Help Please: openVPN iptables trouble

I followed the helpful community guide to setting up openVPN on my Linode but I am running into problems that relate to my iptables config.

I am a total amateur at server configurations so my pre-existing iptables entries are all from a previous guide I used to get my server up and running.

The situation is that I can connect via an openVPN client to my Linode, but I can't browse the web. For example, I can't browse to google.com and I can't ping google.com, but I CAN ping an IP Address.

If I flush iptables then everything works just fine.

Here is my iptables.up.rules file – the only additions I made during the openVPN install are the three lines under "# Allows openVPN connections"

Any help anyone could offer for getting me back on the right track will be very much appreciated!

*filter

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections
#
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allows openVPN connections
-A INPUT -p udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

3 Replies

Well I hit the right search term on google and figured out that I was missing the following

# Allow TUN interface connections to OpenVPN server
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT

So the only piece still broken is that I can't add the following instruction to my iptables.up.rules file…

-t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Because I get the following error when I try to roll them in

iptables-restore v1.4.4: Line 41 seems to have a -t table option.

But openVPN doesn't work without that, so I have to run it from the command line to get openVPN running.

Is there any way that can be added to my rules file so that everything is done automatically at reboot?

iptables-restore is designed to work with iptables-save. To use it properly, you'll want to set up the rules how you want them (using iptables from the command line), and then do

# iptables-save > iptables.rules

The rules will then be arranged in the way iptables-restore expects them to be. -rt
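As an added illustration of the reply above (not the thread's own file), here is the rules file rewritten in the iptables-save format that iptables-restore expects: each table gets its own `*table ... COMMIT` section, so the MASQUERADE rule goes under `*nat` instead of carrying a `-t nat` option. It assumes the thread's VPN subnet 10.8.0.0/24 and public interface eth0, abbreviates the filter section to the VPN-related rules, and adds a small check for the `-t` mistake.

```shell
#!/bin/sh
# Added example, not the thread's own file: the same rules in the
# iptables-save format that iptables-restore expects. Each table is its own
# "*table ... COMMIT" block, so the NAT rule lives under "*nat" instead of
# carrying a "-t nat" option. Assumes VPN subnet 10.8.0.0/24 and eth0.
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/iptables.up.rules}"  # assumed path

write_rules() {
  cat > "$RULES_FILE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade VPN client traffic leaving through the public interface
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
# Traffic arriving on the tunnel interface, as in the first reply
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Succeeds only if no rule line carries a "-t <table>" option, which
# iptables-restore rejects with "Line N seems to have a -t table option".
check_rules() {
  ! grep -nE '(^|[[:space:]])-t[[:space:]]+(nat|filter|mangle|raw)([[:space:]]|$)' "$1"
}

write_rules
check_rules "$RULES_FILE" && echo "$RULES_FILE is loadable with iptables-restore"
```

Loading it with `iptables-restore < "$RULES_FILE"` at boot installs both the nat and filter tables in one step, which is what the `-t nat` line could not do inside the old file.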

Awesome. fixed me right up.

Thank you, I very much appreciate it.
