diff --git a/OpenVPN-server:-Firewall-configuration-(using-iptables).md b/OpenVPN-server:-Firewall-configuration-(using-iptables).md new file mode 100644 index 0000000..074c420 --- /dev/null +++ b/OpenVPN-server:-Firewall-configuration-(using-iptables).md @@ -0,0 +1,100 @@ +### Optional: Firewall configuration (using iptables) +If your server is visible to the world, you might want prevent port 53/80 from being accessible from the outside. You will still be able to connect to your Pi-hole from within the VPN. + +Using `iptables`: First, verify that there is no rule that explicitly accepts `http` requests +``` +sudo iptables -L --line-numbers +``` + +If you get something like +
+Chain INPUT (policy ACCEPT)
+num  target     prot opt source               destination         
+1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
+2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
+3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
+
+Chain FORWARD (policy ACCEPT)
+num  target     prot opt source               destination         
+
+Chain OUTPUT (policy ACCEPT)
+num  target     prot opt source               destination         
+
+you have to first explicitly delete the first INPUT rule using: +``` +sudo iptables -D INPUT 1 +``` + +Then you can add an explicit rule that allows access from within the VPN +``` +sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT +sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT +sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT +sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT +``` + +And another one that prevents access from everywhere else +``` +sudo iptables -A INPUT -p tcp --destination-port 53 -j DROP +sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP +sudo iptables -A INPUT -p udp --destination-port 53 -j DROP +sudo iptables -A INPUT -p udp --destination-port 80 -j DROP +``` + +Your configuration should look like +
+sudo iptables -L -v --line-numbers
+Chain INPUT (policy ACCEPT 104 packets, 8691 bytes)
+num   pkts bytes target     prot opt in     out     source               destination         
+1        0     0 ACCEPT     tcp  --  tun0   any     anywhere             anywhere             tcp dpt:domain
+2        0     0 ACCEPT     tcp  --  tun0   any     anywhere             anywhere             tcp dpt:http
+3        0     0 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:domain
+4        0     0 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:http
+5        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
+6        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:http
+7        0     0 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:domain
+8        0     0 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:http
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+num   pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 83 packets, 11305 bytes)
+num   pkts bytes target     prot opt in     out     source               destination
+
+while there might be other rules in your table. Note that the order of the list entries matters! + +--- +### Optional: IPv6 + +Note that you will have to repeat the firewall setup using `ip6tables` if your server is also reachable via IPv6: + +``` +sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT +sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT +sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT +sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT +sudo ip6tables -A INPUT -p tcp --destination-port 53 -j DROP +sudo ip6tables -A INPUT -p tcp --destination-port 80 -j DROP +sudo ip6tables -A INPUT -p udp --destination-port 53 -j DROP +sudo ip6tables -A INPUT -p udp --destination-port 80 -j DROP +``` + +``` +sudo ip6tables -L +Chain INPUT (policy ACCEPT) +target prot opt source destination +ACCEPT tcp anywhere anywhere tcp dpt:domain +ACCEPT tcp anywhere anywhere tcp dpt:http +ACCEPT udp anywhere anywhere udp dpt:domain +ACCEPT udp anywhere anywhere udp dpt:http +DROP tcp anywhere anywhere tcp dpt:domain +DROP tcp anywhere anywhere tcp dpt:http +DROP udp anywhere anywhere udp dpt:domain +DROP udp anywhere anywhere udp dpt:http + +Chain FORWARD (policy ACCEPT) +target prot opt source destination + +Chain OUTPUT (policy ACCEPT) +target prot opt source destination +``` \ No newline at end of file
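Review bot: the deletion step in this hunk (`sudo iptables -D INPUT 1`) removes only the first pre-existing ACCEPT rule, yet the example listing directly above it shows three explicit ACCEPT rules (`tcp dpt:http`, `tcp dpt:domain`, `udp dpt:domain`); because the new DROP rules are appended with `-A`, any ACCEPT for port 53 that is left in place still matches first and DNS remains reachable from the outside. Suggest telling the reader to remove every pre-existing ACCEPT for ports 53 and 80 and, since rule numbers shift after each `-D`, either delete from the highest number down or delete by specification, e.g. `sudo iptables -D INPUT -p udp --dport 53 -j ACCEPT`. Two further points for the same hunk: the DROP rules carry no `-i` match, so they also apply to packets arriving on `lo`, which breaks resolution against 127.0.0.1 on the Pi-hole host itself unless an `-i lo -j ACCEPT` rule precedes them (the `-i tun0` ACCEPTs do not cover loopback), and rules added this way are not persistent, so the page should mention saving them (`iptables-save` / `netfilter-persistent`) or they are gone after a reboot; the ip6tables section inherits both issues. Minor: the `udp --destination-port 80` ACCEPT/DROP pair is harmless but serves no purpose for HTTP.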