thinks are spoofed (reverse path check)
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1   # avoid being part of smurf attacks
sysctl -w net.ipv4.conf.all.accept_source_route=0  # do not accept source-routed packets (comment out only if your network really needs them)
sysctl -w net.ipv4.tcp_syncookies=1                # saves some memory if SYN-flooded

# sets default policy DROP for everything not explicitly allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# your programs are allowed to talk with the internets by default.
iptables -P OUTPUT ACCEPT

# drop everything that has to do with IPv6
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT             # your own computer may still send IPv6 packets to others

# flush all previous firewall rules (both IPv4 and IPv6, so re-running the
# script does not append duplicate rules)
iptables -F
ip6tables -F
# zeroes all packet and byte counters
iptables -Z
ip6tables -Z

# accept all incoming traffic on the loopback interface
# you should be allowed to talk with yourself :d
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT  # accepts incoming IPv6 packets only on the loopback interface (::1), see the ip6tables default above

# setting ICMP rules...
# uncomment stuff if you think you need it. it could make life easier.
# uncommenting the lines marked with X makes life easier without losing almost any security at all.
iptables -A INPUT --protocol icmp --icmp-type 0/0 -j ACCEPT  # echo reply (you want to be able to ping others)
#iptables -A INPUT --protocol icmp --icmp-type 3/0 -j ACCEPT  # network unreachable                          X
#iptables -A INPUT --protocol icmp --icmp-type 3/1 -j ACCEPT  # host unreachable                             X
#iptables -A INPUT --protocol icmp --icmp-type 3/2 -j ACCEPT  # protocol unreachable                         X
#iptables -A INPUT --protocol icmp --icmp-type 3/3 -j ACCEPT  # port unreachable                             X
#iptables -A INPUT --protocol icmp --icmp-type 4/0 -j ACCEPT  # source quench (source runs out of bandwidth) X
#iptables -A INPUT --protocol icmp --icmp-type 5 -j ACCEPT    # router redirects etc, be careful & see sysctl above
#iptables -A INPUT --protocol icmp --icmp-type 8/0 -j ACCEPT  # echo request (respond to ping from anywhere?)
#iptables -A INPUT --protocol icmp --icmp-type 30/0 -j ACCEPT # traceroute (use tcptraceroute instead?)
iptables -A INPUT -i eth0 --protocol icmp --icmp-type 8/0 -j ACCEPT      # you want to be able to ping your computer from your physical LAN
#iptables -A INPUT -i eth0 --protocol icmp -j ACCEPT                     # uncomment to allow all ICMP traffic from your physical LAN
# the rest of the ICMP types/codes can be ignored, i think ;)

# avoid the *feature* of "--state NEW" that lets NEW TCP packets without SYN set pass
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# accepts new (SYN) connections to port 22 on the physical interface and
# to port 80 on the VPN interface only.
iptables -A INPUT -i eth0 --protocol tcp --destination-port 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i tun0 --protocol tcp --destination-port 80 -m state --state NEW -j ACCEPT

# accepts all traffic that is part of some session, eg. a connection you created
# yourself or an already established connection to your SSH or HTTP server.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# do not forget to update your firewall script if you add more services :b
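After loading the script, it is worth checking that the ruleset actually does what the comments promise: INPUT policy DROP, SSH reachable only on eth0, and the HTTP server reachable only on tun0. The audit below is an added example, not part of the original page; it reads an INPUT chain dump in the form produced by iptables -S INPUT and greps for those properties. The SAMPLE_RULES text is a constructed dump that mirrors what the script above installs (note that iptables renders "! --syn" as a --tcp-flags match); run the real thing with RULES_FILE=<(iptables -S INPUT) or by saving the dump to a file first.

```shell
#!/bin/sh
# Added example: audit an "iptables -S INPUT" dump for the properties the
# firewall script on this page is meant to guarantee.

# Constructed sample dump (what iptables -S INPUT prints after running the script).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# input_policy_is_drop DUMP: succeeds if the INPUT chain policy is DROP.
input_policy_is_drop() {
    printf '%s\n' "$1" | grep -q -- '^-P INPUT DROP$'
}

# port_accepted_on DUMP PORT IFACE: succeeds if some ACCEPT rule for PORT is
# bound to interface IFACE.
port_accepted_on() {
    printf '%s\n' "$1" | grep -- "--dport $2 " | grep -- '-j ACCEPT' | grep -q -- "-i $3 "
}

# port_accepted_unrestricted DUMP PORT: succeeds if an ACCEPT rule for PORT
# has no "-i" interface restriction at all (i.e. it is open on every interface).
port_accepted_unrestricted() {
    printf '%s\n' "$1" | grep -- "--dport $2 " | grep -- '-j ACCEPT' | grep -qv -- '-i '
}

# audit_input_chain DUMP: prints every failed check, returns the number of failures.
audit_input_chain() {
    fails=0
    input_policy_is_drop "$1" || { echo "FAIL: INPUT policy is not DROP"; fails=$((fails+1)); }
    port_accepted_on "$1" 22 eth0 || { echo "FAIL: SSH (22) is not accepted on eth0"; fails=$((fails+1)); }
    port_accepted_on "$1" 80 tun0 || { echo "FAIL: HTTP (80) is not accepted on tun0"; fails=$((fails+1)); }
    port_accepted_on "$1" 80 eth0 && { echo "FAIL: HTTP (80) is exposed on eth0"; fails=$((fails+1)); }
    port_accepted_unrestricted "$1" 80 && { echo "FAIL: HTTP (80) is accepted on every interface"; fails=$((fails+1)); }
    return $fails
}

# Use the dump in $RULES_FILE if given, otherwise the constructed sample.
if [ -n "${RULES_FILE:-}" ]; then
    DUMP=$(cat "$RULES_FILE")
else
    DUMP=$SAMPLE_RULES
fi
audit_input_chain "$DUMP" && echo "audit: OK" || echo "audit: FAILED"
```

The interface-bound checks are the important ones: a rule that accepts port 80 without "-i tun0" would silently expose the HTTP server on eth0 as well, which is exactly the mistake the script's comments warn about when adding more services.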

Setting up routing

If you want everything to get routed through the VPN tunnel, type:

  1. ip route show and write down the default route, in case you want to switch back to *normal mode*.
  2. ip route del default to clear the default route.
  3. ip route add default via 172.16.1.1 (remember that 172.16.1.1 is the OpenVPN server's IP address on the tunnel).

If you always want this to happen automatically when you boot your computer, type the following:

echo "ip route del default" >> ./firewall
echo "ip route add default via 172.16.1.1" >> ./firewall

(This assumes that your firewall script is named "firewall". Make sure that the script exists inside /etc/rc2.d/ and is named something like S99firewall; otherwise it will not run at boot.)
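One thing the three steps above leave out: once the default route points into the tunnel, the encrypted OpenVPN packets to the server's public address must still leave through the physical interface, or the tunnel carries its own traffic and stalls. The helper below is an added example, not part of the original page. It parses an ip route show dump, keeps a host route to the VPN server's public address via the old gateway, and prints the commands for the switch and for the revert so you can review them, append them to the firewall script, or pipe them to sh as root. The VPN server's public address (203.0.113.5) and the SAMPLE_ROUTES table are constructed placeholders; the tunnel gateway 172.16.1.1 is the page's own value.

```shell
#!/bin/sh
# Added example: compute the route changes needed to send all traffic through
# tun0 while keeping the OpenVPN transport itself on the physical uplink.

# Constructed sample of "ip route show" on the client before the switch.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
172.16.1.0/24 dev tun0 proto kernel scope link src 172.16.1.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# default_gateway ROUTES: prints the next hop of the current default route.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# default_device ROUTES: prints the interface of the current default route.
default_device() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# vpn_route_commands SERVER_IP TUN_GW TUN_DEV OLD_GW OLD_DEV
# Prints the commands that move the default route into the tunnel. The host
# route for SERVER_IP is added first so the tunnel never routes its own packets.
vpn_route_commands() {
    echo "ip route add $1/32 via $4 dev $5"
    echo "ip route del default"
    echo "ip route add default via $2 dev $3"
}

# revert_route_commands SERVER_IP OLD_GW OLD_DEV
# Prints the commands that restore *normal mode*.
revert_route_commands() {
    echo "ip route del default"
    echo "ip route add default via $2 dev $3"
    echo "ip route del $1/32"
}

VPN_SERVER=${VPN_SERVER:-203.0.113.5}   # placeholder: public address of the OpenVPN server
TUN_GW=${TUN_GW:-172.16.1.1}            # OpenVPN server's address inside the tunnel (from the page)
TUN_DEV=${TUN_DEV:-tun0}

# With LIVE=1 read the real routing table; otherwise use the constructed sample.
if [ "${LIVE:-0}" = 1 ]; then
    ROUTES=$(ip route show)
else
    ROUTES=$SAMPLE_ROUTES
fi
OLD_GW=$(default_gateway "$ROUTES")
OLD_DEV=$(default_device "$ROUTES")

echo "# current default route: via $OLD_GW dev $OLD_DEV (write this down)"
echo "# switch everything into the tunnel:"
vpn_route_commands "$VPN_SERVER" "$TUN_GW" "$TUN_DEV" "$OLD_GW" "$OLD_DEV"
echo "# revert to normal mode:"
revert_route_commands "$VPN_SERVER" "$OLD_GW" "$OLD_DEV"
```

Nothing is applied by the script itself; run it as LIVE=1 VPN_SERVER=<server public IP> and pipe the printed "switch" block into sh (as root) once you are happy with it, or append those lines to the firewall script as the page suggests.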

See also

  • iptables for a tutorial on Linux firewalls/routing.