Linode Forum
PostPosted: Fri Apr 20, 2012 9:05 pm 
Newbie

Joined: Fri Apr 20, 2012 8:56 pm
Posts: 4
I spent lots of time but was not successful, so please help!

I am using Ubuntu 10.04, and followed this tutorial to install OpenVPN, without enabling the firewall (iptables):
http://library.linode.com/networking/op ... 0.04-lucid

It is successful.

But if I want to enable the firewall following this tutorial:
http://library.linode.com/securing-your-server

and do it in this way:
File:/etc/iptables.firewall.rules

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT



then OpenVPN will be down. I know there is a remark:
By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.


Be sure to revise these rules if you add new services later.


And OpenVPN is using 1194, but I do not know how to insert it into the above firewall rules.

Moreover, before enabling such a firewall, I noticed there is something in the output of iptables -L:

ACCEPT all -- 10.8.0.0/24 anywhere

It disappeared after enabling these rules. Is that also the cause?

Please help me, I do not like the server (OpenVPN) running without a firewall!

Thank you a lot!


PostPosted: Fri Apr 20, 2012 9:21 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
You'll want this to enable OpenVPN's port:

-A INPUT -p udp --dport 1194 -j ACCEPT

That's assuming you have openvpn using udp on port 1194 (the standard setup).

If you want to allow all ports on the vpn add
-A INPUT -s 10.8.0.0/24 -j ACCEPT

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Fri Apr 20, 2012 10:29 pm 
Newbie

Joined: Fri Apr 20, 2012 8:56 pm
Posts: 4
Thanks a lot for your help.

OpenVPN connects, but I cannot visit any website.

Here is my /etc/iptables.firewall.rules (I have added
-A INPUT -p udp --dport 1194 -j ACCEPT at the bottom):

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT



Here is the output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere


Thank you very much for your advice!


PostPosted: Sat Apr 21, 2012 12:02 am 
Newbie

Joined: Fri Apr 20, 2012 8:56 pm
Posts: 4
If I delete:

-A INPUT -j REJECT
-A FORWARD -j REJECT


everything will be OK.

Please help!


PostPosted: Sat Apr 21, 2012 5:23 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Did you follow this to allow using the vpn as a tunnel?
http://library.linode.com/networking/op ... gh-the-vpn



PostPosted: Sat Apr 21, 2012 5:27 am 
Newbie

Joined: Fri Apr 20, 2012 8:56 pm
Posts: 4
obs wrote:
Did you follow this to allow using the vpn as a tunnel?
http://library.linode.com/networking/op ... gh-the-vpn


Yes.


PostPosted: Thu Aug 30, 2012 11:41 am 
Newbie

Joined: Sun Feb 19, 2012 10:30 pm
Posts: 3
I had this exact problem and fixed it the same way as the original poster.

But when I delete the following two lines, is my firewall still safely protecting me?
-A INPUT -j REJECT
-A FORWARD -j REJECT


PostPosted: Fri Aug 31, 2012 10:06 am 

Joined: Fri Aug 31, 2012 9:55 am
Posts: 1
I too would like some help here regarding the best iptables setup. On a clean install I went through the following guide:

http://library.linode.com/networking/op ... 0-maverick

which works fine. I've then gone through the following guide:

http://library.linode.com/securing-your-server

However using the iptables recommendation in this guide stops the VPN from working.

Adding '-A INPUT -p udp --dport 1194 -j ACCEPT' to the iptables.firewall.rules file doesn't make any difference as this is already included in the VPN setup rules.

As the others have said, the only way to get it working is to comment out the last two lines, but that seems like overkill. In doing that, aren't we opening ourselves up again to more trouble?

For now I'm just using this setup as a VPN to have a fixed IP address so I'm not worried about other services beyond SSH.

Thanks.


PostPosted: Fri Aug 31, 2012 10:57 am 
Senior Newbie

Joined: Sat May 07, 2011 3:00 pm
Posts: 13
Website: http://broce.net
Location: Duluth, GA
If you're using hosts.deny, you should also put your OpenVPN address in /etc/hosts.allow, i.e.

ALL : 10.10.10.0/24 : allow
or
All : 10.10.10.2 : allow ##whatever you are using.

You can test it via ping.

fb


PostPosted: Tue Sep 04, 2012 4:17 am 
Senior Newbie

Joined: Mon Sep 03, 2012 4:14 am
Posts: 5
To issue all of these commands you might want to be logged in as root, so you don't have to type sudo every time.

To become root
Code:
su root


1- flush your iptables
Code:
iptables --flush


2- add rules to forward traffic through the VPN
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


3- connect to your VPN. Don't know how to connect to your Linode VPN?? lol, it's ok... for example, using Ubuntu:
open a console on your LOCAL MACHINE, the one you will use to connect to your Linode VPN

Code:
apt-get update
apt-get install network-manager-openvpn openvpn


then go to
network connections > VPN > choose "Open VPN"
gateway= ip or hostname of your linode
certificates= the ones you generated in the VPN guide
go to advanced
check "use LZO data compression"

you should be able to connect now

if everything is working right congratz ! :D if not, there are errors you should check /var/log/syslog

4- let's start securing your linode server without screwing your VPN service...

#allow all output traffic
Code:
iptables -A OUTPUT -j ACCEPT


#loopback rules
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT


#established inbound
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#http enable
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT


#https disable
Code:
iptables -A INPUT -p tcp --dport 443 -j DROP


#SMTP allow
Code:
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT


#ssh enable
Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT


#ping disable
Code:
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP


#OpenVPN allow
Code:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT


#masquerade subnet
Code:
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE


#log
Code:
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


#finally reject everything that is not declared above
Code:
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT


After all that work you want to save your config, don't you? OK, here is how
Code:
iptables-save > /etc/iptables.firewall.rules


Now you might also want to have all those rules activated every time you restart your box
Code:
sudo nano /etc/network/if-pre-up.d/firewall


put this...

Code:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules


Set the script's permissions by entering the following command:
Code:
sudo chmod +x /etc/network/if-pre-up.d/firewall


WARNING! The order of these commands is VERY important. For example, if you put something like...
iptables -A INPUT -j REJECT
no INPUT rule below it will work.


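The problem that runs through this thread is rule order, not a missing port: the second poster's iptables -L output shows the FORWARD chain starting with a catch-all REJECT, so the OpenVPN guide's RELATED,ESTABLISHED and 10.8.0.0/24 accepts appended after it never see a packet, which is exactly the situation the warning above describes. As an added example (not code from the thread, from Linode's guides, or from OpenVPN), the Python script below parses an iptables-save style ruleset, lists every rule that can never fire because an unconditional ACCEPT/REJECT/DROP precedes it in the same table and chain, and then names the pieces a routed OpenVPN server still lacks once those dead rules are ignored. The two rulesets embedded in it are constructed from the thread's own values (UDP 1194, clients on 10.8.0.0/24, NAT out of eth0); the function names and the heuristics they apply are my own.

```python
"""Static order check for an iptables-save style ruleset (added example).
Finds rules shadowed by an earlier catch-all terminal rule in the same chain
and the OpenVPN pieces a routed setup is missing or has shadowed."""
import re

# Targets that end evaluation of a chain for a matching packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed ruleset (not copied from the thread). The filter table mirrors
# the order seen in the thread's "iptables -L" output: the OpenVPN guide's
# FORWARD rules landed after "-A FORWARD -j REJECT".
BROKEN = """\
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
"""

# Same rules with the FORWARD accepts moved ahead of the catch-all REJECT.
FIXED = BROKEN.replace(
    "-A FORWARD -j REJECT\n"
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A FORWARD -s 10.8.0.0/24 -j ACCEPT\n",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A FORWARD -s 10.8.0.0/24 -j ACCEPT\n"
    "-A FORWARD -j REJECT\n",
)


def parse_rules(text):
    """Return (table, chain, match_args, target) for every -A line.
    Policy lines (:CHAIN ...), comments and COMMIT are skipped."""
    table, rules = "filter", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        m = re.match(r"-A\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        chain, rest = m.groups()
        jump = re.search(r"-j\s+(\S+)", rest)
        target = jump.group(1) if jump else None
        # Everything before -j is the match; target options such as
        # --log-prefix follow -j and are not part of the match.
        match_args = re.sub(r"\s*-j\s+\S+.*$", "", rest).strip()
        rules.append((table, chain, match_args, target))
    return rules


def shadowed_rules(rules):
    """Indices of rules that can never fire: an earlier rule in the same
    table/chain has no match arguments and a terminal target."""
    blocked, dead = set(), []
    for i, (table, chain, match_args, target) in enumerate(rules):
        key = (table, chain)
        if key in blocked:
            dead.append(i)
        elif target in TERMINAL and match_args == "":
            blocked.add(key)
    return dead


def openvpn_gaps(rules, subnet="10.8.0.0/24", port="1194"):
    """Describe what a routed OpenVPN server (UDP `port`, clients on `subnet`,
    NAT out of eth0, as in the Linode guide) lacks once dead rules are ignored."""
    dead = set(shadowed_rules(rules))
    live = [r for i, r in enumerate(rules) if i not in dead]

    def has(table, chain, target, *needles):
        return any(t == table and c == chain and g == target
                   and all(n in a for n in needles) for t, c, a, g in live)

    gaps = []
    if not has("filter", "INPUT", "ACCEPT", "-p udp", "--dport " + port):
        gaps.append("INPUT does not accept UDP %s: clients cannot connect" % port)
    if not (has("filter", "FORWARD", "ACCEPT", "-s " + subnet)
            or has("filter", "FORWARD", "ACCEPT", "-i tun+")):
        gaps.append("FORWARD does not accept traffic from %s: VPN connects, browsing fails" % subnet)
    if not has("filter", "FORWARD", "ACCEPT", "ESTABLISHED"):
        gaps.append("FORWARD does not accept RELATED,ESTABLISHED: replies to clients are rejected")
    if not has("nat", "POSTROUTING", "MASQUERADE", "-s " + subnet):
        gaps.append("nat POSTROUTING does not masquerade %s" % subnet)
    return gaps


def report(text):
    """Print findings for one ruleset; returns (dead_rule_count, gaps)."""
    rules = parse_rules(text)
    dead = shadowed_rules(rules)
    for i in dead:
        t, c, a, g = rules[i]
        print("unreachable: [%s] -A %s %s -j %s" % (t, c, a, g))
    gaps = openvpn_gaps(rules)
    for gap in gaps:
        print("gap: " + gap)
    return len(dead), gaps


if __name__ == "__main__":
    print("--- broken ordering ---")
    report(BROKEN)          # two unreachable FORWARD rules, two gaps
    print("--- fixed ordering ---")
    report(FIXED)           # nothing unreachable, no gaps
```

To check a live box, feed it the output of iptables-save instead of the embedded strings. The check is purely syntactic: it catches the ordering mistake that produced "VPN connects but no websites" and the unreachable `-A FORWARD -j DROP` after `-A FORWARD -j REJECT` in the last ruleset of this thread, but it says nothing about the merit of an individual rule, for example an ACCEPT keyed on a remote source port such as `--sport 25` with `--state NEW`, which any client can satisfy by choosing its own source port and which is better expressed as a `--dport` rule plus the existing RELATED,ESTABLISHED accept.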
PostPosted: Sat May 04, 2013 7:21 pm 
Senior Newbie

Joined: Sat May 04, 2013 7:10 pm
Posts: 10
I am a noob to all of this, so take that into consideration.

The above settings got me close, but it was still bombing. One of the commands wouldn't work for me (Debian 6).

I was able to piece together, between the above settings and the suggested settings, a script that works for me and that I think is secure.

Thank you very much Snap for setting me in the correct direction and for the clear explanation of step-by-step commands. You are awesome.

My script, for people who may want to try and use it (again, I don't have a full understanding of this, I just fumbled around, so I can't vouch for security):



Code:
# Generated by iptables-save v1.4.8 on Sat May  4 17:57:33 2013
*security
:INPUT ACCEPT [714:53180]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [517:337377]
COMMIT
# Completed on Sat May  4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May  4 17:57:33 2013
*raw
:PREROUTING ACCEPT [785:58572]
:OUTPUT ACCEPT [517:337377]
COMMIT
# Completed on Sat May  4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May  4 17:57:33 2013
*nat
:PREROUTING ACCEPT [73:3212]
:INPUT ACCEPT [10:556]
:OUTPUT ACCEPT [10:737]
:POSTROUTING ACCEPT [10:737]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat May  4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May  4 17:57:33 2013
*mangle
:PREROUTING ACCEPT [785:58572]
:INPUT ACCEPT [777:55836]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [517:337377]
:POSTROUTING ACCEPT [517:337377]
COMMIT
# Completed on Sat May  4 17:57:33 2013
# Generated by iptables-save v1.4.8 on Sat May  4 17:57:33 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

-A INPUT -j DROP
-A FORWARD -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sat May  4 17:57:33 2013



1. If you choose to use this, just create a document in nano, then copy/paste this. Save it somewhere on your server.
2. Save a copy of your CURRENT firewall rules in case this does something bad. To do that:
Code:
sudo iptables-save > /location/you/want/to/save

3. Clear your current firewall settings.
Code:
$ sudo iptables -X
$ sudo iptables -t nat -F
$ sudo iptables -t nat -X
$ sudo iptables -t mangle -F
$ sudo iptables -t mangle -X
$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT
$ sudo iptables -P OUTPUT ACCEPT


4. Import the copy of my firewall rules you created in step 1.
Code:
sudo iptables-restore < /location/of/saved/rules


5. Test to see if it's working.

6. If it works as desired, make sure you add it to your startup. These are the last two steps in the above post.

Cheers. Thanks everyone for your help.

