First, you are missing an important rule which governs traffic sent in reply to TCP requests. As it stands now, you could send a request to a website but not see the page. In addition, if you adopt INPUT DROP as the policy, you're going to need more rules. Traffic originating on the localhost (127.0.0.1) interface, for instance, will be blocked. You'll also be blocking ICMP traffic so pings won't work. To fix these, add these three lines at the top of the ruleset, right after the policies:
Code:
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
You can either drop by default or drop by rule. If you want to log all the nonconforming traffic, you are better off with ACCEPT as the policy and dropping by rule. Use these rules at the end of the ruleset:
Code:
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j DROP
And, yes, you want both an INPUT and an OUTPUT rule for the tun interfaces. I don't know what you mean by eth0 being forwarded to tun0. That doesn't happen by default, and frankly, I don't know why you would want to do that.
Bookmarks