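#!/bin/sh

# A Sample OpenVPN-aware firewall.
#
# $WAN (eth0) is connected to the internet.
# $LAN (eth1) is connected to a private subnet.
#
# Must be run as root.  Every iptables call is checked (set -e):
# because the first thing the script does is set DROP policies,
# an aborted run leaves the host closed rather than half-open.

set -eu

# Internet-facing and private interfaces.  Change these if your
# interfaces are named differently.
WAN=eth0
LAN=eth1

# Change this subnet to correspond to your private
# ethernet subnet.  Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24

# Loopback address
LOOP=127.0.0.1

# UDP port OpenVPN listens on.  In OpenVPN the port number is
# controlled by the --port n option (drop the leading '--' when
# the option lives in the config file).
VPN_PORT=1194

# Delete old iptables rules and temporarily block all traffic.
# The nat table is flushed as well, otherwise re-running this
# script stacks a second MASQUERADE rule on top of the first.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT   -i "$WAN" -s "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN" -s "$LOOP" -j DROP
iptables -A INPUT   -i "$WAN" -d "$LOOP" -j DROP
iptables -A FORWARD -i "$WAN" -d "$LOOP" -j DROP

# Anything coming from the Internet should have a real Internet
# address: RFC 1918 sources arriving on $WAN are spoofed or misrouted.
for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
  iptables -A FORWARD -i "$WAN" -s "$net" -j DROP
  iptables -A INPUT   -i "$WAN" -s "$net" -j DROP
done

# Block outgoing NetBios (if you have windows machines running
# on the private subnet).  This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
for proto in tcp udp; do
  iptables -A FORWARD -p "$proto" --sport 137:139 -o "$WAN" -j DROP
  iptables -A OUTPUT  -p "$proto" --sport 137:139 -o "$WAN" -j DROP
done

# Check source address validity on packets going out to internet.
# Negation must be written "! -s" — the older "-s !" form is
# rejected by current iptables releases.
iptables -A FORWARD ! -s "$PRIVATE" -i "$LAN" -j DROP

# Allow local loopback: the lo interface itself (local processes
# talking to the host's own non-loopback addresses also traverse lo)
# plus the 127.0.0.1 address.  The $WAN anti-spoof rules above are
# evaluated first, so these cannot be reached from the internet side.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s "$LOOP" -j ACCEPT
iptables -A INPUT -d "$LOOP" -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled).
# These rules carry no -i, so they match on every interface
# including $WAN.  Add -i "$LAN" or -i tun+ to expose a service
# only to the private subnet or the VPN.
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing the port
# to match that tunnel's UDP port.
#
# If you are taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface.  Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
for dev in tun+ tap+; do
  iptables -A INPUT   -i "$dev" -j ACCEPT
  iptables -A FORWARD -i "$dev" -j ACCEPT
done

# Allow packets from private subnets
iptables -A INPUT   -i "$LAN" -j ACCEPT
iptables -A FORWARD -i "$LAN" -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT  -m state --state NEW -o "$WAN" -j ACCEPT
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o "$WAN" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s "$PRIVATE" -o "$WAN" -j MASQUERADE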