Firewall for OpenVPN

Hi,

I'm trying to set up my firewall for my openvpn network. Right now, I have the following rules:

iptables -P FORWARD DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW -j ACCEPT

However, although I can establish an HTTP connection, no data is being returned.

If I allow all packets through using

iptables -A FORWARD -j ACCEPT

Then everything works.

If I log the packets not accepted for forwarding, I see they look like

IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45770 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=271 TOS=0x00 PREC=0x00 TTL=63 ID=45771 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45772 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45773 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=271 TOS=0x00 PREC=0x00 TTL=63 ID=45774 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45775 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45776 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK FIN URGP=0

Should I just be allowing all traffic from tun0 to eth0? Is there any risk there? I found the original suggestion to only allow NEW traffic on several websites, but it doesn't seem to be correct…
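As an added example that is not part of the thread: a small Python model that parses LOG lines in the format shown above and replays them against the posted FORWARD chain and against the same chain with the ESTABLISHED,RELATED rule not tied to `-o tun+`. Conntrack is reduced to one stated assumption (a lone SYN is NEW, any other segment is ESTABLISHED), and the two SYN lines are constructed for the example, not taken from the post.

```python
# One of the LOG lines posted above (IN=tun0 OUT=eth0, ACK set, no SYN).
POSTED_ACK = "IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45770 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0"
# Constructed for this example (not in the thread): a client opening a new
# connection through the VPN, and an unsolicited SYN arriving from eth0.
CLIENT_SYN = "IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 PROTO=TCP SPT=37064 DPT=80 SYN URGP=0"
INBOUND_SYN = "IN=eth0 OUT=tun0 SRC=203.0.113.9 DST=192.168.2.5 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0"
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log(line):
    # key=value tokens become fields; bare tokens such as ACK/PSH are TCP flags.
    pkt, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pkt[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    # Simplified conntrack (assumption): a lone SYN starts a flow (NEW); any
    # other segment is treated as part of a flow conntrack already tracks.
    pkt["state"] = "NEW" if flags == {"SYN"} else "ESTABLISHED"
    return pkt

def iface_match(pattern, name):
    # -i/-o semantics: None matches any interface, a trailing '+' is a prefix wildcard.
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern

def forward_verdict(chain, pkt, policy="DROP"):
    # First matching rule wins, as in iptables; otherwise the chain policy applies.
    for in_if, out_if, states, target in chain:
        if (iface_match(in_if, pkt["IN"]) and iface_match(out_if, pkt["OUT"])
                and (states is None or pkt["state"] in states)):
            return target
    return policy

# The FORWARD chain as posted: the state rule only matches packets leaving via tun+.
POSTED_CHAIN = [(None, "tun+", {"ESTABLISHED", "RELATED"}, "ACCEPT"),
                ("tun+", "eth0", {"NEW"}, "ACCEPT")]
# Same chain with the state rule not bound to an interface.
STATEFUL_CHAIN = [(None, None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
                  ("tun+", "eth0", {"NEW"}, "ACCEPT")]

def compare(line):
    # Returns (verdict under the posted chain, verdict under the stateful chain).
    pkt = parse_log(line)
    return forward_verdict(POSTED_CHAIN, pkt), forward_verdict(STATEFUL_CHAIN, pkt)
```

Under this model the posted chain drops the logged ACK packet (it is neither NEW nor leaving via tun+), while the interface-free state rule accepts it and still drops the unsolicited inbound SYN.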

3 Replies

My opinion is that it is ok to set the FORWARD chain policy as ACCEPT. If you properly restrict the exterior packets, i.e. the INPUT chain, I don't see any risk.

I just allow all traffic from tun0 to the vpn server IP. This is ok for me because a) I consider myself a trusted client b) I require a password to connect to the VPN.

So the rule you would need is:

iptables -A INPUT -d 192.168.XX.X/32 -i tun+ -j ACCEPT

Where 192.168.XX.X is the IP of the OpenVPN server.

This rule allows all traffic from any tun interface if the destination is the VPN server. I do tun+ and not tun0 because if OpenVPN gets hosed and locks up tun0, it would open tun1 (I think). So the iptables rule has it covered.

I'm accepting all traffic from tun+. Does that mean that there's no reason to deny forwarding?

I assume that on the return path (-i eth0 -o tun+), I should still only forward ESTABLISHED and RELATED (or is that also pointless since I have an input rule on -i eth0 that only accepts RELATED and ESTABLISHED).

> I assume that on the return path (-i eth0 -o tun+), I should still only forward ESTABLISHED and RELATED (or is that also pointless since I have an input rule on -i eth0 that only accepts RELATED and ESTABLISHED).

I don't think you need the FORWARD rule for the return path. If you are only accepting ESTABLISHED and RELATED on eth0, that's the only thing that's going to get to tun+, via NAT.

I believe it is only "Forwarding" when it is going from tun+ -> eth0. On the return trip, it would be via NAT, which would hit on INPUT and not FORWARD. That's my theory… :/

On the first question, I still think there is no reason to deny forwarding.

Someone else, please chime in on this FORWARD question.
