That was my thinking. I've just done a first draft script which I've posted for feedback here:
http://ubuntuforums.org/showthread.p...31#post7386031
Hey guys,
Was trying to do pretty much the same and figured it out without too much trouble. I had already modified before.rules to drop pings and stuck the OpenVPN stuff right after. Here are my changes:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# allow all traffic via our OpenVPN interface
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
#
# ufw-not-local
#
Found I was logging a ton of stuff I didn't care about since it was going out my tun0 interface.
# allow all traffic via our OpenVPN interface
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
The traffic was flowing but generating too much log chatter. Adding these RELATED,ESTABLISHED rules fixed that.
Useful bit of info! Use tun+ instead of tun# if you have multiple tun interfaces that should all be treated the same.
Hi there, I have an OpenVPN server here but I am using bridging as opposed to routing.
The iptables rules look like this:
Code:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
How would I set up ufw to reflect that, along with your chatter modifications?
Currently, when I connect I can only ping the VPN server, as the firewall on it (ufw) is blocking it from seeing anything behind.
Thanks.
Thank you Workingman for the rules. I used a slight modification of these in the file /etc/ufw/before.rules:
.
.
.
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# allow all traffic via our OpenVPN interface
-A ufw-before-input -i tun0 -j ACCEPT
-A ufw-before-forward -i tun0 -j ACCEPT
-A ufw-before-forward -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
.
.
.
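The following is an added example, not code posted by anyone in this thread. It wraps up the three points made above: the OpenVPN rules belong in the ufw-before-input / ufw-before-forward chains of /etc/ufw/before.rules rather than the built-in INPUT / FORWARD chains, the interface needs an outbound RELATED,ESTABLISHED rule or replies end up in the log, and "tun+" covers tun0, tun1, and so on. `ovpn_rules` prints that block for any interface name, and `lint_before_rules` checks an existing before.rules for both pitfalls. The `sample_rules` helper builds the two variants seen in the thread as constructed test input. One assumption is labelled in the code: for a bridged setup (tap0 / br0) the same three lines per interface are taken to be the ufw equivalent of the bridged poster's iptables rules, which the thread does not confirm.

```shell
#!/bin/sh
# Added example for this ufw/OpenVPN thread; not code from any of the posters.
# ovpn_rules        - emit the OpenVPN block in the form that belongs in
#                     /etc/ufw/before.rules (ufw-before-* chains, plus the
#                     RELATED,ESTABLISHED reply rule that stops the log chatter)
# lint_before_rules - check an existing before.rules for the two pitfalls
# sample_rules      - constructed before.rules fragments mirroring the thread
# Assumption: for a bridged setup, ovpn_rules 'tap0' 'br0' is taken to be the
# ufw translation of the iptables rules posted above; the thread does not
# confirm that.

# ovpn_rules IFACE [IFACE...]: print before.rules lines for each interface.
# "tun+" matches tun0, tun1, ... as noted in the thread.
ovpn_rules() {
    for ifc in "$@"; do
        printf '%s\n' "# allow all traffic via our OpenVPN interface ($ifc)"
        printf '%s\n' "-A ufw-before-input -i $ifc -j ACCEPT"
        printf '%s\n' "-A ufw-before-forward -i $ifc -j ACCEPT"
        printf '%s\n' "-A ufw-before-forward -o $ifc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    done
}

# lint_before_rules FILE: print one "warn:" line per finding; return the count.
lint_before_rules() {
    f="$1"
    count=0
    # Finding 1: a rule appended straight to INPUT/FORWARD/OUTPUT. before.rules
    # is meant to fill ufw's own chains; ufw jumps to those from the built-ins.
    if awk '$1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD" || $2 == "OUTPUT") { hit = 1 }
            END { exit !hit }' "$f"; then
        echo "warn: rule appended to a built-in chain; use ufw-before-input/forward/output"
        count=$((count + 1))
    fi
    # Finding 2: each interface accepted inbound on the forward chain needs an
    # outbound RELATED,ESTABLISHED rule (conntrack match or the older state
    # match); without it the replies fall through to ufw's logging rules.
    for ifc in $(awk '$1 == "-A" && ($2 == "ufw-before-forward" || $2 == "FORWARD") &&
                      $3 == "-i" && $5 == "-j" && $6 == "ACCEPT" { print $4 }' "$f" | sort -u); do
        if ! awk -v ifc="$ifc" '$1 == "-A" && ($2 == "ufw-before-forward" || $2 == "FORWARD") &&
                                $3 == "-o" && $4 == ifc && /RELATED,ESTABLISHED/ &&
                                $NF == "ACCEPT" { hit = 1 }
                                END { exit !hit }' "$f"; then
            echo "warn: $ifc accepted inbound on forward but has no RELATED,ESTABLISHED reply rule"
            count=$((count + 1))
        fi
    done
    return $count
}

# sample_rules builtin|ufw: constructed fragments copying the two variants
# posted in this thread (the first attempt, and the corrected before.rules).
sample_rules() {
    if [ "$1" = builtin ]; then
        printf '%s\n' \
            '-A INPUT -i tun0 -j ACCEPT' \
            '-A FORWARD -i tun0 -j ACCEPT'
    else
        printf '%s\n' \
            '-A ufw-before-input -i lo -j ACCEPT' \
            '-A ufw-before-output -o lo -j ACCEPT' \
            '-A ufw-before-input -i tun0 -j ACCEPT' \
            '-A ufw-before-forward -i tun0 -j ACCEPT' \
            '-A ufw-before-forward -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    fi
}

# Demo: lint both variants, then print the block for all tun interfaces.
tmp_bad=$(mktemp); tmp_ok=$(mktemp)
sample_rules builtin > "$tmp_bad"
sample_rules ufw > "$tmp_ok"
lint_before_rules "$tmp_bad" || echo "first variant: $? finding(s)"
lint_before_rules "$tmp_ok" && echo "corrected variant: no findings"
ovpn_rules 'tun+'
rm -f "$tmp_bad" "$tmp_ok"
```

Paste the emitted lines into the *filter section of /etc/ufw/before.rules above its COMMIT line and run `sudo ufw reload`, which re-reads the file and reports an error if the block does not parse. The lint only looks at unindented `-A` lines, which is how before.rules is written; the duplicated conntrack/state rules in the posts above are harmless and either one satisfies the check.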