iptables VPN rules


Maverickcdn

Senior Member
So I'm having a noob moment and need some advice. This is likely unnecessary, but is more for peace of mind, knowing these door knockers are ignored.

Looking to create a custom chain in iptables to list out some banned IPs probing my VPN port; can someone take a look and let me know if I'm doing this properly? VPN server is on 31194/TCP and I want to ignore requests from my OBFS server on 10.1.1.11 (has fail2ban running, monitoring OBFS port connections).

I have a script that checks the status of iptables rules and a script that looks for persistent door knockers and adds them to a ban list automatically, so I can't go willy-nilly adding IPs to the INPUT chain without breaking the script that checks the rules' status. I could code the checker script to be smarter, but I'd like to keep the INPUT chain cleaner in the long run.

Creating a chain called VPNBANNED that will contain some IPs/CIDRs to ban:
Code:
iptables -N VPNBANNED   # create VPNBANNED chain
iptables -I INPUT ! -s 10.1.1.11 -p tcp --dport 31194 -j VPNBANNED   # forward anything not from 10.1.1.11 on 31194/TCP to VPNBANNED (will be first rule in INPUT chain)
iptables -I VPNBANNED -s 'badip/cidr here' -j logdrop   # jump banned hits to logging and drop

Code:
MavMAIN|>/jffs/scripts| iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
VPNBANNED  tcp  -- !10.1.1.11            0.0.0.0/0            tcp dpt:31194
LOG        tcp  -- !10.1.1.11            0.0.0.0/0            tcp dpt:31194 state NEW LOG flags 0 level 1 prefix "openvpn31194 "
ACCEPT     tcp  --  'workiphere'       0.0.0.0/0            tcp dpt:31194
           tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31194 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
logdrop    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31194 state NEW recent: UPDATE seconds: 180 hit_count: 3 name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31194

Really just want to ensure that any connection that doesn't hit a drop rule in VPNBANNED will continue down the INPUT chain to the logging/throttling rules and eventually the accept rules.

Any input on this would be greatly appreciated.

TL/DR - I'm too lazy to research this and learn to do it properly today!
 
Pretty sure I answered my own question


https://www.linuxtopia.org/Linux_Firewall_iptables/x4604.html

Code:
iptables -N VPNBANNED   # create VPNBANNED chain
iptables -I INPUT ! -s 10.1.1.11 -p tcp --dport 31194 -j VPNBANNED   # forward anything not from 10.1.1.11 on 31194/TCP to VPNBANNED (will be first rule in INPUT chain)
iptables -I VPNBANNED -j RETURN   # anything not matched by a ban rule above returns to INPUT
iptables -I VPNBANNED -s 'badip/cidr here' -j logdrop   # jump banned hits to logging and drop
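As an added example (not the poster's script or the router's firmware), a small POSIX sh helper that rebuilds the VPNBANNED chain from a ban-list file (the path /jffs/configs/vpnbanned.list is a hypothetical default), ends it with RETURN so unbanned traffic falls back into INPUT, inserts the INPUT jump only once, and checks from `iptables -L INPUT -n --line-numbers` output that the jump is rule 1, the ordering the thread relies on. Set `IPT=echo` to dry-run without touching the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a "logdrop" chain already
# exists (as on the poster's router) and iptables >= 1.4.11 for "-C".

IPT="${IPT:-iptables}"          # IPT=echo prints the commands instead of running them
VPN_PORT=31194                  # OpenVPN server port from the thread
OBFS_IP=10.1.1.11               # OBFS server that must never be sent to VPNBANNED
BAN_LIST="${BAN_LIST:-/jffs/configs/vpnbanned.list}"   # hypothetical path, one IP/CIDR per line

# Rebuild VPNBANNED from the ban list. Re-runnable: the chain is flushed if it
# exists, every ban becomes a logdrop rule, and a final RETURN hands anything
# not banned back to INPUT so the LOG / recent / ACCEPT rules still apply.
build_vpnbanned() {
    list="${1:-$BAN_LIST}"
    $IPT -N VPNBANNED 2>/dev/null || $IPT -F VPNBANNED
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac    # skip blanks and comments
        $IPT -A VPNBANNED -s "$cidr" -j logdrop
    done < "$list"
    $IPT -A VPNBANNED -j RETURN
    # Insert the INPUT jump at position 1 only if it is not already present,
    # so repeated runs do not stack duplicate jumps in INPUT.
    $IPT -C INPUT ! -s "$OBFS_IP" -p tcp --dport "$VPN_PORT" -j VPNBANNED 2>/dev/null ||
        $IPT -I INPUT 1 ! -s "$OBFS_IP" -p tcp --dport "$VPN_PORT" -j VPNBANNED
}

# Read "iptables -L INPUT -n --line-numbers" output on stdin; exit 0 only when
# rule 1 of INPUT is the VPNBANNED jump for the VPN port (so bans are checked
# before the LOG, recent-throttle and ACCEPT rules), 1 otherwise.
check_input_order() {
    awk -v port="$VPN_PORT" '
        $1 == "1" && $2 == "VPNBANNED" && $0 ~ ("dpt:" port) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Typical cron use on the router: rebuild, then verify.
# build_vpnbanned && iptables -L INPUT -n --line-numbers | check_input_order
```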
 
