Simple IPtables script for an OpenVPN server
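#!/bin/bash
#
# Simple iptables ruleset for an OpenVPN server (IPv4 only).
#
# Builds a default-deny filter policy that admits SSH and OpenVPN from the
# Internet, lets the server itself reach DNS/HTTP/HTTPS, NATs VPN clients out
# of the WAN interface and blocks client-to-client forwarding on the tunnel.
#
# Must run as root. Only the IPv4 tables are touched; ip6tables is not
# configured by this script. Forwarding additionally needs
# net.ipv4.ip_forward=1, which this script does not set.
#
# Environment overrides (defaults are the values the script originally
# hard-coded):
#   WAN_IF     outbound interface used for NAT        (default: eth0)
#   TUN_IF     OpenVPN tunnel interface               (default: tun0)
#   VPN_NET    address pool handed to VPN clients     (default: 172.16.100.0/24)
#   SSH_PORT   TCP port accepted for SSH              (default: 22)
#   OVPN_PORT  UDP port accepted for OpenVPN          (default: 1194)

set -eu

readonly WAN_IF="${WAN_IF:-eth0}"
readonly TUN_IF="${TUN_IF:-tun0}"
readonly VPN_NET="${VPN_NET:-172.16.100.0/24}"
readonly SSH_PORT="${SSH_PORT:-22}"
readonly OVPN_PORT="${OVPN_PORT:-1194}"

# iptables silently fails (or errors) without CAP_NET_ADMIN; fail early instead.
if [[ "$EUID" -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Flush all rules. The nat POSTROUTING chain is flushed too: flushing only the
# filter table meant every re-run appended another duplicate MASQUERADE rule.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -t nat -F POSTROUTING

# Loopback and reply traffic are accepted BEFORE the default policies switch to
# DROP, so an existing SSH session keeps working even if a later command fails
# and set -e aborts the script half-way.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Default filter policy: deny everything not explicitly allowed below.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Inbound services reachable from any source (-s 0.0.0.0/0 is the default and
# was dropped as a no-op).
iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp --dport "$OVPN_PORT" -m conntrack --ctstate NEW -j ACCEPT
# Uncomment to also accept OpenVPN over TCP/443.
#iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# Outbound connections the server itself may open: DNS, HTTP and HTTPS.
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT

# NAT VPN clients out of the WAN interface.
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

# Tunnel <-> server traffic. NOTE(review): the INPUT rule exposes every local
# service to VPN clients; narrow it (-p/--dport) if the host runs more than
# OpenVPN and DNS.
iptables -A INPUT -i "$TUN_IF" -j ACCEPT
iptables -A OUTPUT -o "$TUN_IF" -j ACCEPT

# Forwarding between the tunnel and the WAN. Order matters: iptables stops at
# the first matching rule, so the client-to-client DROP must come before the
# rule that accepts new connections from the tunnel. The original appended an
# unconditional "-i tun0 -j ACCEPT" first, which made its DROP unreachable.
iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Block client-to-client routing on the VPN.
iptables -A FORWARD -i "$TUN_IF" -s "$VPN_NET" -d "$VPN_NET" -j DROP
# Allow VPN clients to open new connections to anywhere else.
iptables -A FORWARD -i "$TUN_IF" -s "$VPN_NET" -m conntrack --ctstate NEW -j ACCEPT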
Hi. Thanks for the snippet. But it seems you did something wrong here. Also, -m state is deprecated; you should use -m conntrack --ctstate instead.
//Forward Rules
A better choice would look like this:
//allow related,established traffic tun0<->eth0
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
//drop client to client
iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 172.16.100.0/24 -j DROP
// allow vpn traffic
iptables -A FORWARD -i tun0 -s 172.16.100.0/24 -d 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
also this should not be needed:
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
cheers
fastboot