iptables VPN rules


Maverickcdn

Senior Member
So I'm having a noob moment and need some advice. This is likely unnecessary but is more for peace of mind knowing these door knockers are ignored.

Looking to create a custom chain in iptables to list out some banned IPs probing my VPN port; can someone take a look and let me know if I'm doing this properly? VPN server is on 31194/TCP and I want to ignore requests from my OBFS server on 10.1.1.11 (has fail2ban running monitoring OBFS port connections).

I have a script that checks the status of iptables rules and a script that looks for persistent door knockers and adds them to a ban list automatically, so I can't go willy-nilly adding IPs to the INPUT table without breaking the script that checks the rules status. I could code the checker script to be smarter, but I'd like to keep the INPUT chain cleaner in the long run.

Creating a chain called VPNBANNED that will contain some IPs/CIDRs to ban:
Code:
iptables -N VPNBANNED   # create VPNBANNED chain
iptables -I INPUT ! -s 10.1.1.11 -p tcp --dport 31194 -j VPNBANNED   # forward anything not from 10.1.1.11 on 31194/TCP to VPNBANNED (will be first rule in INPUT chain)
iptables -I VPNBANNED -s 'badip/cidr here' -j logdrop   # jump banned hits to logging and drop

Code:
MavMAIN|>/jffs/scripts| iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
VPNBANNED  tcp  -- !10.1.1.11            0.0.0.0/0            tcp dpt:31194
LOG        tcp  -- !10.1.1.11            0.0.0.0/0            tcp dpt:31194 state NEW LOG flags 0 level 1 prefix "openvpn31194 "
ACCEPT     tcp  --  'workiphere'       0.0.0.0/0            tcp dpt:31194
           tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31194 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
logdrop    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31194 state NEW recent: UPDATE seconds: 180 hit_count: 3 name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31194

Really just want to ensure that any connection that doesn't hit a drop rule in VPNBANNED will continue down the INPUT chain to logging/throttling rules and eventually accept rules.

Any input on this would be greatly appreciated.

TL;DR: I'm too lazy to research this and learn to do it properly today!
 

Maverickcdn

Senior Member
Pretty sure I answered my own question.


https://www.linuxtopia.org/Linux_Firewall_iptables/x4604.html

Code:
iptables -N VPNBANNED   # create VPNBANNED chain
iptables -I INPUT ! -s 10.1.1.11 -p tcp --dport 31194 -j VPNBANNED   # forward anything not from 10.1.1.11 on 31194/TCP to VPNBANNED (will be first rule in INPUT chain)
iptables -I VPNBANNED -j RETURN
iptables -I VPNBANNED -s 'badip/cidr here' -j logdrop   # jump banned hits to logging and drop
 
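As an added example (not from the thread or the router firmware), the same chain built from a ban list by a script: the rule text is generated first so it can be reviewed, the chain is created or flushed so re-runs are idempotent, the INPUT jump is added only if it is not already present, and the RETURN is appended last so unbanned clients fall through to the LOG, throttle and ACCEPT rules. It assumes the router's existing logdrop chain, port 31194/TCP and the trusted OBFS host 10.1.1.11 from the posts; the ban list is a constructed sample.

```shell
#!/bin/sh
# Generate (not apply) the VPNBANNED chain rules for review.
# Assumptions: 'logdrop' chain exists on the router, VPN on 31194/TCP,
# 10.1.1.11 is the trusted OBFS host that must bypass the ban chain.
VPN_PORT=31194
TRUSTED_SRC=10.1.1.11
CHAIN=VPNBANNED

# Constructed sample ban list: one IP or CIDR per line, '#' comments allowed.
BANLIST='192.0.2.10
198.51.100.0/24
# example comment line
203.0.113.77'

# Emit the iptables commands in execution order. -A (append) is used inside
# the chain so the listed order equals the rule order and RETURN ends up last;
# -I is only used for the single INPUT jump, which must sit at position 1.
gen_rules() {
  # Create the chain if missing, otherwise flush it so the script can be re-run.
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  # -C tests whether the jump already exists; insert it only when it does not.
  echo "iptables -C INPUT ! -s $TRUSTED_SRC -p tcp --dport $VPN_PORT -j $CHAIN 2>/dev/null || iptables -I INPUT ! -s $TRUSTED_SRC -p tcp --dport $VPN_PORT -j $CHAIN"
  printf '%s\n' "$BANLIST" | while IFS= read -r ip; do
    case "$ip" in ''|\#*) continue ;; esac   # skip blank and comment lines
    echo "iptables -A $CHAIN -s $ip -j logdrop"
  done
  # Explicit RETURN: traffic that matched no ban goes back to INPUT and
  # continues to the LOG / recent-throttle / ACCEPT rules after the jump.
  echo "iptables -A $CHAIN -j RETURN"
}

# Count generated rules containing a pattern (used to sanity-check output).
count_rules() { gen_rules | grep -c "$1"; }

# Print the rule script; on the router, pipe it into sh to apply it.
gen_rules
```

Run it as `sh build_vpnbanned.sh` to review the commands, then `sh build_vpnbanned.sh | sh` on the router to apply them.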
