[Techtalk] iptables rules for openvpn review, please
Carla Schroder
carla at bratgrrl.com
Tue Feb 27 18:21:44 UTC 2007
Hey all,
These are the iptables rules I use on my firewall to allow remote OpenVPN
clients in. I invite smart persons to peck at them and point out weaknesses
and improvements.
Default policies:
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
everything else ACCEPT
#Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 1.2.3.4
[blah blah other stuff]
#openvpn rules
$ipt -A INPUT -i eth0 -p udp -s $remote-ip --sport 1194 --dport 1194 -j ACCEPT
$ipt -A OUTPUT -o eth0 -p udp -d $remote-ip --dport 1194 --sport 1194 -j ACCEPT
$ipt -A INPUT -i tun0 -j ACCEPT
$ipt -A OUTPUT -o tun0 -j ACCEPT
$ipt -A FORWARD -i tun0 -j ACCEPT
This is for a routed, not bridged VPN. Thanks!
Carla
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
Linux geek and random computer tamer
check out my Linux Cookbook!
http://www.oreilly.com/catalog/linuxckbk/
best book for sysadmins and power users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
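A stateful variant of this rule set, added here as an illustration and not Carla's own script. It keeps the same default-deny INPUT/FORWARD policies and the same UDP/1194 peer rule, but adds an ESTABLISHED,RELATED rule so reply traffic for forwarded VPN connections is covered explicitly, drops the client source-port match (a NAT gateway or a "nobind" client rewrites it), and restricts tunnel traffic to the VPN address pool and the internal LAN. Interface names, the peer address, and the subnets are placeholders; IPT defaults to a dry run that prints the rules so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed values:
# interface names, peer address (TEST-NET-3) and subnets are placeholders.
IPT="${IPT:-echo iptables}"             # set IPT=iptables to load for real
WAN_IFACE="${WAN_IFACE:-eth0}"          # assumed WAN interface
VPN_IFACE="${VPN_IFACE:-tun0}"          # routed (tun) device, not tap
LAN_IFACE="${LAN_IFACE:-eth1}"          # assumed internal interface
REMOTE_IP="${REMOTE_IP:-203.0.113.10}"  # constructed OpenVPN peer address
VPN_NET="${VPN_NET:-10.8.0.0/24}"       # constructed tunnel address pool
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed internal subnet

openvpn_rules() {
    # Default-deny on INPUT and FORWARD, as in the original post.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Stateful rules first: replies for connections the firewall already
    # accepted pass without a per-service rule, including the return path
    # for traffic forwarded from VPN clients into the LAN.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # OpenVPN channel: only new UDP to port 1194 from the known peer on the
    # WAN interface. The client's source port is deliberately not pinned.
    $IPT -A INPUT -i "$WAN_IFACE" -p udp -s "$REMOTE_IP" --dport 1194 \
         -m state --state NEW -j ACCEPT

    # Inside the tunnel: accept only packets from the VPN address pool, and
    # forward them to the LAN only (never back out to the internet).
    $IPT -A INPUT   -i "$VPN_IFACE" -s "$VPN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IFACE" -o "$LAN_IFACE" \
         -s "$VPN_NET" -d "$LAN_NET" -m state --state NEW -j ACCEPT

    # Anything else arriving on the tunnel is logged before the DROP policy
    # discards it, which makes misrouted or spoofed tunnel traffic visible.
    $IPT -A INPUT -i "$VPN_IFACE" -j LOG --log-prefix "vpn-drop: "
}

# Quick sanity check on the generated set: how many rules touch the tunnel.
count_tun_rules() {
    openvpn_rules | grep -c -- "$VPN_IFACE"
}

openvpn_rules
```

Run it as-is to print the rules for review; run with `IPT=iptables` as root to load them. Because the stateful rule sits first in FORWARD, the tunnel-to-LAN rule only has to admit NEW connections, and nothing on the LAN can open a connection back into the VPN pool unless a rule is added for it.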