Created OpenVPN server: Firewall configuration (using iptables) (markdown)

2025-04-28 20:14:24 +02:00 · 2017-01-26 13:48:52 +01:00 · 2017-01-26 13:48:52 +01:00 · a7c4b14381
commit a7c4b14381
parent ef07f59ef8
1 changed files with 100 additions and 0 deletions
--- a/OpenVPN-server:-Firewall-configuration-(using-iptables).md
+++ b/OpenVPN-server:-Firewall-configuration-(using-iptables).md
@ -0,0 +1,100 @@
+### Optional: Firewall configuration (using iptables)
+If your server is visible to the world, you might want prevent port 53/80 from being accessible from the outside. You will still be able to connect to your Pi-hole from within the VPN.
+
+Using `iptables`: First, verify that there is no rule that explicitly accepts `http` requests
+```
+sudo iptables -L --line-numbers
+```
+
+If you get something like
+<pre>
+Chain INPUT (policy ACCEPT)
+num  target     prot opt source               destination         
+<b>1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http</b>
+2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
+3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
+
+Chain FORWARD (policy ACCEPT)
+num  target     prot opt source               destination         
+
+Chain OUTPUT (policy ACCEPT)
+num  target     prot opt source               destination         
+</pre>
+you have to first explicitly delete the first INPUT rule using:
+```
+sudo iptables -D INPUT 1
+```
+
+Then you can add an explicit rule that allows access from within the VPN
+```
+sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
+sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
+sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
+sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
+```
+
+And another one that prevents access from everywhere else
+```
+sudo iptables -A INPUT -p tcp --destination-port 53 -j DROP
+sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP
+sudo iptables -A INPUT -p udp --destination-port 53 -j DROP
+sudo iptables -A INPUT -p udp --destination-port 80 -j DROP
+```
+
+Your configuration should look like
+<pre>
+sudo iptables -L -v --line-numbers
+Chain INPUT (policy ACCEPT 104 packets, 8691 bytes)
+num   pkts bytes target     prot opt in     out     source               destination         
+1        0     0 ACCEPT     tcp  --  <b>tun0</b>   any     anywhere             anywhere             tcp dpt:domain
+2        0     0 ACCEPT     tcp  --  <b>tun0</b>   any     anywhere             anywhere             tcp dpt:http
+3        0     0 ACCEPT     udp  --  <b>tun0</b>   any     anywhere             anywhere             udp dpt:domain
+4        0     0 ACCEPT     udp  --  <b>tun0</b>   any     anywhere             anywhere             udp dpt:http
+5        0     0 DROP       tcp  --  <b>any</b>    any     anywhere             anywhere             tcp dpt:domain
+6        0     0 DROP       tcp  --  <b>any</b>    any     anywhere             anywhere             tcp dpt:http
+7        0     0 DROP       udp  --  <b>any</b>    any     anywhere             anywhere             udp dpt:domain
+8        0     0 DROP       udp  --  <b>any</b>    any     anywhere             anywhere             udp dpt:http
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+num   pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 83 packets, 11305 bytes)
+num   pkts bytes target     prot opt in     out     source               destination
+</pre>
+while there might be other rules in your table. Note that the order of the list entries matters!
+
+---
+### Optional: IPv6
+
+Note that you will have to repeat the firewall setup using `ip6tables` if your server is also reachable via IPv6:
+
+```
+sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
+sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
+sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
+sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
+sudo ip6tables -A INPUT -p tcp --destination-port 53 -j DROP
+sudo ip6tables -A INPUT -p tcp --destination-port 80 -j DROP
+sudo ip6tables -A INPUT -p udp --destination-port 53 -j DROP
+sudo ip6tables -A INPUT -p udp --destination-port 80 -j DROP
+```
+
+```
+sudo ip6tables -L
+Chain INPUT (policy ACCEPT)
+target     prot opt source               destination         
+ACCEPT     tcp      anywhere             anywhere             tcp dpt:domain
+ACCEPT     tcp      anywhere             anywhere             tcp dpt:http
+ACCEPT     udp      anywhere             anywhere             udp dpt:domain
+ACCEPT     udp      anywhere             anywhere             udp dpt:http
+DROP       tcp      anywhere             anywhere             tcp dpt:domain
+DROP       tcp      anywhere             anywhere             tcp dpt:http
+DROP       udp      anywhere             anywhere             udp dpt:domain
+DROP       udp      anywhere             anywhere             udp dpt:http
+
+Chain FORWARD (policy ACCEPT)
+target     prot opt source               destination         
+
+Chain OUTPUT (policy ACCEPT)
+target     prot opt source               destination
+```