Problem(s) solved. Here is my documentation of what I did (including stupid mistakes).
First, the open port 22. It wasn't mine that was open. It was the VPN service provider who had an open port 22. I finally had the brilliant idea of attaching to the internet without the router in between and port scanning myself that way. And lo and behold, it was not open.
But because of my stupidity in not doing that earlier, I ended up learning iptables, because firestarter, gufw and ufw were not working as expected. Of course they are not designed to configure a computer that they are not running on, and so iptables also was not working as expected. But this was because I didn't have a full grasp of the problem.
In researching iptables I found a very helpful posting with a firewall script (http://rhau.se/2009/02/10/simple-ipt...sfq-sceduling/). Now this script was way more than I needed, but it helped out in searching through the man page and figuring out how things worked.
So here's what I ended up with as a setup. I chose to have as a policy to be restrictive on both inbound and outbound traffic, and to only open the ports that I wanted open outbound, leaving everything closed inbound. I'm sure I don't really need that level of restriction, but I think it's cool that I can do it, so I will.
Here's my script for when I'm running the VPN:
Code:
#! /bin/bash
# set interface strings
# eth+ matches both eth0 (my wired) and eth1 (my wireless)
ETHERNET="eth+"
TUNNEL="tun0"
# clear current rules
iptables -F
# set default to drop (probably redundant with final explicit section)
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# loopback has to stay open in both directions: with the DROP policies above,
# anything talking to 127.0.0.1 (a local resolver, X, etc.) breaks without this
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept anything that I already have an established connection with
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# same for outbound, so RELATED packets (e.g. ICMP errors) of an accepted
# connection are not dropped by the OUTPUT policy
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# open port 1194 on ETHERNET for TUNNEL to connect through.
# note: DNS and DHCP allowed here travel outside the tunnel
iptables -A OUTPUT -o $ETHERNET -p udp --dport 53 -j ACCEPT    # DNS
iptables -A OUTPUT -o $ETHERNET -p udp --dport 67:68 -j ACCEPT # DHCP
iptables -A OUTPUT -o $ETHERNET -p udp --dport 1194 -j ACCEPT  # openvpn
# open ports on TUNNEL that you want to use.
iptables -A OUTPUT -o $TUNNEL -p udp --dport 67:68 -j ACCEPT   # DHCP
iptables -A OUTPUT -o $TUNNEL -p udp --dport 53 -j ACCEPT      # DNS
iptables -A OUTPUT -o $TUNNEL -p tcp --dport 80 -j ACCEPT      # http
iptables -A OUTPUT -o $TUNNEL -p tcp --dport 443 -j ACCEPT     # https
iptables -A OUTPUT -o $TUNNEL -p tcp --dport 110 -j ACCEPT     # pop3
#iptables -A OUTPUT -o $TUNNEL -p tcp --dport 22 -j ACCEPT     # ssh
#iptables -A OUTPUT -o $TUNNEL -p tcp --dport 20:21 -j ACCEPT  # ftp
#iptables -A OUTPUT -o $TUNNEL -p tcp --dport 6881:6889 -j ACCEPT # bittorrent
# explicitly drop everything that has not been previously allowed
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Here is the script I can run while at home on my trusted network:
Code:
#! /bin/bash
# clear current rules
iptables -F
# set default to drop (probably redundant with final explicit section)
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# loopback has to stay open in both directions under DROP policies
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept anything that I already have an established connection with
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# same for outbound, so RELATED packets of an accepted connection pass
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# open the outbound ports that you want to use (any interface on the trusted net).
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT   # DHCP
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT      # DNS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT      # http
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT     # https
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT     # pop3
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT      # ssh
#iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT  # ftp
#iptables -A OUTPUT -p tcp --dport 6881:6889 -j ACCEPT # bittorrent
# explicitly drop everything that has not been previously allowed
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Comments are definitely welcome. This being my first endeavor at iptables, I would love to have constructive criticism.
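An added example, not part of the post above: the post's own test was to port-scan the box from outside, which checks inbound only. The script below audits the ruleset itself from an iptables-save dump, checking the properties the two scripts are meant to give (all three policies DROP, loopback open, RELATED,ESTABLISHED accepted on INPUT, no other inbound ACCEPT) and listing which protocol/port combinations may leave on which interface, including anything that bypasses the tunnel. The only thing it assumes is the iptables-save line format (in which `-p udp --dport 53` is printed as `-p udp -m udp --dport 53`); the dump embedded in `SAMPLE_DUMP` is constructed to match the VPN script so the example runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Audit an iptables-save dump for the properties the VPN script is meant to
# enforce. Written as an added example; runs under POSIX sh (no bashisms).
# Against a live box:  iptables-save > dump; audit_rules tun0 "$(cat dump)"

# Constructed sample dump matching the VPN script (plus the loopback and
# OUTPUT state rules). iptables-save prints "-p udp --dport N" as
# "-p udp -m udp --dport N".
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth+ -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth+ -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o eth+ -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -j DROP
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT'

# policy_of CHAIN DUMP: the chain's default policy (ACCEPT or DROP).
policy_of() {
    printf '%s\n' "$2" | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# out_accepts DUMP: one "IFACE PROTO/PORT" line per OUTPUT ACCEPT rule that
# names a --dport; IFACE is "any" when the rule carries no -o.
out_accepts() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "OUTPUT" && /-j ACCEPT/ && /--dport/ {
            o = "any"; p = "?"; d = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-o") o = $(i+1)
                if ($i == "-p") p = $(i+1)
                if ($i == "--dport") d = $(i+1)
            }
            print o, p "/" d
        }'
}

# iface_matches PATTERN IFACE: iptables wildcard semantics, so "eth+"
# matches eth0 and eth1; "any" matches every interface.
iface_matches() {
    pat="$1"; ifc="$2"
    [ "$pat" = any ] && return 0
    case "$pat" in
        *+) [ "${ifc#${pat%+}}" != "$ifc" ] ;;
        *)  [ "$pat" = "$ifc" ] ;;
    esac
}

# ports_out_via IFACE DUMP: sorted PROTO/PORT values that new connections
# may use when leaving through IFACE.
ports_out_via() {
    out_accepts "$2" | while read -r o pp; do
        iface_matches "$o" "$1" && echo "$pp"
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# bypasses_tunnel TUNNEL DUMP: PROTO/PORT values allowed out on something
# other than TUNNEL or lo, i.e. traffic the VPN never carries (DNS, in the
# sample) and which the local network can see.
bypasses_tunnel() {
    out_accepts "$2" | while read -r o pp; do
        [ "$o" = "$1" ] || [ "$o" = lo ] || echo "$pp"
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# audit_rules TUNNEL DUMP: print one FAIL line per missing property;
# return 1 if anything failed, 0 otherwise.
audit_rules() {
    dump="$2"; fail=0
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(policy_of "$chain" "$dump")" = DROP ] \
            || { echo "FAIL: $chain policy is not DROP"; fail=1; }
    done
    printf '%s\n' "$dump" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' \
        || { echo "FAIL: loopback not accepted on INPUT"; fail=1; }
    printf '%s\n' "$dump" | grep -q -- '^-A OUTPUT -o lo -j ACCEPT$' \
        || { echo "FAIL: loopback not accepted on OUTPUT"; fail=1; }
    # newer iptables saves "-m state --state" as "-m conntrack --ctstate"
    printf '%s\n' "$dump" \
        | grep -Eq -- '^-A INPUT .*--(ct)?state RELATED,ESTABLISHED -j ACCEPT' \
        || { echo "FAIL: INPUT lacks RELATED,ESTABLISHED accept"; fail=1; }
    # any other INPUT ACCEPT would admit new inbound connections
    if printf '%s\n' "$dump" | grep -- '^-A INPUT .*-j ACCEPT' \
            | grep -Evq -- '(-i lo |--(ct)?state )'; then
        echo "FAIL: INPUT accepts new inbound connections"; fail=1
    fi
    return $fail
}

# Stand-alone run against the constructed dump.
audit_rules tun0 "$SAMPLE_DUMP" && echo "audit: OK"
echo "leaves via eth0: $(ports_out_via eth0 "$SAMPLE_DUMP")"
echo "leaves via tun0: $(ports_out_via tun0 "$SAMPLE_DUMP")"
echo "bypasses tun0:   $(bypasses_tunnel tun0 "$SAMPLE_DUMP")"
```

Run on the sample it reports that UDP 53, 67:68 and 1194 may leave on eth0 outside the tunnel, which is the trade-off the VPN script makes to get the tunnel up; on the home script, every port shows as bypassing, since those rules carry no `-o`.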