Need help with iptables for OpenVPN on CentOS 6.9

natong

Well-Known Member
May 17, 2008
89
1
58
I installed OpenVPN 2.4.3 x86_64-redhat-linux-gnu.
But the firewall blocks incoming TCP port 1194.
Which command unblocks this port?

------------------------------

When I add my current IP to the allow list, I can connect to OpenVPN but can't go outside.
I already did:
Code:
nano -w /etc/sysctl.conf
       net.ipv4.ip_forward = 1
sysctl -p

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
service iptables restart
I googled and found many commands. I'm not sure what the exact commands are. Please help.

Code:
iptables -A FORWARD -s 10.8.0.0/24 -m state --state NEW                 -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24                                      -j ACCEPT
iptables -A FORWARD                -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD                                                     -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source Your.Server.IP.Address
iptables -t nat -A POSTROUTING                -j SNAT --to-source Your.Server.IP.Address

natong
After reading all 20+ web pages, I used the human-language learning technique to find which one would be possible and valid. And finally I tested it myself and it works very well. These are the exact commands:

Code:
# Check the main interface name (eth0 or veth0).
ifconfig

# Allow incoming UDP traffic to port 1194
iptables -A INPUT -i eth0 -p udp --dport 1194 -m state --state NEW -j ACCEPT

# Allow traffic initiated from VPN to access the world
iptables -A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m state --state NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Masquerade traffic from VPN to the world
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

service iptables save
This web page is the best place to read (not falsified or erroneous): community.openvpn.net/openvpn/wiki/BridgingAndRouting

natong
Is using -I better?

Code:
iptables -I INPUT -i eth0 -p udp --dport 1194 -m state --state NEW -j ACCEPT
 

natong
I have more information. If we add these rules using the iptables command directly from the shell, they will be erased on the next CSF restart or upgrade.

CSF provides pre and post scripts which execute before or after CSF sets up its rules.

/etc/csf/csfpre.sh : To run external commands before csf configures iptables
/etc/csf/csfpost.sh : To run external commands after csf configures iptables

Well, add these 4 rules to /etc/csf/csfpost.sh.
Don't forget to add the full path to the iptables command!!!

touch /etc/csf/csfpost.sh
chmod +x /etc/csf/csfpost.sh
nano -w /etc/csf/csfpost.sh

Code:
# Allow incoming UDP traffic to port 1194. Don't use -A.
/sbin/iptables -I INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT

# Allow traffic initiated from VPN to access the world
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m state --state NEW -j ACCEPT

# Allow established traffic to pass back and forth
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Masquerade traffic from VPN to the world
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Restart CSF
csf -r
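As an added example that is not part of this thread, the same four rules written as a csfpost.sh that can be re-run safely: each group of rules lives in its own chain, and the jump into csf's INPUT/FORWARD/POSTROUTING chains is inserted at position 1 only if it is not already there. The variable names, the chain names OVPN_IN/OVPN_FWD/OVPN_NAT and the interface/subnet defaults are this example's assumptions; the existence check uses iptables -S rather than -C because the iptables 1.4.7 shipped with CentOS 6 lacks -C.

```sh
#!/bin/sh
# Added example of /etc/csf/csfpost.sh (not the poster's script). csf -r rebuilds
# the firewall before running this file, so it must recreate everything itself;
# dedicated chains also make a manual re-run safe instead of appending duplicates.
set -u

IPT="${IPT:-/sbin/iptables}"          # full path, as the post above advises
WAN_IF="${WAN_IF:-eth0}"               # assumed interface names and VPN subnet
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# fresh_chain TABLE CHAIN: create the chain, or flush it if it already exists.
fresh_chain() {
  "$IPT" -t "$1" -N "$2" 2>/dev/null || "$IPT" -t "$1" -F "$2"
}

# ensure_jump TABLE CHAIN TARGET: insert a jump at position 1 unless one exists.
# Position 1 matters: csf ends INPUT with its own drop rule, so an appended (-A)
# rule is never reached. -S is used because iptables 1.4.7 has no -C option.
ensure_jump() {
  "$IPT" -t "$1" -S "$2" | grep -q -- "-j $3\$" || "$IPT" -t "$1" -I "$2" 1 -j "$3"
}

apply_openvpn_rules() {
  # Incoming OpenVPN handshakes, accepted on the WAN interface only
  fresh_chain filter OVPN_IN
  "$IPT" -t filter -A OVPN_IN -i "$WAN_IF" -p udp --dport "$VPN_PORT" -m state --state NEW -j ACCEPT
  # Only VPN clients may open new forwarded connections, and only towards the WAN
  fresh_chain filter OVPN_FWD
  "$IPT" -t filter -A OVPN_FWD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -m state --state NEW -j ACCEPT
  "$IPT" -t filter -A OVPN_FWD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Source NAT for the VPN subnet leaving through the WAN interface
  fresh_chain nat OVPN_NAT
  "$IPT" -t nat -A OVPN_NAT -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
  ensure_jump filter INPUT OVPN_IN
  ensure_jump filter FORWARD OVPN_FWD
  ensure_jump nat POSTROUTING OVPN_NAT
}

# Apply only when csf executes this file; when sourced, just define the functions.
case "$0" in */csfpost.sh|csfpost.sh) apply_openvpn_rules ;; esac
```

Running `csf -r` afterwards (as in the post above) rebuilds the firewall and executes this script at the end, and `iptables -S OVPN_FWD` shows the resulting rules.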