Also, it can be handy to -j LOG before -j DROP to see what's being dropped.



On 28/04/2014 9:24 PM, /dev/rob0 wrote:
> On Mon, Apr 28, 2014 at 12:36:07PM +0300, Dmitry Korzhevin wrote:
>> Guys, please advise, I use the following Debian iptables rules to allow
>> my udp services:
>>
>> (openvpn server works on port 6000)
>>
>> iptables -I OUTPUT 2 -p udp --dport 53 -j ACCEPT
> rob0 Rule of Thumb: If you have to ask for help to make it work,
> you do not need OUTPUT filtering ...
>
>> iptables -I OUTPUT 2 -p udp --dport 1700:1750 -j ACCEPT
>> iptables -I OUTPUT 3 -p udp -m udp --dport 1812 -j ACCEPT
>> iptables -I OUTPUT 5 -p udp -m udp --dport 1813 -j ACCEPT
>> iptables -I OUTPUT 5 -p udp -m udp --dport 5950:6050 -j ACCEPT
>> iptables -I OUTPUT 5 -p udp -m udp --dport 499:510 -j ACCEPT
>> iptables -I OUTPUT 5 -p udp -m udp --dport 4490:4550 -j ACCEPT
>> iptables -I OUTPUT 20 -p udp -j DROP
> ... Just say "No" to DROP.
>
> What threat model does this filtering address? If you can't answer
> that, you have not adequately thought this through.
>
> Furthermore, this is not really the best place to ask iptables
> questions. There's nothing specific to openvpn in your question.
>
>> But after applying them, ipsec, l2tp and openvpn udp on port 6000 stop
>> working, i.e. I can't connect
>>
>> Here are my services:
>>
>> udp 0 0 0.0.0.0:500 0.0.0.0:* 3115/charon
>> udp 0 0 0.0.0.0:1701 0.0.0.0:* 2885/xl2tpd
>> udp 0 0 162.245.256.150:6000 0.0.0.0:* 2818/openvpn
>> udp 0 0 0.0.0.0:4500 0.0.0.0:* 3115/charon
>> udp6 0 0 :::500 :::* 3115/charon
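
The LOG-before-DROP suggestion at the top of this message, sketched as an added example that is not part of the original thread. The log prefix, the function names and the sample log lines are assumptions constructed for illustration; the addresses are documentation ranges, not the poster's host.

```shell
#!/bin/sh
# Added example. LOG_PREFIX and the sample log lines are constructed.
LOG_PREFIX="OUT-UDP-DROP: "

# Insert a rate-limited LOG rule at the position the DROP rule holds now,
# which pushes the DROP down by one. Find the position with:
#   iptables -L OUTPUT -n --line-numbers
# Needs root; not called below. The limit keeps a busy host from flooding
# the log, so the counts in the summary are a lower bound.
add_log_before_drop() {
    iptables -I OUTPUT "$1" -p udp \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "$LOG_PREFIX"
}

# Read kernel log lines on stdin (e.g. from dmesg or journalctl -k) and
# print "count SPT DPT DST" per distinct logged flow, most frequent first.
summarise_drops() {
    grep -F "$LOG_PREFIX" |
    awk '{
        spt = "-"; dpt = "-"; dst = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        n[spt " " dpt " " dst]++
    }
    END { for (k in n) print n[k], k }' |
    LC_ALL=C sort -k1,1nr -k2,2n
}

# Constructed sample: outbound UDP whose destination port is outside the
# accepted --dport ranges, plus one unrelated kernel line.
sample_log() {
    cat <<'EOF'
Apr 28 21:30:01 vpn kernel: OUT-UDP-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=6000 DPT=51234 LEN=50
Apr 28 21:30:03 vpn kernel: OUT-UDP-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=6000 DPT=51234 LEN=50
Apr 28 21:30:04 vpn kernel: OUT-UDP-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=4500 DPT=32001 LEN=88
Apr 28 21:30:05 vpn kernel: eth0: link up
Apr 28 21:30:06 vpn kernel: OUT-UDP-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1701 DPT=40022 LEN=40
EOF
}

sample_log | summarise_drops
```

Comparing the SPT/DPT pairs in the summary against the `--dport` ranges in the ACCEPT rules shows which traffic falls through to the final DROP.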


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
