Linode Community Forums

Firewall for OpenVPN

Linode Forum Index -> Linux Networking

mikeage



Joined: 11 Sep 2008
Posts: 70
Location: Israel

Posted: Sun May 24, 2009 7:33 am    Post subject: Firewall for OpenVPN  

Hi,

I'm trying to set up my firewall for my openvpn network. Right now, I have the following rules:

Code:
iptables -P FORWARD DROP
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW -j ACCEPT

However, although I can establish an HTTP connection, no data is being returned.

If I allow all packets through using
Code:
iptables -A FORWARD -j ACCEPT

Then everything works.

If I log the packets not accepted for forwarding, I see they look like
Code:
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45770 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=271 TOS=0x00 PREC=0x00 TTL=63 ID=45771 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45772 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45773 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=271 TOS=0x00 PREC=0x00 TTL=63 ID=45774 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=45775 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0
IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45776 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK FIN URGP=0


Should I just be allowing all traffic from tun0 to eth0? Is there any risk there? I found the original suggestion to only allow NEW traffic on several websites, but it doesn't seem to be correct...
fuzzman442



Joined: 07 Mar 2009
Posts: 21

Posted: Mon May 25, 2009 8:19 am    Post subject:  

My opinion is that it is ok to set the FORWARD chain policy as ACCEPT. If you properly restrict the exterior packets, i.e. the INPUT chain, I don't see any risk.

I just allow all traffic from tun0 to the vpn server IP. This is ok for me because a) I consider myself a trusted client b) I require a password to connect to the VPN.

So the rule you would need is:

iptables -A INPUT -d 192.168.XX.X/32 -i tun+ -j ACCEPT

Where 192.168.XX.X is the IP of the OpenVPN server.

This rule allows all traffic from any tun interface if the destination is the VPN server. I do tun+ and not tun0 because if OpenVPN gets hosed and locks up tun0, it would open tun1 (I think). So the iptables rule has it covered.
mikeage



Joined: 11 Sep 2008
Posts: 70
Location: Israel

Posted: Mon May 25, 2009 8:26 am    Post subject:  

I'm accepting all traffic from tun+. Does that mean that there's no reason to deny forwarding?

I assume that on the return path (-i eth0 -o tun+), I should still only forward ESTABLISHED and RELATED (or is that also pointless since I have an input rule on -i eth0 that only accepts RELATED and ESTABLISHED?).
fuzzman442



Joined: 07 Mar 2009
Posts: 21

Posted: Mon May 25, 2009 8:39 am    Post subject:  

Quote: I assume that on the return path (-i eth0 -o tun+), I should still only forward ESTABLISHED and RELATED (or is that also pointless since I have an input rule on -i eth0 that only accepts RELATED and ESTABLISHED?).

I don't think you need the FORWARD rule for the return path. If you are only accepting ESTABLISHED and RELATED on eth0, that's the only thing that's going to get to tun+, via NAT.

I believe it is only "Forwarding" when it is going from tun+ -> eth0. On the return trip, it would be via NAT, which would hit on INPUT and not FORWARD. That's my theory... :/

On the first question, I still think there is no reason to deny forwarding.

Someone else, please chime in on this FORWARD question.
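The thread never settles why the NEW-only rule fails, so here is an added example (editor's code, not from either poster) that works through it against the first post's own log lines. Every logged packet carries ACK and none carries SYN: they are the later packets of the HTTP connection whose opening SYN the NEW rule already let through, so conntrack classes them as ESTABLISHED, and the only tun+ -> eth0 rule in the posted chain matches NEW. The script models the posted FORWARD chain and a corrected one, classifies two real log lines plus two constructed ones (the SYN that opened the flow, and a reply arriving on eth0), and emits the corrected rules as a dry run. It also answers the return-path question raised in the later posts: a reply addressed to the VPN client is forwarded (-i eth0 -o tun+), not delivered locally, so FORWARD decides it, not INPUT; NAT only rewrites addresses. Assumptions: eth0 is the uplink, 192.168.2.5 is the VPN client (as in the log), the two constructed lines are made up to match the post's log format, and the INVALID state is not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): why the posted FORWARD rules drop the
# logged packets, and a corrected rule set.  The verdict function is a small
# model of the two rule sets; the kernel's real state machine is conntrack.

# Two lines copied from the post's log, plus two CONSTRUCTED lines for the
# SYN that opened the flow and for a reply coming back in on eth0.
LOGGED_ACK='IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45770 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK URGP=0'
LOGGED_FIN='IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45776 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=92 RES=0x00 ACK FIN URGP=0'
CONSTRUCTED_SYN='IN=tun0 OUT=eth0 SRC=192.168.2.5 DST=209.85.171.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45769 DF PROTO=TCP SPT=37063 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
CONSTRUCTED_REPLY='IN=eth0 OUT=tun0 SRC=209.85.171.100 DST=192.168.2.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=80 DPT=37063 WINDOW=100 RES=0x00 ACK PSH URGP=0'

# field NAME LINE: value of the NAME=value token in a netfilter log line.
field() {
    for tok in $2; do
        case "$tok" in "$1="*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    printf '\n'
}

# packet_state LINE: the conntrack state a packet of a tracked flow gets.
# Only a bare SYN opens a flow (NEW); everything else, including every ACK in
# the post's log, belongs to the flow the SYN opened (ESTABLISHED).
packet_state() {
    case " $1 " in
        *" SYN "*) case " $1 " in *" ACK "*) echo ESTABLISHED ;; *) echo NEW ;; esac ;;
        *) echo ESTABLISHED ;;
    esac
}

# forward_verdict original|fixed LINE: what each FORWARD chain does with LINE.
# original = the post's chain: policy DROP, ESTABLISHED,RELATED out to tun+,
# NEW only from tun+ to eth0.  fixed = the same plus ESTABLISHED,RELATED from
# tun+ to eth0, the rule the logged packets were missing.
forward_verdict() {
    in=$(field IN "$2"); out=$(field OUT "$2"); st=$(packet_state "$2")
    if [ "${out#tun}" != "$out" ] && [ "$st" = ESTABLISHED ]; then
        echo ACCEPT        # -o tun+ -m state --state ESTABLISHED,RELATED
    elif [ "${in#tun}" != "$in" ] && [ "$out" = eth0 ] && [ "$st" = NEW ]; then
        echo ACCEPT        # -i tun+ -o eth0 -m state --state NEW
    elif [ "$1" = fixed ] && [ "${in#tun}" != "$in" ] && [ "$out" = eth0 ]; then
        echo ACCEPT        # -i tun+ -o eth0 -m state --state ESTABLISHED,RELATED
    else
        echo DROP          # -P FORWARD DROP
    fi
}

# Corrected rule set.  Dry run by default (prints the commands); set
# IPT=iptables and run as root to apply.  eth0 as uplink is an assumption.
IPT=${IPT:-"echo iptables"}
fixed_rules() {
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i tun+ -j ACCEPT
    # Client -> Internet: the opening SYN and every later packet of the flow.
    $IPT -A FORWARD -i tun+ -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Internet -> client: replies only.  They are forwarded (-i eth0 -o tun+),
    # not delivered locally, so INPUT never sees them; NAT only rewrites addresses.
    $IPT -A FORWARD -i eth0 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
}

for line in "$CONSTRUCTED_SYN" "$LOGGED_ACK" "$LOGGED_FIN" "$CONSTRUCTED_REPLY"; do
    printf '%-11s original=%-6s fixed=%s  %s\n' "$(packet_state "$line")" \
        "$(forward_verdict original "$line")" "$(forward_verdict fixed "$line")" \
        "$(field IN "$line")->$(field OUT "$line")"
done
fixed_rules
```

Applying `fixed_rules` with `IPT=iptables` gives the first post's rules plus the one ESTABLISHED,RELATED rule for tun+ -> eth0 that was missing; on current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`. A blanket `-A FORWARD -j ACCEPT` also "works", but only because it passes the ESTABLISHED packets along with everything else, including INVALID packets and flows in any direction between any pair of interfaces; the stateful rules keep the DROP policy the first post set out to have.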