Privacy Idea — Step 3b

This post is part of my ongoing privacy series.  Main post is here.

In the first step, we installed, configured, and test-ran openVPN.  In this step, we are going to configure iptables (the Linux packet-filtering tool that lets the server act as a firewall) so that only the ports we intend to expose are open, and then run openVPN as a service (a daemon).

Text in the Courier New font is what you should type in.
Text in the Comic Sans MS font is output.
Text in italics is a note.

  1. “iptables -P INPUT ACCEPT” — this sets the default policy of the INPUT chain to accept all connections.  Since we are connected over ssh, we don’t want to lock ourselves out of the server while we work.
  2. “iptables -F” — flush all existing rules to start fresh.
  3. “iptables -A INPUT -i lo -j ACCEPT” — accept everything directed to the loopback (localhost) interface.
  4. “iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT” — anything that belongs to an already established connection is allowed.
  5. “iptables -A INPUT -p tcp --dport 22 -j ACCEPT” — explicitly allow ssh to come in.
  6. “iptables -P INPUT DROP” — if a packet hasn’t been allowed by a rule, drop it.  No response, nothing.
  7. “iptables -P OUTPUT ACCEPT” — anything going out is ok.
  8. “iptables -A INPUT -p udp --dport 1194 -j ACCEPT” — allow udp port 1194 in.  This is the port and protocol used by openVPN.  If you changed the port or protocol that openVPN runs on, make this agree with that.
  9. “iptables -A FORWARD -s 192.168.27.0/255.255.255.0 -j ACCEPT” — accept anything from the 192.168.27.x subnet for forwarding.  This needs to agree with the ip address you used in the server section of the config file.
  10. “iptables -A FORWARD -d 192.168.27.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT” — anything belonging to an established connection and headed to our vpn subnet is accepted for forwarding.
  11. “iptables -A FORWARD -s 192.168.27.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT” — anything coming from our vpn subnet that belongs to an established connection is accepted and forwarded.
  12. “iptables -t nat -A POSTROUTING -s 192.168.27.0/24 -j SNAT --to-source AAA.BBB.CCC.DDD” — make sure AAA.BBB.CCC.DDD agrees with the IP address of your server.  I beat my head against the wall for an hour or so trying to sort out why I could talk to my server but nothing else.  The instructions I found talking about using MASQUERADE only threw errors.
  13. “/sbin/service iptables save” — save our iptables configuration so it survives a reboot.
  14. “nano /etc/sysctl.conf” — we need to edit the line “net.ipv4.ip_forward = 1” (it is 0 by default; set it to 1).  This tells the kernel to forward packets between interfaces.
  15. “sysctl -p” — this reloads the settings in /etc/sysctl.conf so the change takes effect.
  16. “iptables -L -v” — this will show you something like

    Chain INPUT (policy DROP 2552 packets, 163K bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    93343 24M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    3218 198K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
    20 840 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    36358 13M ACCEPT all -- any any 192.168.27.0/24 anywhere
    41184 41M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT 104K packets, 56M bytes)
    pkts bytes target prot opt in out source destination

  17. “/etc/init.d/openvpn start” — this starts the openVPN daemon.  It scans /etc/openvpn/ for .conf files and starts one instance for each of them.
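Because these rules are easy to get wrong in the shell (an en dash instead of a double hyphen, a typo in the server address, a forgotten save), it helps to keep them in a small script you can read before running and audit afterwards.  The following is an added example and not code from the original post: it generates the commands from steps 1 through 13 from a few variables, refuses an obviously malformed server address, and checks an iptables-save style dump (the format that “service iptables save” writes) for the rules this step needs.  The subnet, port and the server address 203.0.113.10 are placeholder values (the address is from the documentation range, not a real host), the function names are my own, and SAMPLE_DUMP is a constructed listing with made-up counters.

```shell
#!/bin/sh
# Added example, not from the original post: the rule set from steps 1-13 as a
# reviewable script plus an audit of an iptables-save style dump for the rules
# this step needs. Placeholder values: VPN subnet 192.168.27.0/24, UDP/1194 and
# server address 203.0.113.10 (documentation range, not a real host).
set -eu

VPN_SUBNET=192.168.27.0/24
VPN_PORT=1194
VPN_PROTO=udp
SERVER_IP=203.0.113.10   # replace with your server's public address

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1          # split the address into its four octets
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands of this step, in the order the post gives them.
# Arguments: subnet port proto server_ip
build_rules() {
    subnet=$1 port=$2 proto=$3 server_ip=$4
    valid_ipv4 "$server_ip" || { echo "build_rules: bad server IP '$server_ip'" >&2; return 1; }
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p $proto --dport $port -j ACCEPT
iptables -A FORWARD -s $subnet -j ACCEPT
iptables -A FORWARD -d $subnet -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $subnet -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -j SNAT --to-source $server_ip
EOF
}

# Apply the rules on the server (run as root) and persist them as in step 13.
# Forwarding itself is enabled separately via net.ipv4.ip_forward = 1 (step 14).
apply_rules() {
    build_rules "$@" | sh -e && /sbin/service iptables save
}

# Return 0 if IPv4 forwarding is on. $1 overrides the sysctl file (for tests).
forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Audit an iptables-save dump read from stdin: print each required rule that is
# absent and return 1 if anything is missing. Arguments as for build_rules.
check_rules() {
    subnet=$1 port=$2 proto=$3 server_ip=$4
    dump=$(cat)
    missing=0
    for entry in \
        "INPUT policy DROP|^:INPUT DROP" \
        "loopback accept|^-A INPUT -i lo -j ACCEPT" \
        "established accept|^-A INPUT -m state --state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT" \
        "ssh accept|^-A INPUT -p tcp .*--dport 22 -j ACCEPT" \
        "vpn port accept|^-A INPUT -p $proto .*--dport $port -j ACCEPT" \
        "forward from vpn subnet|^-A FORWARD -s $subnet -j ACCEPT" \
        "SNAT for vpn subnet|^-A POSTROUTING -s $subnet -j SNAT --to-source $server_ip"
    do
        name=${entry%%|*}
        pattern=${entry#*|}
        if ! printf '%s\n' "$dump" | grep -Eq "$pattern"; then
            echo "missing: $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ] || return 1
    return 0
}

# Constructed sample shaped like "service iptables save" output for the rule
# set above (counters are made up).
SAMPLE_DUMP='*filter
:INPUT DROP [2552:163000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 192.168.27.0/24 -j ACCEPT
-A FORWARD -d 192.168.27.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.27.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.27.0/24 -j SNAT --to-source 203.0.113.10
COMMIT'

# Usage: "print" shows the commands, "apply" installs them (as root),
# "check" audits the live rule set.
case "${1:-}" in
    print) build_rules "$VPN_SUBNET" "$VPN_PORT" "$VPN_PROTO" "$SERVER_IP" ;;
    apply) apply_rules "$VPN_SUBNET" "$VPN_PORT" "$VPN_PROTO" "$SERVER_IP" ;;
    check) iptables-save | check_rules "$VPN_SUBNET" "$VPN_PORT" "$VPN_PROTO" "$SERVER_IP" ;;
esac
```

Run it with “print” first and compare the output line by line against the list above before running “apply” over ssh; the first two commands open the INPUT chain and flush it, so the ssh session stays up while the rest is installed.  The “check” mode is the useful part after a reboot or a change: it reads the live rules and names anything that is missing, instead of leaving you to eyeball the “iptables -L -v” listing.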

References:

http://wiki.centos.org/HowTos/Network/IPTables — this is a really good page on iptables
http://kyl191.net/2012/09/getting-openvpn-to-work-on-an-openvz-vps/ — I beat my head against the wall trying to get NATting to work.  This page helped me sort it out.
