URL: https://technicallyrural.ca/2018/05/10/ufw-and-openvpn-and-not-breaking-everything/
Technically Rural: forays into technology, love, and farming

UFW, OpenVPN, forwarding traffic and not breaking everything

I've previously written about using OpenVPN to escape Xplornet's double NAT. Every now and then I'll set up a new server (following the steps there) and inevitably run into some firewall configuration problem. I've really never taken the time to understand how to use iptables. I understand that they're theoretically simple, but amazingly I always have a hard time with them. To that end, I've used ufw to try and help.

The number one piece of advice for securing anything connected to the internet is to reduce the attack surface. Great:

    sudo ufw default deny incoming
    sudo ufw allow ssh

and now nothing works. Attack surface minimized!

Before going too far, I use the nuclear option for new or new-ish servers to ensure I know what I'm dealing with (NOTE: this leaves your server WIDE open, don't stop here!):

    # Reset ufw (this also disables it)
    sudo ufw reset

    # Flush and delete all iptables rules in the filter, nat and mangle
    # tables, then set every default policy back to ACCEPT
    sudo iptables -F
    sudo iptables -X
    sudo iptables -t nat -F
    sudo iptables -t nat -X
    sudo iptables -t mangle -F
    sudo iptables -t mangle -X
    sudo iptables -P INPUT ACCEPT
    sudo iptables -P FORWARD ACCEPT
    sudo iptables -P OUTPUT ACCEPT

This leaves me with:

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    $ sudo ufw status verbose
    Status: inactive

Awesome. Clean slate! Starting from the beginning again:

    $ sudo ufw default deny incoming
    Default incoming policy changed to 'deny' (be sure to update your rules accordingly)
    $ sudo ufw allow ssh
    Rules updated
    $ sudo ufw enable
    Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
    Firewall is active and enabled on system startup
    $ sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), allow (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW IN    Anywhere

For the whole OpenVPN set up to work, the VPN client needs to actually be able to connect to the server. We'll need to allow traffic on 1194 (or whatever port you've configured OpenVPN to use).

    $ sudo ufw allow 1194
    Rule added

You'll also need to allow traffic to whatever port it is you're forwarding. For example, if I want port 3000 to be what I'm exposing to the public:

    $ sudo ufw allow 3000
    Rule added

Leaving us with:

    $ sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), allow (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW IN    Anywhere
    1194                       ALLOW IN    Anywhere
    3000                       ALLOW IN    Anywhere

That's about it for the more intuitive parts. The server is relatively locked down, although if you are using a fixed VPN client it may be worthwhile to white-list that single address.

To allow the forwarding that the OpenVPN set up relies on, we'll need to change the ufw default forward policy. Edit /etc/default/ufw and change the value of DEFAULT_OUTPUT_POLICY from DROP to ACCEPT:

    $ sudo nano /etc/default/ufw
    ...
    # Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
    # you change this you will most likely want to adjust your rules.
    DEFAULT_OUTPUT_POLICY="ACCEPT"

Then disable and re-enable ufw to update it:

    $ sudo ufw disable && sudo ufw enable

Finally, adding the iptables rules used in the previous post (I'm sure there's a way to do this with ufw, I just don't know it):

    $ sudo iptables -t nat -A PREROUTING -d 183.214.158.198 -p tcp --dport 3000 -j DNAT --to-dest 10.8.0.2:3000
    $ sudo iptables -t nat -A POSTROUTING -d 10.8.0.2 -p tcp --dport 3000 -j SNAT --to-source 10.8.0.1

Et voilà! A relatively locked down server that plays nicely with OpenVPN and forwarding traffic.

Related:
  * Xplornet double NAT: VPN edition (November 5, 2017)
  * NordVPN with OpenVPN on Raspberry Pi (May 26, 2017)
  * Xplornet and its confounded double NAT (February 15, 2017)

This entry was posted in Uncategorized on May 10, 2018 by tobymurray.
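Added example, not code from the post or its author. The DNAT/SNAT rules above are added by hand with iptables, so they do not survive a reboot, and the author says they do not know the ufw way of doing it. ufw loads any *nat section it finds in /etc/ufw/before.rules every time it starts, and `ufw route allow` adds a FORWARD-chain rule for one destination instead of opening the routed policy for everything (in /etc/default/ufw the routed policy is DEFAULT_FORWARD_POLICY; DEFAULT_OUTPUT_POLICY governs the server's own outgoing traffic and is already ACCEPT on a stock install). DNAT also needs net.ipv4.ip_forward=1, which the earlier post's setup is assumed to have enabled. The script below generates both pieces for the post's own addresses (183.214.158.198, 10.8.0.1, 10.8.0.2, ports 1194 and 3000), validates them first, and can optionally restrict ssh and the OpenVPN port to the fixed client address the post suggests white-listing; 198.51.100.7 used for that is a constructed placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build the ufw commands and the
# /etc/ufw/before.rules *nat fragment for the OpenVPN port-forward described
# in the post, so the rules are owned by ufw and survive disable/enable and
# reboots. Addresses 183.214.158.198 / 10.8.0.1 / 10.8.0.2 are the post's own;
# any ADMIN_IP passed in is a placeholder chosen by the caller.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}'
}

# Return 0 if $1 is a port number in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the *nat table to place in /etc/ufw/before.rules ahead of the
# existing *filter section. Args: PUBLIC_IP PORT VPN_CLIENT VPN_GATEWAY
nat_fragment() {
    pub=$1; port=$2; client=$3; gw=$4
    valid_ipv4 "$pub" && valid_ipv4 "$client" && valid_ipv4 "$gw" && valid_port "$port" || return 1
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $client:$port" \
        "-A POSTROUTING -d $client -p tcp --dport $port -j SNAT --to-source $gw" \
        'COMMIT'
}

# Print the ufw commands for the post's policy: deny incoming, allow ssh and
# the OpenVPN port (optionally only from ADMIN_IP), allow the forwarded port,
# and permit forwarding to the VPN client only, via a FORWARD-chain route
# rule, rather than a global DEFAULT_FORWARD_POLICY="ACCEPT".
# Args: VPN_PORT FWD_PORT VPN_CLIENT [ADMIN_IP]
ufw_commands() {
    vpn=$1; fwd=$2; client=$3; admin=${4:-}
    valid_port "$vpn" && valid_port "$fwd" && valid_ipv4 "$client" || return 1
    echo 'ufw default deny incoming'
    if [ -n "$admin" ]; then
        valid_ipv4 "$admin" || return 1
        echo "ufw allow from $admin to any port 22 proto tcp"
        echo "ufw allow from $admin to any port $vpn"
    else
        echo 'ufw allow ssh'
        echo "ufw allow $vpn"
    fi
    # The DNAT rule is TCP-only, so there is no reason to open UDP as well.
    echo "ufw allow $fwd/tcp"
    echo "ufw route allow proto tcp to $client port $fwd"
}

# Apply the configuration on the server itself (must be root). Not exercised
# by the test. Args: PUBLIC_IP FWD_PORT VPN_CLIENT VPN_GATEWAY VPN_PORT [ADMIN_IP]
apply() {
    [ "$(id -u)" -eq 0 ] || { echo 'apply: must run as root' >&2; return 1; }
    # DNAT needs forwarding on; for reboots also set net/ipv4/ip_forward=1
    # in /etc/ufw/sysctl.conf, which ufw applies when it starts.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Insert the *nat table once, ahead of the existing *filter section.
    if ! grep -q '^\*nat' /etc/ufw/before.rules; then
        { nat_fragment "$1" "$2" "$3" "$4" && cat /etc/ufw/before.rules; } > /etc/ufw/before.rules.new
        chmod 0640 /etc/ufw/before.rules.new
        mv /etc/ufw/before.rules.new /etc/ufw/before.rules
    fi
    ufw_commands "$5" "$2" "$3" "${6:-}" | while read -r cmd; do $cmd; done
    # Re-reads before.rules and the user rules; --force skips the ssh prompt.
    ufw --force enable
}

# Usage on the server:
#   sh forward.sh apply 183.214.158.198 3000 10.8.0.2 10.8.0.1 1194 [ADMIN_IP]
if [ "${1:-}" = apply ]; then
    shift
    apply "$@"
fi
```

Run without arguments the script only defines the functions, so it can be sourced to inspect what `nat_fragment` and `ufw_commands` would produce before anything touches the live firewall; the validation step exists because a typo in an address silently produces a rule that forwards nothing, which is the "nothing works" failure the post describes.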