-
-
Save Tristor/ed0f6867d2b0fa4c1f80300af6e0e12e to your computer and use it in GitHub Desktop.
| #!/bin/bash | |
| # Flushing all rules | |
| iptables -F FORWARD | |
| iptables -F INPUT | |
| iptables -F OUTPUT | |
| iptables -X | |
| # Setting default filter policy | |
| iptables -P INPUT DROP | |
| iptables -P OUTPUT DROP | |
| iptables -P FORWARD DROP | |
| # Allow unlimited traffic on loopback | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A OUTPUT -o lo -j ACCEPT | |
| # Accept inbound TCP packets | |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Allow incoming SSH | |
| iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT | |
| # Allow incoming OpenVPN | |
| iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT | |
| #iptables -A INPUT -p tcp --dport 443 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT | |
| # Accept outbound packets | |
| iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # Allow DNS outbound | |
| iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT | |
| iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT | |
| # Allow HTTP outbound | |
| iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT | |
| # Allow HTTPS outbound | |
| iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT | |
| # Enable NAT for the VPN | |
| iptables -t nat -A POSTROUTING -s 172.16.100.0/24 -o eth0 -j MASQUERADE | |
| # Allow TUN interface connections to OpenVPN server | |
| iptables -A INPUT -i tun0 -j ACCEPT | |
| # Allow TUN interface connections to be forwarded through other interfaces | |
| iptables -A FORWARD -i tun0 -j ACCEPT | |
| iptables -A OUTPUT -o tun0 -j ACCEPT | |
| iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| # Allow outbound access to all networks on the Internet from the VPN | |
| iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 0.0.0.0/0 -j ACCEPT | |
| # Block client-to-client routing on the VPN | |
| iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 172.16.100.0/24 -j DROP |
Hi. Thanks for the snippet. But it seems you did something wrong here.... Also -m state is deprecated. You should you -m conntrack --ctstate instead.
//Forward Rules
- iptables -A FORWARD -i tun0 -j ACCEPT #kinda useless. but well. depends on your needs...
- iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 0.0.0.0/0 -j ACCEPT # overrules rule 5.
- iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 172.16.100.0/24 -j DROP # this rule will never been hit. see rule 4.
A better choice would look like this:
//allow related,established traffic tun0<->eth0
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
//drop client to client
iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 172.16.100.0/24 -j DROP
// allow vpn traffic
iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
also this should not be needed:
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
cheers
fastboot
@Tristor are that rules working still today?
Can you provide the same for ip6tables? :)
Isn't line #37 masked by the line #35?
Typo: "tun+" in the line #38