The Community Forums


Need help with iptables for OpenVPN on CentOS 6.9

Discussion in 'General Discussion' started by natong, Jun 30, 2017.

  1. natong (Well-Known Member, joined May 17, 2008)

    I installed OpenVPN 2.4.3 x86_64-redhat-linux-gnu.
    But the firewall blocks incoming TCP port 1194.
    Which command unblocks this port?

    ------------------------------

    When I add my current IP to the allow list, I can connect to OpenVPN but can't go outside.
    I already did:
    Code:
    # Enable IP forwarding: add this line to /etc/sysctl.conf, then reload
    nano -w /etc/sysctl.conf
           net.ipv4.ip_forward = 1
    sysctl -p
    
    # NAT the VPN subnet out of eth0, then persist and reload the rules
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    service iptables save
    service iptables restart
    
    I googled and found many commands. I'm not sure which are the exact commands. Please help.

    Code:
    # FORWARD rules found online: allow VPN clients out, allow replies back, reject the rest
    iptables -A FORWARD -s 10.8.0.0/24 -m state --state NEW                 -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24                                      -j ACCEPT
    iptables -A FORWARD                -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD                                                     -j REJECT
    # Three alternative ways to NAT the VPN subnet; only one of them is needed
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source Your.Server.IP.Address
    iptables -t nat -A POSTROUTING                -j SNAT --to-source Your.Server.IP.Address
    
     
    #1 natong, Jun 30, 2017
    Last edited by a moderator: Jul 1, 2017
  2. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
  3. natong (Well-Known Member)

    After reading all 20+ web pages, I used the human language learning technique to find which one would be possible and valid. And finally I tested it myself and it works very well. These are the exact commands:

    Code:
    # Check the main interface name (eth0 or veth0).
    ifconfig
    
    # Allow incoming UDP traffic to port 1194
    iptables -A INPUT -i eth0 -p udp --dport 1194 -m state --state NEW -j ACCEPT
    
    # Allow traffic initiated from VPN to access the world
    iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
    
    # Allow established traffic to pass back and forth
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Masquerade traffic from VPN to the world
    iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
    
    service iptables save
    
    This web page is the best place to read (it is not false or erroneous): community.openvpn.net/openvpn/wiki/BridgingAndRouting
     
    #3 natong, Jul 1, 2017
    Last edited by a moderator: Jul 1, 2017
  4. natong (Well-Known Member)

    Is using -I better?

    Code:
    iptables -I INPUT -i eth0 -p udp --dport 1194 -m state --state NEW -j ACCEPT
     
  5. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
  6. natong (Well-Known Member)

    I have more information. If we add these rules using the iptables command directly from the shell, they will be erased on the next CSF restart or upgrade.

    CSF provides pre and post scripts which execute before or after CSF sets up its rules.

    /etc/csf/csfpre.sh : To run external commands before csf configures iptables
    /etc/csf/csfpost.sh : To run external commands after csf configures iptables

    Well, add these 4 rules to /etc/csf/csfpost.sh.
    Don't forget to add the full path to the iptables command!!!

    Code:
    touch /etc/csf/csfpost.sh
    chmod +x /etc/csf/csfpost.sh
    nano -w /etc/csf/csfpost.sh

    Code:
    #!/bin/sh
    # Allow incoming UDP traffic to port 1194. Don't use -A: CSF ends INPUT with
    # a catch-all drop, so an appended rule is never reached; -I puts it first.
    /sbin/iptables -I INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
    
    # Allow traffic initiated from VPN to access the world
    /sbin/iptables -A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
    
    # Allow established traffic to pass back and forth
    /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Masquerade traffic from VPN to the world
    /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    
    # Restart CSF. Run this from the shell after saving the file, NOT from
    # inside csfpost.sh (CSF itself runs that script on every restart).
    csf -r
     
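The rule set from post #3, the -A versus -I question from post #4 and the csfpost.sh persistence from post #6 all come down to one thing a practitioner wants to verify after `csf -r`: are the rules actually in the kernel, and is the INPUT accept in front of CSF's catch-all drop? The script below is an added example, not code from this thread, cPanel, CSF or OpenVPN. It audits an `iptables-save` dump for exactly those rules. It assumes the thread's values (WAN interface eth0, tunnel tun0, subnet 10.8.0.0/24, udp/1194), all overridable through environment variables, and the two dumps embedded in it are constructed samples, not captures from a real host; `LOGDROPIN` as CSF's terminal INPUT target is likewise assumed from CSF's usual chain layout.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel, CSF or OpenVPN): audit an
# iptables-save dump for the OpenVPN rules discussed above. Usage on the host:
#   iptables-save > /tmp/rules.txt && sh audit_vpn_rules.sh /tmp/rules.txt
# With no argument, two constructed sample dumps embedded below are audited.
# Assumptions (override via environment): eth0 WAN, tun0, 10.8.0.0/24, udp/1194.
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# 0 if the *filter INPUT chain accepts the tunnel port BEFORE any rule that
# drops everything. A rule appended with -A lands behind CSF's final drop and
# is never reached, which is why post #6 insists on -I.
input_accept_before_drop() {
    awk -v ifc="$WAN_IF" -v proto="$VPN_PROTO" -v port="$VPN_PORT" '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == "-A" && $2 == "INPUT" {
            n++
            if (!accept && index($0, "-i " ifc " ") && index($0, "-p " proto " ") &&
                index($0, "--dport " port " ") && index($0, " -j ACCEPT")) accept = n
            # a rule with no match criteria and a terminal target is a catch-all
            if (!drop && NF == 4 && $3 == "-j" &&
                ($4 == "DROP" || $4 == "REJECT" || $4 == "LOGDROPIN")) drop = n
        }
        END { exit !(accept && (!drop || accept < drop)) }
    ' "$1"
}

# 0 if FORWARD lets new flows from the VPN subnet out of the WAN interface
# and lets RELATED,ESTABLISHED traffic back through.
forward_rules_present() {
    awk -v ifc="$WAN_IF" -v tun="$VPN_IF" -v net="$VPN_NET" '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == "-A" && $2 == "FORWARD" {
            if (index($0, "-s " net " ") && index($0, "-i " tun " ") &&
                index($0, "-o " ifc " ") && index($0, " -j ACCEPT")) new_ok = 1
            if (index($0, "--state RELATED,ESTABLISHED") && index($0, " -j ACCEPT")) est_ok = 1
        }
        END { exit !(new_ok && est_ok) }
    ' "$1"
}

# 0 if *nat POSTROUTING masquerades the VPN subnet out of the WAN interface.
masquerade_present() {
    awk -v ifc="$WAN_IF" -v net="$VPN_NET" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" &&
            index($0, "-s " net " ") && index($0, "-o " ifc " ") &&
            index($0, " -j MASQUERADE") { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Run every check against one dump; the return value is the number of failures.
audit_dump() {
    fails=0
    if input_accept_before_drop "$1"; then echo "ok   INPUT accepts $VPN_PROTO/$VPN_PORT before the catch-all drop"
    else echo "FAIL INPUT accept missing or behind the catch-all drop (insert with -I, not -A)"; fails=$((fails + 1)); fi
    if forward_rules_present "$1"; then echo "ok   FORWARD: $VPN_NET via $VPN_IF -> $WAN_IF, replies back"
    else echo "FAIL FORWARD rules incomplete (clients connect but cannot go outside)"; fails=$((fails + 1)); fi
    if masquerade_present "$1"; then echo "ok   POSTROUTING masquerades $VPN_NET out of $WAN_IF"
    else echo "FAIL no MASQUERADE for $VPN_NET on $WAN_IF"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample dumps in iptables-save format (not captured from a host).
# Good: rules from post #6 applied correctly, INPUT accept inserted with -I.
SAMPLE_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGDROPIN
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Bad: INPUT accept appended with -A (behind the catch-all) and no NAT table.
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGDROPIN
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

GOOD_FILE=$(mktemp); BAD_FILE=$(mktemp)
trap 'rm -f "$GOOD_FILE" "$BAD_FILE"' EXIT
printf '%s\n' "$SAMPLE_GOOD" > "$GOOD_FILE"
printf '%s\n' "$SAMPLE_BAD" > "$BAD_FILE"

if [ $# -gt 0 ]; then
    audit_dump "$1"
else
    echo "== constructed good dump =="; audit_dump "$GOOD_FILE"
    echo "== constructed bad dump (-A instead of -I, no MASQUERADE) =="; audit_dump "$BAD_FILE" || true
fi
```

The checks match on the normalized form that `iptables-save` writes (`-p udp ... -m udp --dport 1194`), which is also why the thread's `-A` question matters: `iptables -L` output hides rule order relative to CSF's terminal drop far less clearly than a dump read top to bottom does. If the audit passes right after `csf -r` and fails later, the rules were added from the shell rather than from csfpost.sh.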