Friday, October 30, 2020

Iptables DROP policy issue

Hi all, I have been trying to solve an iptables issue for some time now. Basically I have a WireGuard VPN which uses port 51820. If I try changing the INPUT policy from ACCEPT to DROP, the VPN client can connect but cannot use the internet.

Here are my iptables rules (iptables-save output, one rule per line):

# chain policies (all ACCEPT in this dump; the problem appears once INPUT is set to DROP)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# WireGuard listener on the WAN side
-A INPUT -i eth0 -p udp -m udp --dport 51820 -m comment --comment wireguard-input-rule -j ACCEPT
# replies to flows this host already tracks
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 4711:4720 -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
# DNS and HTTP, only from the LAN range and loopback
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# per-service ports (numbers redacted in the original post)
-A INPUT -p tcp -m tcp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport redacted -m state --state NEW,ESTABLISHED -j ACCEPT
# duplicate of the conntrack rule above
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport redacted -j ACCEPT
-A INPUT -p tcp -m tcp --dport redacted -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
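Added example (not part of the original post). Nothing in the rule set above accepts packets that arrive on the tunnel interface itself: the DNS and port-80 rules are restricted to 192.168.0.0/16 and 127.0.0.0/8, so once the INPUT policy is DROP, a VPN client whose resolver is this host gets no DNS answers, which looks exactly like "connected but no internet". The script below builds a complete INPUT-DROP rule set for `iptables-restore` that accepts the tunnel's DNS/HTTP traffic explicitly, and also makes forwarding and NAT explicit instead of relying on a FORWARD ACCEPT policy. The tunnel interface `wg0`, the tunnel subnet `10.6.0.0/24`, and `eth0` as the WAN interface are assumptions, adjust them with the environment variables. By default it only prints the rules; `--test` dry-runs them through `iptables-restore -t`, `--apply` loads them (both need root).

```shell
#!/bin/sh
# Added example: INPUT-DROP rule set for a WireGuard server that also serves
# DNS/HTTP to its tunnel clients. Interface and subnet names are assumptions.
WG_IF="${WG_IF:-wg0}"            # assumed tunnel interface
WG_NET="${WG_NET:-10.6.0.0/24}"  # assumed tunnel subnet
WAN_IF="${WAN_IF:-eth0}"         # WAN interface from the original rules
WG_PORT="${WG_PORT:-51820}"      # WireGuard listen port from the original rules

# Emit an iptables-restore file on stdout. Nothing is applied here.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked flows first, matched once, not twice.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# WireGuard handshake and data from the WAN side.
-A INPUT -i $WAN_IF -p udp --dport $WG_PORT -m comment --comment wireguard-input-rule -j ACCEPT
# Services offered to the tunnel: DNS (53 udp+tcp) and the web UI (80 tcp).
# The original set only allowed these from 192.168.0.0/16, so a client whose
# source is $WG_NET was dropped once the policy became DROP.
-A INPUT -i $WG_IF -s $WG_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $WG_IF -s $WG_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $WG_IF -s $WG_NET -p tcp --dport 80 -j ACCEPT
# Same services for the LAN, as in the original rule set.
-A INPUT -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
# (add the other per-port ACCEPT rules from the original set here)
# Forwarding: tunnel -> WAN for new flows, WAN -> tunnel only for replies.
-A FORWARD -i $WG_IF -o $WAN_IF -s $WG_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check: the generated set must accept tunnel DNS, the rule that is
# most often missing when the INPUT policy is flipped to DROP.
check_rules() {
  gen_rules | grep -q -- "-i $WG_IF -s $WG_NET -p udp --dport 53 -j ACCEPT"
}

case "${1:-}" in
  --apply) gen_rules | iptables-restore ;;     # load (root required)
  --test)  gen_rules | iptables-restore -t ;;  # parse only, do not load
  *)       gen_rules ;;                        # print to stdout
esac
```

Forwarding also needs `net.ipv4.ip_forward=1` in sysctl, and the FORWARD DROP policy plus MASQUERADE assume clients route their default gateway through the tunnel; if they only reach the LAN, drop the NAT section. `iptables-restore -t` is the cheap check to run before `--apply`, and `iptables -S INPUT` afterwards shows what actually landed.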
