Configuration with iptables and openvpn client

Hello,

I would like to secure my pi4 (Libreelec 10.0.2 + nas via samba)
For this I first installed vpn-manager, then I imported the .ovpn to connect to my own openvpn server (on the web) via the tun0 network interface.
It works very well

I would now like to configure iptables in order to restrict certain accesses from my local network.
For this I put in the Libreelec interface the "custom" choice (network menu in the config)
Then I typed these basic commands to test some rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m iprange --src-range 192.168.1.200-192.168.1.254 -j ACCEPT
iptables -A INPUT -p icmp -i eth0 -j ACCEPT
##VPN##
iptables -A INPUT -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

iptables -A INPUT -j DROP

Problem: vpn connection is no longer possible when i apply these rules..

I have a little trouble with iptables as soon as it becomes complicated...

Anyone have an idea of my error?

Hi,

Thank you for your reply, I may have misspoken. I am familiar with how rules.v4 and v.6 work. when I run an iptables command they go into these files.

(provided you have saved them with the command iptables-save >/storage/.config/iptables/rules.v4 and ip6tables-save >/storage/.config/iptables/rules.v6)

What I'm looking for is what rule to apply to allow my vpn client to connect to my server via tun0. The ones I put don't work.

Thank you in advance

Thank you very much for sharing your iptables configuration. Unfortunately it still doesn't work.
sniff

Well, I found a configuration that works!
Summary:
pi4 on local network in NAS + remote vpn:
1) Set kodi's network/firewall config to custom
2) Reboot
3) iptables -L to check if all strings are empty and rm /storage/.config/iptables/rules.v4 (if exist)
4)iptables-save >/storage/.config/iptables/rules.v4
5) nano /storage/.config/iptables/rules.v4
6)Copy/Paste all of this:

ps:There is a local network protection: iprange >>>>>>> don't forget to configure this.. for me is: 192.168.1.200-192.168.1.254

*filter
:INPUT DROP [11:696]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [188:11218]
#Port ssh:
-A INPUT -p tcp --dport 22 -j ACCEPT
#Tout traffic Local Entrant entre 192.168.1.200-192.168.1.254
-A INPUT -m iprange --src-range 192.168.1.200-192.168.1.254 -j ACCEPT
#Port vpn:
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#loopback:
-A INPUT -i lo -j ACCEPT
#openvpn:
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [11:696]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:510]
:POSTROUTING ACCEPT [7:510]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/32 -o eth0 -j MASQUERADE
COMMIT

7)optional:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

8)Reboot

For ipv6 i have bloqued all traffics

I hope I'm not making too many security mistakes with this, if someone more experienced in iptables can take a look!
For me, that's enough! (local restriction with iprange)

long live Libreelec!