1

I own a VPS (CentOS 6.5). I have installed OpenVPN on this server. Everything works fine, I can connect and surf, etc. Let's say the IP of the server is 1.2.3.4. When I connect to my VPS, my IP is 1.2.3.4.

I have also installed OpenERP (on the same VPS) which is running on port 8069.

What I am trying to achieve is to block all traffic on port 8069 except the VPN traffic. So, I have to connect to my VPS with OpenVPN to access http://1.2.3.4:8069.

I tried several iptables tutorials on the net, but none of them are working.

For example:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8069 -j ACCEPT 
or 
iptables -A INPUT -p tcp -s  10.8.0.0/24 --dport 8069 -j ACCEPT
or
iptables -I INPUT \! --src 10.8.0.0/24 -m tcp -p tcp --dport 8069 -j DROP
or
iptables -I INPUT \! --src 1.2.3.4 -m tcp -p tcp --dport 8069 -j DROP

These are examples. I have tried even more rules. All the tutorials I followed block all traffic on port 8069: even when I connect to my VPS with OpenVPN, I can't access http://1.2.3.4:8069.

Does anyone have an idea how to block all traffic on port 8069 except my VPN connection? How do I achieve this?

My server.conf is:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
user nobody
group nobody
keepalive 5 30
cipher AES-256-CBC   
comp-lzo
persist-key
persist-tun
verb 5

My client conf is:

dev tun
client
proto udp
remote 1.2.3.4
port 1194
resolv-retry infinite
nobind
redirect-gateway def1
persist-key
persist-tun
ca ca.crt
cert nika-pc.crt
key nika-pc.key
cipher AES-256-CBC   
comp-lzo
ns-cert-type server
verb 5

Thanks in advance.

Edit:

Output: iptables -L -n -v

http://pastebin.com/RhzFBG8R

Output: iptables -L -n -v | head

http://pastebin.com/n6gLe68s

Nika452
  • 11
  • 4

2 Answers

1

My word, that's a complex firewall setup (although an awful lot of the rules have zero packet counts, which makes me think there's a lot of historical cruft in there). Rather than poring through, trying to work out which existing rule is catching this traffic in error, I suggest we cut through and just put the relevant rules at the top:

iptables -I INPUT 1 -p tcp -i tun+ --dport 8069 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8069 -j REJECT

Edit: I really do encourage you to edit the updates into your question, instead of leaving an endless series of pastebin links, which may or may not stay put over time. In any case, thanks for the new output. As you can see, the packet counts on the first rule are zero, while those on the second (blanket refusal) rule are most definitely not. The only conclusion left is that you are mistaken about this traffic using the OpenVPN connection; it's pretty clearly coming over the plaintext internet. If you want to be completely sure, add a third rule in between the two above, with

iptables -I INPUT 2 -p tcp --dport 8069 -j LOG --log-prefix "CARROT: "

Unless the word CARROT turns up in your logfiles a lot, it should be easy to find the output from those matches in your system logs (/var/log/messages, or as syslog/your distro deems appropriate), and they should confirm which interface the packets being refused are coming in on. I don't expect it to be tun0.

MadHatter
  • 78,442
  • 20
  • 178
  • 229
  • Not working :( rejecting all traffic, even tun+. – Nika452 Dec 29 '13 at 20:20
  • And what are the packet counts on those new rules after you do that? (Try `iptables -L -n -v | head`, and *editing the output into your question*.) – MadHatter Dec 30 '13 at 06:23
  • Thanks for the reply MadHatter. This is the output: http://pastebin.com/n6gLe68s – Nika452 Dec 30 '13 at 15:41
  • I have checked the messages file. Here's an example: Dec 30 17:20:15 thor kernel: CARROT: IN=eth0 OUT= MAC=00:16:3e:34:48:2b:00:04:80:df:6b:00:08:00 SRC=77.173.xxx.xx (home ip) DST=159.253.x.xxx (server ip) LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=26068 DF PROTO=TCP SPT=64211 DPT=8069 WINDOW=8192 RES=0x00 SYN URGP=0 So it reads my source IP and that's the reason why I'm blocked? PS: I'll update everything in my Q. – Nika452 Dec 30 '13 at 16:36
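The two pieces of evidence the answer relies on, the rule counters from `iptables -L -n -v` and the `CARROT:` kernel LOG line, can be checked mechanically rather than by eye. The script below is an added example, not code from the answerer or from the question; it parses both, applies the same reasoning as the answer (tun+ ACCEPT counter at zero while the blanket REJECT counter climbs means the client is not using the tunnel), and reports which interface the refused packets enter on. The sample counter output and LOG lines are constructed with documentation addresses and are not the pastebin output from the question. Note that the logged line in the comment shows IN=eth0 with the home IP as source, which is what you get when the browser reaches the server's public address 1.2.3.4: OpenVPN's `redirect-gateway def1` deliberately routes the VPN server's public IP outside the tunnel, so only traffic to the server's tunnel address (10.8.0.1 with `server 10.8.0.0 255.255.255.0`) arrives on tun0 and matches the `-i tun+` rule.

```python
"""Added example: check whether traffic to a port really arrives over the VPN.

Evidence used (both from the answer above):
  1. counters from `iptables -L -n -v`: is the tun+ ACCEPT rule ever hit?
  2. kernel LOG lines (prefix "CARROT:"): which interface, IN=..., do the
     refused packets enter on?

Sample inputs are constructed with documentation addresses (203.0.113.0/24,
198.51.100.0/24); they are not the output posted in the question.
"""
import re
from typing import Dict, List, Optional

# KEY=VALUE pairs in a netfilter LOG line; bare flags such as DF or SYN carry no '='.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Turn a kernel LOG line into a dict of its KEY=VALUE fields.

    Returns None for lines without an IN= field (not netfilter LOG output).
    """
    if "IN=" not in line:
        return None
    return dict(KV_RE.findall(line))


def arrived_via_vpn(fields: Dict[str, str], iface_prefix: str = "tun") -> bool:
    """True when the packet entered on a tunnel interface, which is exactly
    what the `-i tun+` match in the ACCEPT rule tests."""
    return fields.get("IN", "").startswith(iface_prefix)


def ingress_by_interface(lines: List[str], port: int, prefix: str = "CARROT:") -> Dict[str, int]:
    """Count logged packets destined to `port`, per ingress interface."""
    counts: Dict[str, int] = {}
    for line in lines:
        if prefix not in line:
            continue
        fields = parse_log_line(line)
        if fields is None or fields.get("DPT") != str(port):
            continue
        iface = fields.get("IN") or "?"
        counts[iface] = counts.get(iface, 0) + 1
    return counts


def parse_counters(output: str, port: int) -> List[Dict[str, object]]:
    """Extract pkts/target/in-interface for the rules in `iptables -L -n -v`
    output that match `dpt:<port>`."""
    rules: List[Dict[str, object]] = []
    for line in output.splitlines():
        parts = line.split()
        # Rule lines start with two numeric counters (pkts, bytes); chain
        # headers and column headers do not.
        if len(parts) < 9 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        if f"dpt:{port}" not in line:
            continue
        rules.append({"pkts": int(parts[0]), "target": parts[2], "in": parts[5]})
    return rules


def diagnose(rules: List[Dict[str, object]]) -> str:
    """Apply the answer's reasoning to the counters."""
    vpn_hits = sum(int(r["pkts"]) for r in rules
                   if r["target"] == "ACCEPT" and str(r["in"]).startswith("tun"))
    refused = sum(int(r["pkts"]) for r in rules if r["target"] in ("REJECT", "DROP"))
    if vpn_hits == 0 and refused > 0:
        return "traffic reaches the port only outside the tunnel"
    if vpn_hits > 0 and refused == 0:
        return "all traffic to the port arrives via the VPN"
    if vpn_hits == 0 and refused == 0:
        return "no traffic to the port seen yet"
    return "mixed: some traffic via VPN, some refused"


# Constructed sample in the shape of `iptables -L -n -v | head` after the two
# inserted rules; the LOG rule would show up as a third line with target LOG.
SAMPLE_COUNTERS = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  tun+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8069
   42  2520 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8069 reject-with icmp-port-unreachable
"""

# Constructed sample LOG lines: two hits on the public interface, one on tun0.
SAMPLE_LOG = [
    "Dec 30 17:20:15 thor kernel: CARROT: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 "
    "SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=26068 DF PROTO=TCP "
    "SPT=64211 DPT=8069 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Dec 30 17:21:02 thor kernel: CARROT: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=26069 DF PROTO=TCP SPT=64212 DPT=8069 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Dec 30 17:25:40 thor kernel: CARROT: IN=tun0 OUT= SRC=10.8.0.6 DST=10.8.0.1 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=8069 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Dec 30 17:26:00 thor kernel: something unrelated",
]

if __name__ == "__main__":
    print(diagnose(parse_counters(SAMPLE_COUNTERS, 8069)))
    print(ingress_by_interface(SAMPLE_LOG, 8069))
```

To use it against a real box, feed `parse_counters` the text of `iptables -L -n -v` and `ingress_by_interface` the `CARROT:` lines grepped out of /var/log/messages; a non-zero count under eth0 with a home address as SRC confirms the answer's conclusion, and the fix on the client side is to browse to the tunnel address of the server rather than its public IP.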
0

I add an answer because I can't add a comment. I think that the protocol used is udp and not tcp, so:

iptables -I INPUT 1 -p udp -i tun+ --dport 8069 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 8069 -j REJECT
dwarf
  • 21
  • 3