• Perfect iptables for OpenVPN

    From linux_forum1@21:1/5 to All on Sun Dec 26 00:20:02 2021
    Hello, I'm trying to make the most specific, secure and restrictive iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!

    VPN Server Port: 1194

    VPN Server IP: 189.174.135.110

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP

    #no fragmented packets
    -A INPUT -f -j DROP
    #localhost
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
    -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # first packet has to be TCP syn
    -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    #drop sop icmp
    -A INPUT -p icmp --icmp-type address-mask-request -j DROP
    -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    #Ping from inside to outside
    -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    #drop broadcast, multicast anycast
    -A INPUT -m addrtype --dst-type BROADCAST -j DROP
    -A INPUT -m addrtype --dst-type MULTICAST -j DROP
    -A INPUT -m addrtype --dst-type ANYCAST -j DROP
    -A INPUT -d 224.0.0.0/4 -j DROP
    #drop invalid
    -A INPUT -m state --state INVALID -j DROP
    #drop spoofed packets
    -A INPUT -s 0.0.0.0/8 -j DROP
    -A INPUT -d 0.0.0.0/8 -j DROP
    -A INPUT -d 239.255.255.0/24 -j DROP
    -A INPUT -d 255.255.255.255 -j DROP
    # DROP RFC1918 PACKETS
    -A INPUT -s 10.0.0.0/8 -j DROP
    -A INPUT -s 172.16.0.0/12 -j DROP
    -A INPUT -s 192.168.0.0/16 -j DROP
    #Allow VPN

    -A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT

    -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jörg Jellissen@21:1/5 to All on Sun Dec 26 14:10:01 2021
    Hello,

    I'm using nftables with wireguard and it runs perfectly.

    Don't forget the forward chain if your server runs as a router and you
    have a private network behind your firewall.

    openVPN is for me

    On 26.12.2021 at 00:09, linux_forum1 wrote:
    > [...]

  • From Jörg Jellissen@21:1/5 to All on Sun Dec 26 16:30:01 2021
    Hi,

    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p udp *-m udp* --dport 1194

    You don't have to use the udp module, because you have already specified the protocol
    udp in your rule.
    So, this is not needed.

    On 26.12.2021 at 14:42, linux_forum1 wrote:
    > Hi Jörg, thanks for the reply!
    >
    > Do you think those rules for the VPN connection are specific enough or
    > could something else be added?
    >
    > -A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    >
    > -A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    >
    > All the guides only use these two rules:
    >
    >
    > I'm just worried that they use 192.168.1.0/24 because normally I see a
    > lot of iptables blocking this IP range for security.

    > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
    > On Sunday, December 26th, 2021 at 2:02 PM, Jörg Jellissen <joerg.jellissen@t-online.de> wrote:
    >
    >> [...]

    --
    Mit freundlichen Grüßen

    Jörg Jellissen
    Friesenstraße 3
    47445 Moers

    Mobil: (01573) / 5 34 42 18
    Fax: (02841) / 4 08 62 77

    E-Mail:joerg.jellissen@t-online.de

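Added example, not code from either poster: a small Python model of the INPUT and OUTPUT rules from the first post, which also exercises the `RELATED,ESTABLISHED` rule suggested in the last reply. It is written in Python rather than as iptables commands because the real thing needs root and a kernel to test, while first-match ordering and conntrack-state matching can be checked offline. Five constructed packets are walked through the posted ruleset and through two placements of the generic rule: inserted first (as `iptables -I INPUT 1` would place it) and appended last. Only the VPN server 189.174.135.110, port 1194 and the LAN 192.168.1.0/24 come from the thread; the client address 192.168.1.10, the router 192.168.1.1, the tunnel address 10.8.0.2, the interface name tun0, the source ports and the hosts 203.0.113.1 and 198.51.100.7 are assumptions, and the conntrack state of each packet is assigned by hand.

```python
"""Walk constructed packets through the INPUT/OUTPUT rules posted in this thread.

Added example, not code from the thread. It models the matches the posted rules
use (interface, protocol, source/destination CIDR, port ranges, conntrack state,
ICMP type) with iptables' first-match-wins semantics and a DROP policy; the
fragment, addrtype and --syn rules are left out. Addresses not in the thread are
assumptions: 192.168.1.10 is the client, 192.168.1.1 its router, 10.8.0.2 the
tunnel address, tun0 the OpenVPN interface, 203.0.113.1 a router on the path.
"""
import ipaddress
import shlex

# The poster's rules as written (with "- A" read as "-A"); order matters.
POSTED_RULES = """
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""
# The generic rule suggested in the last reply of the thread.
GENERIC_RULE = "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

OPTIONS = {"-i": "iif", "-o": "oif", "-p": "proto", "-s": "src", "-d": "dst",
           "--sport": "sport", "--dport": "dport", "--icmp-type": "icmp_type",
           "--state": "state", "--ctstate": "state"}


def parse_rule(line):
    """Turn one iptables-save style line into {chain, target, match: {key: (value, negated)}}."""
    toks, rule, neg, i = shlex.split(line), {"chain": None, "target": None, "match": {}}, False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                      # negation applies to the next option only
            neg, i = True, i + 1
            continue
        if tok == "-A":
            rule["chain"] = toks[i + 1]
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        elif tok == "-m":
            pass                            # extension loader; the --options that follow identify it
        elif tok in OPTIONS:
            rule["match"][OPTIONS[tok]] = (toks[i + 1], neg)
            neg = False
        else:
            raise ValueError(f"unsupported option {tok!r} in: {line}")
        i += 2
    return rule


def matches(rule, pkt):
    """True if every match in the rule holds for the packet (honouring '!')."""
    for key, (val, neg) in rule["match"].items():
        have = pkt.get(key)
        if key in ("src", "dst"):
            hit = have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(val, strict=False)
        elif key in ("sport", "dport"):
            lo, _, hi = val.partition(":")  # "1194" or "32768:65535"
            hit = have is not None and int(lo) <= have <= int(hi or lo)
        elif key == "state":
            hit = have in val.split(",")
        else:
            hit = have == val
        if hit == neg:                      # no hit, or a hit on a negated match
            return False
    return True


def verdict(rules, chain, pkt, policy="DROP"):
    """First matching rule in the chain wins; return (target, rule number) or (policy, None)."""
    for n, rule in enumerate([r for r in rules if r["chain"] == chain], 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policy, None


CLIENT, ROUTER, VPN, TUN = "192.168.1.10", "192.168.1.1", "189.174.135.110", "10.8.0.2"
# Constructed packets (assumed values). 'state' is what conntrack would assign once the
# matching outbound packet had been allowed; the DNS case assumes OUTPUT were opened for it.
PACKETS = {
    "vpn handshake out": ("OUTPUT", dict(oif="eth0", proto="udp", src=CLIENT, dst=VPN, sport=40000, dport=1194, state="NEW")),
    "vpn reply in": ("INPUT", dict(iif="eth0", proto="udp", src=VPN, dst=CLIENT, sport=1194, dport=40000, state="ESTABLISHED")),
    "dns reply from router": ("INPUT", dict(iif="eth0", proto="udp", src=ROUTER, dst=CLIENT, sport=53, dport=40001, state="ESTABLISHED")),
    "icmp frag-needed for vpn flow": ("INPUT", dict(iif="eth0", proto="icmp", src="203.0.113.1", dst=CLIENT, icmp_type="fragmentation-needed", state="RELATED")),
    "https through tunnel": ("OUTPUT", dict(oif="tun0", proto="tcp", src=TUN, dst="198.51.100.7", sport=50000, dport=443, state="NEW")),
}


def run(rules_text):
    rules = [parse_rule(line) for line in rules_text.splitlines() if line.strip()]
    return {name: verdict(rules, chain, pkt) for name, (chain, pkt) in PACKETS.items()}


def compare():
    """Posted ruleset vs. the generic rule inserted first (-I INPUT 1) or appended last (-A)."""
    return {"posted": run(POSTED_RULES),
            "prepended": run(GENERIC_RULE + "\n" + POSTED_RULES),
            "appended": run(POSTED_RULES + GENERIC_RULE)}


if __name__ == "__main__":
    for variant, results in compare().items():
        print(variant)
        for name, (target, n) in results.items():
            print(f"  {name:32} {target:7} {'rule ' + str(n) if n else 'policy'}")
```

Running it shows three things the rule list alone makes easy to miss: the RFC1918 drops sit before any LAN accept, so where the generic rule lands decides whether an ESTABLISHED reply from the router gets through (first position accepts it, appended it is shadowed by the 192.168.0.0/16 drop); without a RELATED accept, an ICMP error tied to the VPN flow such as fragmentation-needed, which path MTU discovery depends on, is dropped by policy; and since the posted set has no tun0 rules, the OUTPUT policy drops everything that would go through the tunnel once it is up. `iptables -L INPUT --line-numbers` gives the same per-chain numbering on the real host.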