Configuration with iptables and openvpn client

  • Hello,

    I would like to secure my Pi4 (LibreELEC 10.0.2 + NAS via Samba).
    For this I first installed vpn-manager, then I imported the .ovpn to connect to my own OpenVPN server (on the web) via the tun0 network interface.
    It works very well 8)

    I would now like to configure iptables in order to restrict certain accesses from my local network.
    For this I selected the "custom" choice in the LibreELEC interface (network menu in the config).
    Then I typed these basic commands to test some rules:

    Problem: the VPN connection is no longer possible when I apply these rules.

    I have a little trouble with iptables as soon as it becomes complicated... ;(

    Does anyone have an idea what my error is?

  • Look inside the /etc/iptables directory, there you can learn how LE builds the firewall. For testing, build your own firewall in /storage/.config/iptables/rules.v4 or rules.v6, and enable it in Settings:System:Network.

  • Hi,

    Thank you for your reply, I may have misspoken. I am familiar with how rules.v4 and rules.v6 work. When I run an iptables command, they go into these files.

    (provided you have saved them with the command iptables-save >/storage/.config/iptables/rules.v4 and ip6tables-save >/storage/.config/iptables/rules.v6)

    What I'm looking for is what rule to apply to allow my vpn client to connect to my server via tun0. The ones I put don't work.

    Thank you in advance :)

  • I got this in my tinc setup

    Code
    # Let the box route packets between interfaces (tinc peers <-> home LAN)
    iptables -A FORWARD -j ACCEPT
    # Hide routed packets behind the box's own address on each interface
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    # Forwarding is off by default; enable it in the kernel
    sysctl -w net.ipv4.ip_forward=1

    Connecting and having full access to my home devices 😉 Works way faster than OpenVPN...

  • Well, I found a configuration that works!
    Summary:
    Pi4 on local network in NAS + remote VPN:
    1) Set Kodi's network/firewall config to custom
    2) Reboot
    3) iptables -L to check if all strings are empty and rm /storage/.config/iptables/rules.v4 (if it exists)
    4) iptables-save >/storage/.config/iptables/rules.v4
    5) nano /storage/.config/iptables/rules.v4
    6) Copy/paste all of this:

    PS: There is a local network protection: iprange >>>>>>> don't forget to configure this. For me it is: 192.168.1.200-192.168.1.254

    7) optional:

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    8) Reboot

    For IPv6 I have blocked all traffic.


    I hope I'm not making too many security mistakes with this, if someone more experienced in iptables can take a look!
    For me, that's enough! (local restriction with iprange)

    Long live LibreELEC!

    Edited once, last by Dash2en1 (November 16, 2023 at 8:47 PM).
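As an added illustration of the question asked earlier in the thread (which rules let the OpenVPN client on tun0 keep working once the INPUT policy is DROP) and of the final post's rules.v4/rules.v6 layout, the script below generates both files in iptables-save format. It is example code written for this page, not LibreELEC's own firewall and not the rules any poster used; the server address 203.0.113.10, port 1194/udp, the interface names eth0 and tun0 and the LAN range are assumptions to adjust. The point it demonstrates: the client needs no INPUT rule for tun0 or for the server at all, because the handshake replies and all tunnel traffic arrive as conntrack state ESTABLISHED,RELATED; the Pi is an endpoint, so FORWARD stays DROP and no ip_forward or MASQUERADE is needed (unlike the tinc router setup above).

```shell
#!/bin/sh
# Added example: writes rules.v4 and rules.v6 for a LibreELEC box that runs an
# OpenVPN *client* on tun0 and serves Samba to a restricted LAN range.
# Every value below is an assumption for this example; adjust it to your network.
VPN_SERVER="203.0.113.10"                  # placeholder address of your OpenVPN server
VPN_PORT="1194"                            # assumed server port
VPN_PROTO="udp"                            # assumed transport (udp or tcp, as in the .ovpn)
LAN_IF="eth0"                              # assumed LAN interface
VPN_IF="tun0"                              # tunnel interface named in the thread
LAN_RANGE="192.168.1.200-192.168.1.254"    # the iprange used in the thread

generate_rules_v4() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always needed (Kodi and its add-ons talk to themselves).
-A INPUT -i lo -j ACCEPT
# Replies to connections the Pi opened itself. This one rule is what keeps the
# OpenVPN client working: the handshake with the server on ${LAN_IF} and all
# traffic coming back through ${VPN_IF} is conntrack state ESTABLISHED/RELATED.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only the trusted LAN range may ping and use SSH and Samba (139/445).
-A INPUT -i ${LAN_IF} -p icmp -m iprange --src-range ${LAN_RANGE} -j ACCEPT
-A INPUT -i ${LAN_IF} -p tcp -m iprange --src-range ${LAN_RANGE} -m multiport --dports 22,139,445 -j ACCEPT
# Optional, as in step 7 of the thread, but limited to the LAN range instead of everyone.
-A INPUT -i ${LAN_IF} -p tcp -m iprange --src-range ${LAN_RANGE} -m multiport --dports 80,443 -j ACCEPT
# Uncomment only if peers on the far side of the tunnel should reach the share.
#-A INPUT -i ${VPN_IF} -p tcp -m multiport --dports 139,445 -j ACCEPT
# Everything else that reaches the Pi is logged (rate limited) before the policy drops it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
# Redundant while OUTPUT is ACCEPT, but keeps the tunnel alive if OUTPUT is later set to DROP.
-A OUTPUT -o ${LAN_IF} -p ${VPN_PROTO} -d ${VPN_SERVER} --dport ${VPN_PORT} -j ACCEPT
COMMIT
EOF
}

# Mirrors the last post: all IPv6 blocked except loopback. If the LAN really
# uses IPv6, ICMPv6 (neighbour discovery) must be allowed instead of dropped.
generate_rules_v6() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Parse-only check with iptables-restore --test (needs the tool and root); no rules are loaded.
check_rules() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    generate_rules_v4 | iptables-restore --test
}

# Write both files into the directory LibreELEC reads when the firewall is set to "custom".
write_rules_files() {
    dir="${1:-/storage/.config/iptables}"
    mkdir -p "$dir"
    generate_rules_v4 > "$dir/rules.v4"
    generate_rules_v6 > "$dir/rules.v6"
}

# Usage: sh firewall.sh install   (then enable the custom firewall and reboot)
if [ "${1:-}" = "install" ]; then
    write_rules_files
fi
```

After installing, `iptables -L -v -n` should show the ESTABLISHED,RELATED rule accumulating counters as soon as the client connects; if the tunnel fails to come up with this set, the cause is in OpenVPN (routes or DNS pushed by the server) rather than in the filter, since no rule here blocks what the client itself initiates.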