Hi,
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp *-m udp* --dport 1194
You don't need to use the udp module, because you have specified the protocol
udp in your rule.
So this is not needed.
On 26.12.2021 at 14:42, linux_forum1 wrote:
Hi Jörg, thanks for the reply!
Do you think those rules for the VPN connection are specific enough or
could something else be added?
-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
All the guides only use these two rules:
I'm just worried that they use 192.168.1.0/24 because normally I see a
lot of iptables blocking this IP range for security.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, December 26th, 2021 at 2:02 PM, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:
Hello,
I'm using nftables with wireguard and it runs perfectly.
Don't forget the forward chain if your server runs as a router and
you have a private network behind your firewall.
openVPN is for me
On 26.12.2021 at 00:09, linux_forum1 wrote:
Hello, I'm trying to make the most specific, secure and restrictive
iptables possible for a simple VPN connection on Debian. Could you
have a quick look if those are OK? Thanks so much!
VPN Server Port: 1194
VPN Server IP: 189.174.135.110
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
#no fragmented packets
-A INPUT -f -j DROP
#localhost
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# first packet has to be TCP syn
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#drop sop icmp
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
#Ping from inside to outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#drop broadcast, multicast anycast
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
#drop invalid
-A INPUT -m state --state INVALID -j DROP
#drop spoofed packets
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# DROP RFC1918 PACKETS
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
#Allow VPN
-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
--
Kind regards
Jörg Jellissen
Friesenstraße 3
47445 Moers
Mobil: (01573) / 5 34 42 18
Fax: (02841) / 4 08 62 77
E-Mail: joerg.jellissen@t-online.de
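As an added example (not code from the thread or from either poster), a POSIX shell script that emits an iptables-restore ruleset for the VPN client host following Jörg's two rules, and a small check for the `-p udp` / `-m udp` redundancy he pointed out. It assumes a single outbound interface and that this host initiates no other connections; the rule text, the function names and the defaults are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emit an iptables-restore ruleset for a
# VPN client host applying Jörg's two points: one conntrack RELATED,ESTABLISHED
# rule in INPUT instead of a hand-built reply rule, and no "-m udp" next to
# "-p udp" (the -p option already loads the udp match).
# Arguments: VPN server IP, VPN server UDP port, outbound interface.
vpn_ruleset() {
    server="$1"; port="$2"; iface="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to flows this host opened, which covers the VPN return traffic
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the only new outbound flow: the tunnel itself
-A OUTPUT -o $iface -p udp -d $server --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Returns 0 when a rule repeats its -p protocol as an explicit -m match
# (the redundancy Jörg pointed out), 1 otherwise.
has_redundant_match() {
    case "$1" in
        *"-p udp"*"-m udp"*|*"-p tcp"*"-m tcp"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the rules read from stdin that carry that redundancy.
count_redundant_matches() {
    n=0
    while IFS= read -r line; do
        has_redundant_match "$line" && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use: print the ruleset for the server named in the thread.
vpn_ruleset "${1:-189.174.135.110}" "${2:-1194}" "${3:-eth0}"
```

Pipe the output into `iptables-restore --test` to have iptables parse the ruleset without committing it.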