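#!/bin/bash
#
# A Sample OpenVPN-aware firewall (IPv4 only).
#
# $WAN is connected to the internet.
# $LAN is connected to a private subnet.
#
# NOTE: only the IPv4 tables are touched. If the host has IPv6
# connectivity, an equivalent ip6tables policy is needed; nothing in
# this script filters IPv6 traffic.

# Stop at the first failing command instead of continuing with a
# half-built ruleset. The default policies are set to DROP before any
# rule is added, so an abort leaves the host closed rather than open.
set -eu

# iptables needs root; fail with a clear message instead of a
# "Permission denied" from the first rule.
if [[ $EUID -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Interface facing the internet.
readonly WAN=eth0
# Interface facing the private subnet.
readonly LAN=eth1

# Change this subnet to correspond to your private
# ethernet subnet. Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
readonly PRIVATE=10.0.0.0/24

# Loopback address
readonly LOOP=127.0.0.1

# UDP port OpenVPN listens on. In OpenVPN this is
# controlled by the --port n option (without the
# leading '--' when placed in the config file).
readonly OVPN_PORT=1194

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X
# The nat table has to be flushed as well; otherwise the MASQUERADE
# rule at the end is appended once more on every run of this script.
iptables -t nat -F
iptables -t nat -X

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i "$WAN" -s "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN" -s "$LOOP" -j DROP
iptables -A INPUT -i "$WAN" -d "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN" -d "$LOOP" -j DROP

# Anything coming from the Internet should have a real Internet address
# (drop the RFC 1918 private ranges on the internet-facing interface).
iptables -A FORWARD -i "$WAN" -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i "$WAN" -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i "$WAN" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$WAN" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$WAN" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$WAN" -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o "$WAN" -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o "$WAN" -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o "$WAN" -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o "$WAN" -j DROP

# Check source address validity on packets going out to internet.
# "! -s" is the current negation syntax; the older "-s !" form is
# deprecated in iptables and should not be relied on.
iptables -A FORWARD ! -s "$PRIVATE" -i "$LAN" -j DROP

# Allow local loopback.
# Match on the interface rather than on the 127.0.0.1 address, so a
# packet arriving on some other interface with a spoofed loopback
# source or destination is not accepted by this rule.
iptables -A INPUT -i lo -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing the port
# to match the OpenVPN UDP port.
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport "$OVPN_PORT" -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i "$LAN" -j ACCEPT
iptables -A FORWARD -i "$LAN" -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o "$WAN" -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o "$WAN" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s "$PRIVATE" -o "$WAN" -j MASQUERADE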