On Mon, Apr 28, 2014 at 12:36:07PM +0300, Dmitry Korzhevin wrote:
> Guys, please advise, I use the following Debian iptables rules to allow
> my UDP services:
>
> (openvpn server works on port 6000)
>
> iptables -I OUTPUT 2 -p udp --dport 53 -j ACCEPT

rob0 Rule of Thumb: If you have to ask for help to make it work, you do
not need OUTPUT filtering ...

> iptables -I OUTPUT 2 -p udp --dport 1700:1750 -j ACCEPT
> iptables -I OUTPUT 3 -p udp -m udp --dport 1812 -j ACCEPT
> iptables -I OUTPUT 5 -p udp -m udp --dport 1813 -j ACCEPT
> iptables -I OUTPUT 5 -p udp -m udp --dport 5950:6050 -j ACCEPT
> iptables -I OUTPUT 5 -p udp -m udp --dport 499:510 -j ACCEPT
> iptables -I OUTPUT 5 -p udp -m udp --dport 4490:4550 -j ACCEPT
> iptables -I OUTPUT 20 -p udp -j DROP

... Just say "No" to DROP.

What threat model does this filtering address? If you can't answer that,
you have not adequately thought this through.

Furthermore, this is not really the best place to ask iptables questions.
There's nothing specific to openvpn in your question.

> But after applying them, IPsec, L2TP and OpenVPN UDP on port 6000 stop
> working, i.e. I can't connect.
>
> Here are my services:
>
> udp 0 0 0.0.0.0:500 0.0.0.0:* 3115/charon
> udp 0 0 0.0.0.0:1701 0.0.0.0:* 2885/xl2tpd
> udp 0 0 162.245.256.150:6000 0.0.0.0:* 2818/openvpn
> udp 0 0 0.0.0.0:4500 0.0.0.0:* 3115/charon
> udp6 0 0 :::500 :::* 3115/charon

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
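An added illustration of the point rob0 makes about thinking OUTPUT filtering through; this is example code written for this page, not code from the thread or from either poster. Every rule quoted above matches on `--dport`, but a UDP service answers from its own listening port, so its replies carry the service port as the *source* port and the client's ephemeral port as the destination. The script below parses netstat-style listener lines (the ones from the post, reused as constructed input), reports which services' replies none of the posted ACCEPT rules would match before the trailing `-p udp -j DROP`, and then builds a conntrack-based OUTPUT rule set that does cover them. The function names are my own; the generated rules assume `iptables` with the `conntrack` match available and leave the chain's default policy to the administrator.

```python
"""Check whether an iptables OUTPUT rule set lets a host's own UDP services reply."""
import re

# Constructed sample input: the listening-socket lines quoted in the post
# (netstat -ulnp style: proto Recv-Q Send-Q local foreign pid/program).
NETSTAT_UDP = """\
udp 0 0 0.0.0.0:500 0.0.0.0:* 3115/charon
udp 0 0 0.0.0.0:1701 0.0.0.0:* 2885/xl2tpd
udp 0 0 162.245.256.150:6000 0.0.0.0:* 2818/openvpn
udp 0 0 0.0.0.0:4500 0.0.0.0:* 3115/charon
udp6 0 0 :::500 :::* 3115/charon
"""

# Constructed sample input: the OUTPUT rules quoted in the post, one per line.
POSTED_RULES = """\
iptables -I OUTPUT 2 -p udp --dport 53 -j ACCEPT
iptables -I OUTPUT 2 -p udp --dport 1700:1750 -j ACCEPT
iptables -I OUTPUT 3 -p udp -m udp --dport 1812 -j ACCEPT
iptables -I OUTPUT 5 -p udp -m udp --dport 1813 -j ACCEPT
iptables -I OUTPUT 5 -p udp -m udp --dport 5950:6050 -j ACCEPT
iptables -I OUTPUT 5 -p udp -m udp --dport 499:510 -j ACCEPT
iptables -I OUTPUT 5 -p udp -m udp --dport 4490:4550 -j ACCEPT
iptables -I OUTPUT 20 -p udp -j DROP
"""


def listening_udp_ports(netstat_text, family="udp"):
    """Return the sorted local ports that have a listener in the given family (udp or udp6)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != family:
            continue
        # Local address is field 3; the port follows the last ':' (works for :::500 too).
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return sorted(ports)


def _port_range(spec):
    """Parse an iptables port spec 'N' or 'LO:HI' into (lo, hi)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def rule_covers_reply(rule, service_port):
    """True if this ACCEPT rule matches a datagram sent *from* service_port.

    A reply from a local UDP server has source port == service port and an
    arbitrary client-chosen destination port, so only a --sport match or a
    conntrack ESTABLISHED match can reliably accept it; --dport cannot.
    """
    if "-j ACCEPT" not in rule:
        return False
    if re.search(r"--(?:ctstate|state)\s+\S*ESTABLISHED", rule):
        return True
    m = re.search(r"--sport\s+(\d+(?::\d+)?)", rule)
    if m:
        lo, hi = _port_range(m.group(1))
        return lo <= service_port <= hi
    return False


def uncovered_reply_ports(rules_text, netstat_text):
    """Service ports whose replies no ACCEPT rule in rules_text would match."""
    rules = [r for r in rules_text.splitlines() if r.strip()]
    return [p for p in listening_udp_ports(netstat_text)
            if not any(rule_covers_reply(r, p) for r in rules)]


def stateful_output_rules(netstat_text):
    """Build OUTPUT rules that let every local UDP listener answer its clients.

    The conntrack rule alone covers replies to tracked flows; the per-port
    --sport rules are a belt-and-braces fallback if conntrack is not loaded.
    """
    rules = ["iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for port in listening_udp_ports(netstat_text):
        rules.append(f"iptables -A OUTPUT -p udp --sport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("reply ports not covered by posted rules:",
          uncovered_reply_ports(POSTED_RULES, NETSTAT_UDP))
    print("\n".join(stateful_output_rules(NETSTAT_UDP)))
```

Run against the posted rules, the check reports all four IPv4 listeners (500, 1701, 4500, 6000) as uncovered, which is exactly the symptom described: the `--dport 5950:6050` rule looks like it covers OpenVPN on 6000 but only matches traffic *to* that range, not the server's replies. The generated set is one way to close that gap; it deliberately contains no DROP, since the chain's default policy and any explicit rejects are the threat-model decision rob0 is asking about.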