Iptables on Client w/OpenVPN

Rashkae ubuntu at tigershaunt.com
Fri Feb 12 14:11:22 UTC 2010

Chris wrote:
> Greetings,
> Here's my situation:
> I want to deny all incoming on my PC but want to allow my OVPN client
> to access a remove OVPN server.
> My PC has just has the one nic and goes to a cable modem. Nothing real
> fancy.
> Any pointers or examples would be greatly appreciated!

Lots of choice, I present 3.

Firestarter has a great GUI for simple firewall configurations.  You 
have to install it.

Ubuntu comes with a pre-configured firewall, but is disabled by default.
To use it, sudo gedit /etc/ufw/ufw.conf and set Enable to yes.

And finally:  the masochist way (often my favorite)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP

This, of course, assumes that when you say you want to block all 
incoming connections, you actually mean to allow connections that your 
computer initiates...if you really want to prevent your computer from 
receiving any packets from the net whatsoever.....

iptables -A INPUT -p udp --dport ##### -s ipaddress -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP

The ###### needs to be set to a port number you configure your ovpn 
client to use all the time. and ipaddress is the address of the ovpn server.

Oh, I almost forgot, you'll also want to allow incoming connections from 
the ovpn connection, so you'll also need something like:
/sbin/iptables -A INPUT -i tun+ -j ACCEPT

And you'll also probably want to do something about ip6

/sbin/ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i tun+ -j ACCEPT
/sbin/ip6tables -P INPUT DROP

More information about the ubuntu-users mailing list