[Techtalk] iptables rules for openvpn review, please

John Clarke johnc+linuxchix at kirriwa.net
Wed Feb 28 00:14:30 UTC 2007

On Tue, Feb 27, 2007 at 10:21:44 -0800, Carla Schroder wrote:

Hi Carla,

> #openvpn rules
> $ipt -A INPUT -i eth0 -p udp -s $remote-ip --sport 1194 --dport 1194 -j ACCEPT 
> $ipt -A OUTPUT -o eth0 -p udp -d $remote-ip --dport 1194 --sport 1194 -j  ACCEPT 

I don't think you can guarantee that the source port number is also
1194, and I always use state matching to simplify the rules, so I'd have
something like this:

    $ipt -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    $ipt -A INPUT -i eth0 -p udp -s $remote-ip -d $local-ip --dport 1194 -m state --state NEW -j ACCEPT

(state matching first so that most packets fall out there rather than
traversing the whole chain)

> $ipt -A INPUT -i tun0 -j ACCEPT 
> $ipt -A OUTPUT -o tun0 -j ACCEPT 
> $ipt -A FORWARD -i tun0 -j ACCEPT

These are OK, if you want to allow everything from the remote end of the
vpn.  You're also allowing the other end to forward traffic out to the
rest of your network.  Maybe I'm paranoid, but I'd restrict what the
remote end of the vpn is allowed to do.

If you want, I'll share the rules I use for my openvpn server and
clients, or if you have any particular filtering in mind, let me know
and I'll generate a suitable set of rules for you.


> Why is it defensive driving doesn't imply the use of defensive grenades?
Because the fragmentation caing will damage your paintwork and glass.
            -- Chris Suslowicz

More information about the Techtalk mailing list