IPTables is currently too open (maybe not safe) shouldn't it be set to DROP by default? #710

Open
4 tasks done
houmie opened this issue Aug 5, 2020 · 11 comments

Comments

@houmie

houmie commented Aug 5, 2020

Checklist

  • I read the README
  • I read the FAQ
  • I searched the issues
  • My issue is about the script, and not OpenVPN itself

Describe the issue
The current firewall settings seem to be too open. It is pretty much accepting anything. I don't think that's safe.
Shouldn't the INPUT and FORWARD policies rather be set to DROP by default and only allow specific ports and traffic to come through?

Current Firewall Setting:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1789
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables-save

*nat
:PREROUTING ACCEPT [232:25774]
:INPUT ACCEPT [131:7833]
:OUTPUT ACCEPT [60:4203]
:POSTROUTING ACCEPT [60:4203]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [2961:44107176]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2434:727585]
-A INPUT -i eth0 -p udp -m udp --dport 1789 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
@ufukty

ufukty commented Sep 22, 2020

This issue needs more attention. I tried a different config and it seems to be working for now. I have doubts about its strictness.

*filter

:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback
-A INPUT -i lo -j ACCEPT

# SSH
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# VPN-INPUT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth0 -p <openvpn_protocol> --dport <openvpn_port> -j ACCEPT

# VPN ACCESS TO INTERNET
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -o tun0 -i eth0 -j ACCEPT

COMMIT

*nat

:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# VPN ACCESS TO INTERNET
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

COMMIT

A more strict version is here: https://gist.github.com/Tristor/ed0f6867d2b0fa4c1f80300af6e0e12e

@angristan
Owner

Thanks, feel free to open a PR

@omexlu

omexlu commented May 7, 2021

Can anybody supply me the iptables and ip6tables commands from the linked article to make it more strict? I am not familiar with iptables, I have only used ufw, and it's not working very well with this script.

Thanks.

@ufukty

ufukty commented May 7, 2021

@omexlu

  1. Create a file at /etc/iptables/rules.v4 and write your iptables rules in it. The rules above can serve as an example.
  2. Create another file at /etc/systemd/system/iptables-openvpn.service and write this in it:
    [Unit]
    Description=iptables rules for OpenVPN
    Before=network-online.target
    Wants=network-online.target
    
    [Service]
    Type=oneshot
    # same binary for both: the reload path must match the start path
    ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
    ExecReload=/usr/sbin/iptables-restore /etc/iptables/rules.v4
    RemainAfterExit=yes
    
    [Install]
    WantedBy=multi-user.target
    
  3. Run these commands, using sudo if systemctl requires it:
    systemctl daemon-reload
    systemctl enable iptables-openvpn
    systemctl start iptables-openvpn
    

Some of those are already in the script.

As a note, I have to say you should not rely on firewall rules you found on the internet without checking whether they suit your use case. If you don't know how to set firewall rules, you should learn that first.

@omexlu

omexlu commented May 7, 2021

@ufukty

Thanks for your answer. This file must be overwritten, right: /etc/systemd/system/iptables-openvpn.service?
What about ip6tables? And how do I disable the settings made by the script?

Thanks in advance for your help :)

@ufukty

ufukty commented May 7, 2021

@omexlu

You can compare the content of the service file created by the script before overwriting it.

You can see the repository script uses two shell scripts, one to load the rules at system start and another to remove the rules when systemctl asks for it. My approach is to use iptables-restore, which is a CLI tool generally used for restoring iptables rules after each restart, and to use a systemd service to run iptables-restore for this purpose.

If you want IPv6 rules too, maybe the original approach (with shell scripts) could be better, since ip6tables-restore will need additional treatment.

If you want to stick with the original approach, don't create the file I suggested; instead, modify the content of /etc/iptables/add-openvpn-rules.sh and /etc/iptables/rm-openvpn-rules.sh created by the script. If you want to convert the iptables rules we shared above to shell commands, simply put iptables before each rule. After conversion, each line should look like iptables <command>. You can take the original rules as an example.

@omexlu

omexlu commented May 7, 2021

Maybe something like this:

#!/bin/sh

# $NIC, $PROTOCOL and $PORT are substituted by the install script when it
# writes this file; set them here when running it by hand (the values below
# are taken from the first comment in this thread)
NIC="${NIC:-eth0}"
PROTOCOL="${PROTOCOL:-udp}"
PORT="${PORT:-1789}"

# Keep state
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback
iptables -A INPUT -i lo -j ACCEPT

# SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# same here as install script
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT

# Default policy, set last: if DROP were set before the ESTABLISHED rule
# exists, an SSH session used to run this script would lose packets in between
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Keep state
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback
ip6tables -A INPUT -i lo -j ACCEPT

# SSH
ip6tables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# same here as install script
ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT

# Default policy, set last for the same reason as above
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

And the same inverted for the remove script.
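The following is an added example (my own code, not part of angristan/openvpn-install and not posted by anyone in this thread) that ties together the two approaches discussed above: the rules.v4 file loaded by iptables-restore from a systemd unit, and the IPv4 plus IPv6 add/remove scripts. It generates a default-DROP ruleset for both address families in iptables-restore format, the "open" ruleset that undoes it (the remove step), and a small audit that reports which filter chains still default to ACCEPT. The interface, port, protocol and VPN subnets (eth0, udp/1789, 10.8.0.0/24, fd42:42:42:42::/112) are assumptions taken from earlier comments; the sample iptables-save text inside the script is constructed from the opening comment. One thing it does differently from the script's rules: FORWARD only allows tun0 -> NIC and conntrack replies back, rather than accepting everything NIC sends towards tun0.

```shell
#!/bin/sh
# Added example; not code from angristan/openvpn-install. Generates a default-DROP
# ruleset for IPv4 and IPv6 in iptables-restore format, the "open" ruleset that
# undoes it, and an audit of which filter chains still default to ACCEPT.
# The defaults below are assumptions taken from this thread; adjust to your host.
NIC="${NIC:-eth0}"
PROTOCOL="${PROTOCOL:-udp}"
PORT="${PORT:-1789}"
SSH_PORT="${SSH_PORT:-22}"
VPN_NET4="${VPN_NET4:-10.8.0.0/24}"
VPN_NET6="${VPN_NET6:-fd42:42:42:42::/112}"

# gen_rules FAMILY NET: filter + nat tables for one address family. INPUT and
# FORWARD default to DROP. FORWARD allows tun0 -> NIC plus conntrack replies
# only, instead of the script's blanket "-i NIC -o tun0 -j ACCEPT".
gen_rules() {
    family="$1" net="$2" icmp_rule=""
    # ICMPv6 carries neighbour discovery; an IPv6 host that drops it goes dark.
    if [ "$family" = 6 ]; then icmp_rule="-A INPUT -p ipv6-icmp -j ACCEPT"; fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
$icmp_rule
-A INPUT -i $NIC -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -o $NIC -s $net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $NIC -j MASQUERADE
COMMIT
EOF
}
gen_rules_v4() { gen_rules 4 "$VPN_NET4"; }
gen_rules_v6() { gen_rules 6 "$VPN_NET6"; }

# The inverse: iptables-restore flushes each listed table before loading
# (unless --noflush), so restoring this empties both tables and returns every
# chain to policy ACCEPT, i.e. the state the install script leaves behind.
gen_open() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# audit_policies: reads iptables-save output on stdin and prints each filter
# chain whose policy is ACCEPT. Empty output means all three default to DROP.
audit_policies() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "filter" && /^:/ && $2 == "ACCEPT" { sub(/^:/, "", $1); print $1 }'
}

# Constructed sample: the filter table from the opening comment of this issue.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [2961:44107176]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2434:727585]
-A INPUT -i eth0 -p udp -m udp --dport 1789 -j ACCEPT
COMMIT'

# load TOOL FILE: parse-only check first (--test) so a typo cannot leave the
# host half-configured, then commit the ruleset.
load() {
    "$1" --test "$2" || { echo "$2 does not parse, not loading" >&2; return 1; }
    "$1" "$2"
}

case "${1:-print}" in
    print)   gen_rules_v4; gen_rules_v6 ;;
    install) mkdir -p /etc/iptables
             gen_rules_v4 > /etc/iptables/rules.v4
             gen_rules_v6 > /etc/iptables/rules.v6
             load iptables-restore /etc/iptables/rules.v4
             load ip6tables-restore /etc/iptables/rules.v6 ;;
    open)    gen_open | iptables-restore; gen_open | ip6tables-restore ;;
    audit)   iptables-save | audit_policies; ip6tables-save | audit_policies ;;
esac
```

Run it with no argument to review the generated rules, `install` (as root) to write /etc/iptables/rules.v4 and rules.v6 and load them, `open` to go back to the script's all-ACCEPT state, and `audit` to confirm nothing is still at policy ACCEPT. The files it writes are exactly what the systemd unit above expects, so ExecStart can stay as iptables-restore /etc/iptables/rules.v4 with a second unit or ExecStart line for ip6tables-restore /etc/iptables/rules.v6. Do the first `install` from a console or with a scheduled `open` as a fallback, since a wrong SSH_PORT or NIC locks you out.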

@ufukty

ufukty commented May 7, 2021

@omexlu

I don't have any expertise with IPv6 rules for OpenVPN.

Are you sure you are using the eth0 interface of the server for the SSH connection? If you are not sure, run ip route or ifconfig to find out.

@omexlu

omexlu commented May 7, 2021

I don't know at this point because the cloud server is not actually bought yet, but I am making preparations 😉

And the above is only an example, but normally it is eth0.

But that's not a problem, it can be adjusted; the problem is more the whole conception of the rules 🙈

@ufukty

ufukty commented May 7, 2021

@omexlu Then it could be better to delete the -i eth0 part until you are sure.

@omexlu

omexlu commented May 7, 2021

This is only an example; nothing is set up until now 😊

I only want to know how to make the OpenVPN server not so wide open as this install script leaves it 🙈

But I need IPv4 and IPv6 support.

I can not really find anything on the net related to OpenVPN with a more strict configuration.

Maybe @angristan can help here or adjust his script, because the default is very much a security risk.
