Hello, I'm trying to make the most secure and restrictive iptables possible for a simple VPN connection on Debian Live. Could you have a quick look if the rules for VPN at the bottom are OK?
Do I actually need any of the other DROP rules for security, when the default policy is already DROP? I feel like I only need ACCEPT rules here. Thanks so much!

VPN Server Port: 1194
VPN Server IP: 189.174.135.110

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# no fragmented packets
-A INPUT -f -j DROP
# drop fake localhost packets (127/8 source arriving on anything but lo)
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# first packet of a new TCP connection has to be a SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# drop some ICMP probes (address-mask and timestamp requests)
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
# drop broadcast, multicast, anycast
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
# drop invalid (packets conntrack cannot associate with any flow)
-A INPUT -m state --state INVALID -j DROP
# drop spoofed packets
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# drop RFC1918 source addresses
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
# allow localhost
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# allow VPN: the client (192.168.1.0/24) opens UDP 1194 to the server; only replies to that existing flow are let back in
-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# allow ping from inside to outside (request out, reply in)
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
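The question of whether a DROP rule still does anything once the chain policy is DROP comes down to rule order: a DROP rule only changes a verdict if some ACCEPT rule below it would otherwise match the same packet. The script below is an added example (editor's code, not the poster's ruleset or iptables itself) that models the INPUT chain above as a first-match list and checks, for a set of constructed sample packets, which DROP rules can be removed without changing any verdict. It models only interface, protocol, source/destination CIDR, port ranges, conntrack state and ICMP type; the fragment and addrtype rules are left out, and the conntrack state of each sample packet is set by hand. The interface name eth0, the client address 192.168.1.10 and all sample packets are assumptions for the demo.

```python
# Added example: toy first-match chain evaluator for the INPUT chain in the post.
# Not iptables: fragments (-f) and addrtype are not modelled, and each sample
# packet carries a hand-assigned conntrack state. Addresses other than the
# poster's VPN server and LAN prefix are constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    iface: str = "eth0"        # assumed interface name
    sport: int = 0
    dport: int = 0
    state: str = "NEW"         # NEW, ESTABLISHED, RELATED or INVALID (hand-assigned)
    icmp_type: str = ""
    syn: bool = True           # TCP SYN flag set (tcp only)


@dataclass
class Rule:
    target: str                              # "ACCEPT" or "DROP"
    note: str = ""
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None                # CIDR or single address
    dst: Optional[str] = None
    sport: Optional[tuple] = None            # inclusive (lo, hi)
    dport: Optional[tuple] = None
    states: Optional[frozenset] = None
    icmp_type: Optional[str] = None
    pred: Optional[Callable[[Packet], bool]] = None  # extra match such as "! -i lo"

    def matches(self, p: Packet) -> bool:
        return all([
            self.iface is None or p.iface == self.iface,
            self.proto is None or p.proto == self.proto,
            self.src is None or ip_address(p.src) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False),
            self.sport is None or self.sport[0] <= p.sport <= self.sport[1],
            self.dport is None or self.dport[0] <= p.dport <= self.dport[1],
            self.states is None or p.state in self.states,
            self.icmp_type is None or p.icmp_type == self.icmp_type,
            self.pred is None or self.pred(p),
        ])


def verdict(rules, p, policy="DROP"):
    """First matching rule wins, as in an iptables chain; otherwise the policy."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.target, i
    return policy, None


def redundant_drops(rules, packets, policy="DROP"):
    """Indices of DROP rules whose removal changes no verdict for `packets`.

    Relative to the sample set only: it is evidence, not a proof for all traffic.
    """
    base = [verdict(rules, p, policy)[0] for p in packets]
    return [i for i, r in enumerate(rules) if r.target == "DROP"
            and [verdict(rules[:i] + rules[i + 1:], p, policy)[0] for p in packets] == base]


VPN_SERVER = "189.174.135.110"
INPUT = [  # the poster's INPUT chain, in order, minus fragment/addrtype rules
    Rule("DROP", "fake localhost", src="127.0.0.0/8", pred=lambda p: p.iface != "lo"),
    Rule("DROP", "tcp !syn NEW", proto="tcp", states=frozenset({"NEW"}), pred=lambda p: not p.syn),
    Rule("DROP", "timestamp-request", proto="icmp", icmp_type="timestamp-request"),
    Rule("DROP", "INVALID", states=frozenset({"INVALID"})),
    Rule("DROP", "rfc1918 10/8", src="10.0.0.0/8"),
    Rule("DROP", "rfc1918 192.168/16", src="192.168.0.0/16"),
    Rule("ACCEPT", "loopback", iface="lo", src="127.0.0.1", dst="127.0.0.1"),
    Rule("ACCEPT", "vpn reply", iface="eth0", proto="udp", src=VPN_SERVER, dst="192.168.1.0/24",
         sport=(1194, 1194), dport=(32768, 65535), states=frozenset({"ESTABLISHED"})),
    Rule("ACCEPT", "echo-reply", proto="icmp", icmp_type="echo-reply"),
]

PACKETS = [  # constructed samples; 192.168.1.10 is the assumed client address
    Packet(VPN_SERVER, "192.168.1.10", "udp", sport=1194, dport=40000, state="ESTABLISHED"),  # real VPN reply
    Packet(VPN_SERVER, "192.168.1.10", "udp", sport=1194, dport=40000, state="INVALID"),      # reply to no flow
    Packet("127.0.0.1", "127.0.0.1", "udp", iface="lo", dport=53),                           # local traffic
    Packet("8.8.8.8", "192.168.1.10", "icmp", icmp_type="echo-reply", state="ESTABLISHED"),   # answer to our ping
    Packet("10.0.0.1", "192.168.1.10", "icmp", icmp_type="echo-reply", state="ESTABLISHED"),  # RFC1918 source
    Packet("127.0.0.9", "192.168.1.10", "icmp", icmp_type="echo-reply", state="ESTABLISHED"), # 127/8 on eth0
    Packet("1.2.3.4", "192.168.1.10", "icmp", icmp_type="echo-reply", state="INVALID"),       # unsolicited reply
    Packet("1.2.3.4", "192.168.1.10", "tcp", sport=4444, dport=22, syn=False),                # non-SYN "new" TCP
    Packet("192.168.0.5", "192.168.1.10", "udp", sport=1194, dport=40000, state="ESTABLISHED"),  # fake VPN server
]

if __name__ == "__main__":
    for p in PACKETS:
        v, i = verdict(INPUT, p)
        via = INPUT[i].note if i is not None else "policy"
        print(f"{p.src:>16} {p.proto:<4} {p.state:<11} -> {v} via {via}")
    print("DROP rules redundant for these samples:",
          [INPUT[i].note for i in redundant_drops(INPUT, PACKETS)])
```

For these samples the "tcp !syn NEW", "timestamp-request" and "192.168/16" drops never change a verdict, because no ACCEPT rule below them can match such packets anyway. The "fake localhost", "INVALID" and "10/8" drops do change verdicts, and in every case it is the final echo-reply ACCEPT, which checks neither source address nor conntrack state, that would otherwise let the packet through. That is the general rule the simulation illustrates: under a DROP policy, the DROP rules that matter are exactly the ones sitting above a broad ACCEPT; the narrower the ACCEPT rules are, the fewer DROP rules are load-bearing.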