Some time ago I set up an OpenVPN server so we could securely log on to IT systems from outside the network. This worked really well until I rebooted it the other day. I then discovered I could still successfully connect to the OpenVPN server, but I couldn’t route any traffic to internal hosts.
Turns out I’d forgotten to make my iptables firewall rules persistent.
When the server starts up it starts with an empty set of firewall rules, so anyone can pretty much get to any open port. This in itself is not a big deal, as the local firewall isn’t the only firewall between our system and the internet. But iptables doesn’t just block ports; it also handles the forwarding of packets between the tunnel interface and the internal interface. So no rules means no forwarding.
There are a couple of ways to handle iptables persistence; the way I chose is to use the interface pre-up and post-down scripts.
First save your iptables rules:
$ sudo iptables-save -c > /etc/network/iptables.up.rules
We can then set up scripts to load this saved rule set when the network interface comes up and save it again when it goes down.
Create a file /etc/network/if-pre-up.d/iptablesload:
#!/bin/sh
iptables-restore < /etc/network/iptables.up.rules
exit 0
Make it executable:
$ sudo chmod +x /etc/network/if-pre-up.d/iptablesload
Create a file to handle the interface down event /etc/network/if-post-down.d/iptablessave:
#!/bin/sh
iptables-save -c > /etc/network/iptables.up.rules
if [ -f /etc/network/iptables.down.rules ]; then
    iptables-restore < /etc/network/iptables.down.rules
fi
exit 0
Make that executable too:
$ sudo chmod +x /etc/network/if-post-down.d/iptablessave
The iptablessave script does a bit more than we really need. In fact, if you’re happy that your saved iptables rules are static and don’t require any automated persistence, you may not want to save on the down event at all, and you can leave out the whole script.
Now when you reboot the iptables rules should be loaded as soon as the interface comes up.
Reminder of the OpenVPN iptables rules
This is the ruleset we have to handle forwarding to our local LAN.
# Generated by iptables-save v1.4.21 on Fri Oct 21 10:57:59 2016
*mangle
:PREROUTING ACCEPT [144914:137755244]
:INPUT ACCEPT [59096:11720946]
:FORWARD ACCEPT [85818:126034298]
:OUTPUT ACCEPT [86582:121352196]
:POSTROUTING ACCEPT [172400:247386494]
COMMIT
# Completed on Fri Oct 21 10:57:59 2016
# Generated by iptables-save v1.4.21 on Fri Oct 21 10:57:59 2016
*nat
:PREROUTING ACCEPT [1895:157689]
:INPUT ACCEPT [2:299]
:OUTPUT ACCEPT [20:1298]
:POSTROUTING ACCEPT [20:1298]
[1164:67858] -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 21 10:57:59 2016
# Generated by iptables-save v1.4.21 on Fri Oct 21 10:57:59 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[1:96] -A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[1:203] -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
[58365:11631115] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[729:89532] -A INPUT -j DROP
[57742:3832995] -A FORWARD -i tun+ -j ACCEPT
[0:0] -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[28076:122201303] -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j DROP
[86582:121352196] -A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Oct 21 10:57:59 2016
The NAT initially got created from the command line by:
$ sudo iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i tun+ -j ACCEPT
$ sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
These basically allow OpenVPN to listen on port 443, add the NAT rule, allow forwarding from any tun device, and allow established traffic to be forwarded in both directions.
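Since the whole problem here was rules silently not being there after a reboot, this is an added check script (not from the original post) that reads an iptables-save dump and reports which of the rules above are missing, so you can run it against the saved file before trusting it and against the live tables after a reboot. The interface names, subnet and port it looks for are assumptions copied from the ruleset above.

```shell
#!/bin/sh
# Added example, not from the original post: check that the rules OpenVPN
# forwarding depends on are present in an iptables-save dump, e.g. after a
# reboot. Interface, subnet and port values are assumptions taken from the post.
# Required lines in iptables-save syntax, counters stripped; ":FORWARD DROP"
# also confirms the default forward policy survived.
REQUIRED_RULES=':FORWARD DROP
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT'
# Reads a dump on stdin, prints each missing rule, returns how many were missing.
check_vpn_rules() {
    # Strip the "[pkts:bytes]" counters iptables-save -c adds to rule and policy lines.
    dump=$(sed -e 's/^\[[0-9]*:[0-9]*\] //' -e '/^:/s/ \[[0-9]*:[0-9]*\]$//')
    missing=0
    while IFS= read -r rule; do
        if ! printf '%s\n' "$dump" | grep -Fxq -- "$rule"; then
            echo "MISSING: $rule"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_RULES
EOF
    return "$missing"
}
# Check a file:  sh check_vpn_rules.sh /etc/network/iptables.up.rules
# Check the live tables:  iptables-save -c | sh check_vpn_rules.sh /dev/stdin
if [ $# -gt 0 ]; then
    check_vpn_rules < "$1"; exit $?
fi
# Constructed sample: the post's nat and filter tables as saved with -c (abridged).
LOADED_DUMP='*nat
[1164:67858] -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
[1:203] -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[57742:3832995] -A FORWARD -i tun+ -j ACCEPT
[28076:122201303] -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Constructed sample: what a freshly booted box reports when nothing was restored.
EMPTY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
printf '%s\n' "$LOADED_DUMP" | check_vpn_rules && echo "loaded dump: OK"
printf '%s\n' "$EMPTY_DUMP" | check_vpn_rules || echo "empty dump: $? rule(s) missing"
```

A non-zero exit status from check_vpn_rules is a cheap thing to alert on from cron after boot, since it is exactly the state that broke the VPN in this post.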