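#!/bin/sh

# A Sample OpenVPN-aware firewall.
#
# Usage: run as root once the interfaces are up. The script can be
# re-run: it flushes the filter and nat tables before adding rules.

# Fail closed: the default policies are set to DROP before any rule is
# added, so if an iptables call below fails the script stops with all
# traffic blocked instead of continuing with a partially applied set.
set -eu

# WAN_IF is connected to the internet.
# LAN_IF is connected to a private subnet.
WAN_IF=eth0
LAN_IF=eth1

# Change this subnet to correspond to your private
# ethernet subnet. Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24

# Loopback address
LOOP=127.0.0.1

# UDP port the OpenVPN server listens on.
# In OpenVPN, the port number is controlled by the --port n option.
# If you put this option in the config file, you can remove the
# leading '--'.
OPENVPN_PORT=1194

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
# The MASQUERADE rule lives in the nat table; flush it as well,
# otherwise every run appends another copy of the POSTROUTING rule.
iptables -t nat -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT   -i "$WAN_IF" -s "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN_IF" -s "$LOOP" -j DROP
iptables -A INPUT   -i "$WAN_IF" -d "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN_IF" -d "$LOOP" -j DROP

# Anything coming from the Internet should have a real Internet address
# (an RFC 1918 source on the WAN side can only be spoofed or misrouted).
for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
  iptables -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
  iptables -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
done

# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
for proto in tcp udp; do
  iptables -A FORWARD -p "$proto" --sport 137:139 -o "$WAN_IF" -j DROP
  iptables -A OUTPUT  -p "$proto" --sport 137:139 -o "$WAN_IF" -j DROP
done

# Check source address validity on packets going out to internet:
# only packets carrying a PRIVATE source may be forwarded from LAN_IF
# (egress anti-spoofing). "! -s" is the current negation syntax; the
# older "-s !" form is deprecated and recent iptables releases warn on it.
iptables -A FORWARD ! -s "$PRIVATE" -i "$LAN_IF" -j DROP

# Allow local loopback.
# Match on the lo interface rather than the 127.0.0.1 address: packets
# to the host's own non-loopback addresses delivered over lo are then
# accepted too, while a packet on another interface carrying a loopback
# source gains nothing from this rule.
iptables -A INPUT -i lo -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing the port
# to match the OpenVPN UDP port.
#
# If you are taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.

iptables -A INPUT -p udp --dport "$OPENVPN_PORT" -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.

for dev in tun+ tap+; do
  iptables -A INPUT   -i "$dev" -j ACCEPT
  iptables -A FORWARD -i "$dev" -j ACCEPT
done

# Allow packets from private subnets
iptables -A INPUT   -i "$LAN_IF" -j ACCEPT
iptables -A FORWARD -i "$LAN_IF" -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT  -m state --state NEW -o "$WAN_IF" -j ACCEPT
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o "$WAN_IF" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s "$PRIVATE" -o "$WAN_IF" -j MASQUERADE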