Firewalling OpenVPN with IPTables

Back to OpenVPN main

Back to extension section

Preventing access to the webinterface through the VPN

Unless you want to prevent that the VPN tunnel partners have access to the web interface, the following iptables rules in /etc/sysconfig/firewall.local can be adjusted.

For example with a /24 subnet Mask (255.255.255.0):

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
start)
      ## add your 'start' rules here
      # Prohibit WUI access via VPN / WUI Zugriff über VPN verbieten
      /sbin/iptables -A CUSTOMINPUT -s OpenVPN net/24 -p tcp -d green-IP-IPFire --dport 444 -j DROP
      ;;
stop)
      ## add your 'stop' rules here
      # Prohibit WUI access via VPN / WUI Zugriff über VPN verbieten
      /sbin/iptables -D CUSTOMINPUT -s OpenVPN net/24 -p tcp -d green-IP-IPFire --dport 444 -j DROP
      ;;
reload)
      $0 stop
      $0 start
      ## add your 'reload' rules here
      ;;
  *)
      echo "Usage: $0 {start|stop|reload}"
      ;;
esac

After a:

/etc/sysconfig/firewall.local reload

the rules should then also be active.

Block ICMP for OpenVPN

In case ICMP should be blocked by the firewall, some things needs to be regarded. ICMP types 0, 3, 8 and 11 should be opened, otherwise connection problems can appear.

Back to extension section

Back to OpenVPN main

Edit Page ‐ Yes, you can edit!

Older Revisions • December 9 at 11:35 pm • Jon