URL: https://technicallyrural.ca/2018/05/10/ufw-and-openvpn-and-not-breaking-everything/
TECHNICALLY RURAL


FORAYS INTO TECHNOLOGY, LOVE, AND FARMING


UFW, OPENVPN, FORWARDING TRAFFIC AND NOT BREAKING EVERYTHING

I’ve previously written about using OpenVPN to escape Xplornet’s double NAT.
Every now and then I’ll set up a new server (following the steps there) and
inevitably run into some firewall configuration problem. I’ve really never taken
the time to understand how to use iptables. I understand that they’re
theoretically simple, but amazingly I always have a hard time with them. To that
end, I’ve used ufw to try and help.

The number one piece of advice for securing anything connected to the internet
is to reduce the attack surface. Great:

sudo ufw default deny incoming
sudo ufw allow ssh

and now nothing works. Attack surface minimized!

Before going too far, on a new or new-ish server I use the nuclear option to make
sure I know exactly what I'm dealing with (NOTE: this leaves your server WIDE
open; don't stop here!):

# Reset ufw to its defaults and disable it
sudo ufw reset

# Flush all iptables rules and user chains in every table, then set the
# built-in chains back to ACCEPT
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

This leaves me with:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
$ sudo ufw status verbose
Status: inactive

Awesome. Clean slate! Starting from the beginning again:

$ sudo ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
$ sudo ufw allow ssh
Rules updated
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To       Action     From
--       ------     ----
22/tcp   ALLOW IN   Anywhere

For the whole OpenVPN setup to work, the VPN client needs to actually be able to
connect to the server, so we'll need to allow traffic on port 1194 (or whatever
port you've configured OpenVPN to use).

$ sudo ufw allow 1194
Rule added

You’ll also need to allow traffic to whatever port it is you’re forwarding. For
example, if I want port 3000 to be what I’m exposing to the public:

$ sudo ufw allow 3000
Rule added

Leaving us with:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To       Action     From
--       ------     ----
22/tcp   ALLOW IN   Anywhere
1194     ALLOW IN   Anywhere
3000     ALLOW IN   Anywhere

That's about it for the more intuitive parts. The server is relatively locked
down, although if you are connecting from a fixed VPN client address it may be
worthwhile to whitelist that single address rather than allowing the OpenVPN
port from anywhere. To allow the forwarding that the OpenVPN setup relies on,
we'll need to change the ufw default forward policy. Edit /etc/default/ufw and
change the value of DEFAULT_OUTPUT_POLICY from DROP to ACCEPT:

$ sudo nano /etc/default/ufw
...

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

Then disable and re-enable ufw to update it:

$ sudo ufw disable && sudo ufw enable

Finally, add the iptables rules used in the previous post (I'm sure there's a
way to do this with ufw, I just don't know it):

$ sudo iptables -t nat -A PREROUTING -d 183.214.158.198 -p tcp --dport 3000 -j DNAT --to-dest 10.8.0.2:3000
$ sudo iptables -t nat -A POSTROUTING -d 10.8.0.2 -p tcp --dport 3000 -j SNAT --to-source 10.8.0.1

Et voilà! A relatively locked down server that plays nicely with OpenVPN and
forwarding traffic.
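The whole procedure above, collected into one script as an added example (this is not code from the original post): it prints the ufw commands for the baseline, optionally pins the OpenVPN port to a single fixed client address as suggested above, and carries the DNAT/SNAT pair into /etc/ufw/before.rules together with a `ufw route allow` rule, so the forwarding survives `ufw disable && ufw enable` and reboots instead of living only in the running iptables state. Two facts the script relies on: in /etc/default/ufw the FORWARD chain is governed by DEFAULT_FORWARD_POLICY (DEFAULT_OUTPUT_POLICY controls the OUTPUT chain, which ufw ships as ACCEPT), and a `ufw route allow` rule for just the forwarded flow means DEFAULT_FORWARD_POLICY can stay at DROP; the `forward_policy` helper reports what it is set to. Assumptions: ufw 0.34 or later (for `ufw route`), IP forwarding already enabled by the earlier OpenVPN setup, the post's addresses 183.214.158.198, 10.8.0.2 and 10.8.0.1, and 203.0.113.10 as a made-up fixed client address. Nothing is applied unless the script is run as root with `--apply`; every other function only prints text for inspection.

```shell
#!/bin/sh
# Added example (not from the original post): the post's ufw baseline, an
# optional single-client whitelist for the OpenVPN port, and the DNAT/SNAT
# forwarding carried into ufw's own files so it survives reloads and reboots.
# Only apply_all touches the system (root, "--apply"); everything else prints.
# Assumed values: 203.0.113.10 is a made-up fixed VPN client; 183.214.158.198,
# 10.8.0.2 and 10.8.0.1 are the addresses the post uses.

# Validate a TCP/UDP port number (1-65535); non-zero exit means invalid.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate a dotted-quad IPv4 address; non-zero exit means invalid.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Print the ufw commands for the baseline (deny in, ssh, OpenVPN port, app
# port). With a 4th argument the OpenVPN port is reachable only from that one
# client address, the whitelist the post suggests for a fixed VPN client.
baseline_rules() {  # ssh_port vpn_port app_port [vpn_client_public_ip]
    valid_port "$1" && valid_port "$2" && valid_port "$3" || return 1
    [ -z "${4:-}" ] || valid_ipv4 "$4" || return 1
    echo "ufw default deny incoming"
    echo "ufw allow $1/tcp"
    if [ -n "${4:-}" ]; then
        echo "ufw allow from $4 to any port $2"
    else
        echo "ufw allow $2"
    fi
    echo "ufw allow $3/tcp"
}

# Print the ufw route rule that lets only the forwarded flow through the
# FORWARD chain, so DEFAULT_FORWARD_POLICY can stay at DROP (ufw >= 0.34).
route_rule() {  # vpn_client_tunnel_ip app_port
    echo "ufw route allow proto tcp to $1 port $2"
}

# Print the *nat block for /etc/ufw/before.rules: the post's DNAT/SNAT pair in
# iptables-restore syntax, tagged with a marker comment for idempotence.
nat_block() {  # public_ip app_port vpn_client_tunnel_ip vpn_server_tunnel_ip
    cat <<EOF
# openvpn-forward
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $1 -p tcp --dport $2 -j DNAT --to-destination $3:$2
-A POSTROUTING -d $3 -p tcp --dport $2 -j SNAT --to-source $4
COMMIT
EOF
}

# Print before.rules with the nat block inserted above its "*filter" line; if
# the marker is already present the file is printed unchanged.
with_nat_block() {  # rules_file public_ip app_port client_tunnel_ip server_tunnel_ip
    if grep -q '^# openvpn-forward$' "$1"; then cat "$1"; return 0; fi
    blk=$(nat_block "$2" "$3" "$4" "$5")
    awk -v blk="$blk" '/^\*filter/ && !ins { print blk; ins = 1 } { print }' "$1"
}

# Report the FORWARD chain policy from an /etc/default/ufw-style file.
forward_policy() {  # file
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Za-z]*\)".*/\1/p' "$1"
}

# Apply everything to the running system (root only); before.rules is backed
# up first and ufw is re-enabled and reloaded so the new nat block is read.
apply_all() {  # ssh_port vpn_port app_port public_ip client_tunnel_ip server_tunnel_ip [whitelist_ip]
    rules=/etc/ufw/before.rules
    baseline_rules "$1" "$2" "$3" "${7:-}" | while read -r cmd; do $cmd; done
    route_rule "$5" "$3" | sh
    cp "$rules" "$rules.bak"
    with_nat_block "$rules" "$4" "$3" "$5" "$6" > "$rules.new" && mv "$rules.new" "$rules"
    ufw --force enable && ufw reload
    echo "DEFAULT_FORWARD_POLICY is $(forward_policy /etc/default/ufw); the route rule covers the forwarded flow"
}

if [ "${1:-}" = "--apply" ]; then
    apply_all 22 1194 3000 183.214.158.198 10.8.0.2 10.8.0.1 203.0.113.10
fi
```

Run it without arguments and call `baseline_rules 22 1194 3000 203.0.113.10` or `with_nat_block /etc/ufw/before.rules 183.214.158.198 3000 10.8.0.2 10.8.0.1` from a shell that has sourced it to see exactly what would change; the marker comment keeps repeated runs from stacking duplicate nat blocks, and restricting the FORWARD chain to the one `ufw route allow` flow keeps the server from becoming a general router if a second tunnel or interface is added later.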


This entry was posted in Uncategorized on May 10, 2018 by tobymurray.