diff options
Diffstat (limited to 'sample/sample-config-files/firewall.sh')
| -rwxr-xr-x | sample/sample-config-files/firewall.sh | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh new file mode 100755 index 0000000..19d75ee --- /dev/null +++ b/sample/sample-config-files/firewall.sh @@ -0,0 +1,108 @@ +#!/bin/sh + +# A Sample OpenVPN-aware firewall. + +# eth0 is connected to the internet. +# eth1 is connected to a private subnet. + +# Change this subnet to correspond to your private +# ethernet subnet. Home will use HOME_NET/24 and +# Office will use OFFICE_NET/24. +PRIVATE=10.0.0.0/24 + +# Loopback address +LOOP=127.0.0.1 + +# Delete old iptables rules +# and temporarily block all traffic. +iptables -P OUTPUT DROP +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -F + +# Set default policies +iptables -P OUTPUT ACCEPT +iptables -P INPUT DROP +iptables -P FORWARD DROP + +# Prevent external packets from using loopback addr +iptables -A INPUT -i eth0 -s $LOOP -j DROP +iptables -A FORWARD -i eth0 -s $LOOP -j DROP +iptables -A INPUT -i eth0 -d $LOOP -j DROP +iptables -A FORWARD -i eth0 -d $LOOP -j DROP + +# Anything coming from the Internet should have a real Internet address +iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP +iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP +iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP +iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP +iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP +iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP + +# Block outgoing NetBios (if you have windows machines running +# on the private subnet). This will not affect any NetBios +# traffic that flows over the VPN tunnel, but it will stop +# local windows machines from broadcasting themselves to +# the internet. +iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP +iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP +iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP +iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP + +# Check source address validity on packets going out to internet +iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP + +# Allow local loopback +iptables -A INPUT -s $LOOP -j ACCEPT +iptables -A INPUT -d $LOOP -j ACCEPT + +# Allow incoming pings (can be disabled) +iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT + +# Allow services such as www and ssh (can be disabled) +iptables -A INPUT -p tcp --dport http -j ACCEPT +iptables -A INPUT -p tcp --dport ssh -j ACCEPT + +# Allow incoming OpenVPN packets +# Duplicate the line below for each +# OpenVPN tunnel, changing --dport n +# to match the OpenVPN UDP port. +# +# In OpenVPN, the port number is +# controlled by the --port n option. +# If you put this option in the config +# file, you can remove the leading '--' +# +# If you taking the stateful firewall +# approach (see the OpenVPN HOWTO), +# then comment out the line below. + +iptables -A INPUT -p udp --dport 1194 -j ACCEPT + +# Allow packets from TUN/TAP devices. +# When OpenVPN is run in a secure mode, +# it will authenticate packets prior +# to their arriving on a tun or tap +# interface. Therefore, it is not +# necessary to add any filters here, +# unless you want to restrict the +# type of packets which can flow over +# the tunnel. + +iptables -A INPUT -i tun+ -j ACCEPT +iptables -A FORWARD -i tun+ -j ACCEPT +iptables -A INPUT -i tap+ -j ACCEPT +iptables -A FORWARD -i tap+ -j ACCEPT + +# Allow packets from private subnets +iptables -A INPUT -i eth1 -j ACCEPT +iptables -A FORWARD -i eth1 -j ACCEPT + +# Keep state of connections from local machine and private subnets +iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT +iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT +iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Masquerade local subnet +iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE |