Wednesday, January 30, 2019

firewall - Need IPTABLES rules explanation about OpenVPN set up



I've got Ubuntu 16.04 and OpenVPN installed, and it seems to be working fine. But when I check the firewall rules using "sudo ufw status", I see this:

Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
53                         ALLOW       Anywhere
465                        ALLOW       Anywhere
25                         ALLOW       Anywhere
110                        ALLOW       Anywhere
995                        ALLOW       Anywhere
143                        ALLOW       Anywhere
993                        ALLOW       Anywhere
10025                      ALLOW       Anywhere
10024                      ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
53 (v6)                    ALLOW       Anywhere (v6)
465 (v6)                   ALLOW       Anywhere (v6)
25 (v6)                    ALLOW       Anywhere (v6)
110 (v6)                   ALLOW       Anywhere (v6)
995 (v6)                   ALLOW       Anywhere (v6)
143 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
10025 (v6)                 ALLOW       Anywhere (v6)
10024 (v6)                 ALLOW       Anywhere (v6)


Port 1194 isn't mentioned at all! But when I use the netstat command "root@mail:~# netstat -anlp | grep 1194", I get this:

udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1142/openvpn

Also, I have this file, created by the OpenVPN script, at /etc/systemd/system/openvpn-iptables.service, and I see this in it:

[Unit]
Before=network.target
[Service]
Type=oneshot
# Source-NAT traffic from VPN clients (10.8.0.0/24) that is leaving for any
# non-VPN destination, so it appears to come from the server's public address
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
# Accept incoming OpenVPN traffic on UDP 1194; "-I" inserts it at the top of
# the INPUT chain, ahead of the jumps into UFW's own chains
ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# Allow packets from VPN clients to be forwarded, and the replies to come back
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# On stop, delete exactly the rules added above
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

So my question is... if port 1194 is open (is it?) with these iptables rules, then why don't I see it in ufw status?


Answer



I expect that the confusion is coming because you are using both UFW and iptables. UFW is a front-end for iptables, but if you add rules outside it, I expect that it can't recognise those rules.

Thus you are not seeing the iptables rules injected to handle your OpenVPN connection.

I expect that if you list the iptables rules you will see them. Try

  /sbin/iptables -vnL

to show the iptables and UFW rules (but in iptables form).
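As an added example (not part of the question or the answer above), the following POSIX shell script shows the distinction the answer is pointing at in a checkable form: "ufw status" only lists rules that live in UFW's own chains (ufw-user-input and friends), whereas the unit file inserts its ACCEPT rule directly into the INPUT chain, where UFW never looks. The chain names are the ones UFW creates on Ubuntu; the rule listing is a constructed sample of what "iptables -S INPUT; iptables -S ufw-user-input" prints on such a host after the unit has run, and the function names are the script's own.

```sh
#!/bin/sh
# Added example: find out where an ACCEPT rule for a port actually lives.
# "ufw status" reports only rules in ufw-user-input; a rule placed straight
# into INPUT (as the openvpn-iptables.service unit does) is invisible to it.

# Constructed sample output of `iptables -S INPUT; iptables -S ufw-user-input`
# on a ufw host after the OpenVPN unit ran. Chain names are ufw's real ones;
# the specific rules are illustrative.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-N ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT'

# rule_location RULES PORT PROTO
# Prints "direct" if an ACCEPT for PORT/PROTO sits directly in INPUT (hidden
# from "ufw status"), "ufw" if it is in ufw-user-input (what "ufw status"
# lists), or "none" if neither chain accepts it.
rule_location() {
    rules=$1; port=$2; proto=$3
    pattern="-p $proto -m $proto --dport $port -j ACCEPT"
    if printf '%s\n' "$rules" | grep -q -- "^-A INPUT $pattern\$"; then
        echo direct
    elif printf '%s\n' "$rules" | grep -q -- "^-A ufw-user-input $pattern\$"; then
        echo ufw
    else
        echo none
    fi
}

# direct_rule_precedes_ufw RULES PORT PROTO
# Succeeds if the direct INPUT rule is listed before the first jump into a
# ufw-* chain. "iptables -I" puts the rule at position 1, so ufw's reject
# chains can never block that port; an "-A" rule would land after them.
direct_rule_precedes_ufw() {
    rules=$1; port=$2; proto=$3
    rule_line=$(printf '%s\n' "$rules" \
        | grep -n -- "^-A INPUT -p $proto -m $proto --dport $port -j ACCEPT\$" \
        | cut -d: -f1 | head -n 1)
    ufw_line=$(printf '%s\n' "$rules" \
        | grep -n -- "^-A INPUT -j ufw-" | cut -d: -f1 | head -n 1)
    [ -n "$rule_line" ] && [ -n "$ufw_line" ] && [ "$rule_line" -lt "$ufw_line" ]
}

# live_rules: dump the real chains when run as root with iptables present,
# otherwise fall back to the constructed sample so the script runs anywhere.
live_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        iptables -S INPUT
        iptables -S ufw-user-input 2>/dev/null || true
    else
        printf '%s\n' "$SAMPLE_RULES"
    fi
}

rules=$(live_rules)
for spec in "1194 udp" "443 tcp" "22 tcp"; do
    set -- $spec
    printf '%s/%s: %s\n' "$1" "$2" "$(rule_location "$rules" "$1" "$2")"
done
```

On the sample data this prints "1194/udp: direct", "443/tcp: ufw" and "22/tcp: none", which is exactly the situation in the question: the OpenVPN port is open, but only "iptables -S INPUT" (or "iptables -vnL") shows it. If you would rather have UFW own the rule so it appears in "ufw status", the usual approach (beyond what the answer covers) is "ufw allow 1194/udp" for the INPUT side; the SNAT and FORWARD rules from the unit have no "ufw allow" equivalent and would instead go into /etc/ufw/before.rules together with a permissive DEFAULT_FORWARD_POLICY in /etc/default/ufw.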

