To issue all of this commands you might want to be logged as root, so you don't have to put sudo everytime.
To become root
Code:
su root
1- flush your iptables
Code:
iptables --flush
2- add rules to forward traffic through the VPN
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
3- connect to your VPN, don't know how to connect to your linode VPN ?? lol is ok... for example using ubuntu...
open your console on your LOCAL MACHINE the one you will use to connect to your linode VPN
Code:
apt-get update
apt-get install network-manager-openvpn openvpn
then go to
network connections > VPN > choose "Open VPN"
gateway= ip or hostname of your linode
certifcates= the ones you generated on the VPN guide
go to advanced
check "use LZO data compression"
you should be able to connect now
if everything is working right congratz !
if not, there are errors you should check /var/log/syslog4- let's start securing your linode server without screwing your VPN service...
#allow all output traffic
Code:
iptables -A OUTPUT -j ACCEPT
#loopback rules
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
#established inbound
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#http enable
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#https dissable
Code:
iptables -A INPUT -p tcp --dport 443 -j DROP
#SMTP allow
Code:
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#ssh enable
Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#ping dissable
Code:
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
#OpenVPN allow
Code:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
#masquerade subnet
Code:
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
#log
Code:
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#finally reject everything is not declared above
Code:
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
After all that work you want to save your config, don't you ? Ok, here is how
Code:
iptables-save > /etc/iptables.firewall.rules
Now you might also want to have all that rules activated every time you restart your box
Code:
sudo nano /etc/network/if-pre-up.d/firewall
put this...
Code:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
Set the script's permissions by entering the following command
Code:
sudo chmod +x /etc/network/if-pre-up.d/firewall
WARNING! The order of this commands are VERY important, for example if you put something like...
iptables -A INPUT -j REJECT
no INPUT below will work