Need IPTABLES rules explanation about OpenVPN set up
by grigory from LinuxQuestions.org on (#4QNR2)
Hello!
I've got Ubuntu 16.04 and OpenVPN installed and seems to be working fine. But when I check firewall rules using "sudo ufw status", then I see this:
Code:Status: active
To Action From
-- ------ ----
80 ALLOW Anywhere
443 ALLOW Anywhere
53 ALLOW Anywhere
465 ALLOW Anywhere
25 ALLOW Anywhere
110 ALLOW Anywhere
995 ALLOW Anywhere
143 ALLOW Anywhere
993 ALLOW Anywhere
10025 ALLOW Anywhere
10024 ALLOW Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
53 (v6) ALLOW Anywhere (v6)
465 (v6) ALLOW Anywhere (v6)
25 (v6) ALLOW Anywhere (v6)
110 (v6) ALLOW Anywhere (v6)
995 (v6) ALLOW Anywhere (v6)
143 (v6) ALLOW Anywhere (v6)
993 (v6) ALLOW Anywhere (v6)
10025 (v6) ALLOW Anywhere (v6)
10024 (v6) ALLOW Anywhere (v6) Port 1194 isn't mentioned at all! But I use netstat command "root@mail:~# netstat -anlp |grep 1194" I get this:
Code:udp 0 0 0.0.0.0:1194 0.0.0.0:* 1142/openvpnAlso I have this file, created by the OpenVPN script here /etc/systemd/system/openvpn-iptables.service and I see this in it:
Code:[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target So my question is... if port 1194 is open (is it?) with these IPTABLES rules, then why I don't see it in ufw status?
I've got Ubuntu 16.04 and OpenVPN installed and seems to be working fine. But when I check firewall rules using "sudo ufw status", then I see this:
Code:Status: active
To Action From
-- ------ ----
80 ALLOW Anywhere
443 ALLOW Anywhere
53 ALLOW Anywhere
465 ALLOW Anywhere
25 ALLOW Anywhere
110 ALLOW Anywhere
995 ALLOW Anywhere
143 ALLOW Anywhere
993 ALLOW Anywhere
10025 ALLOW Anywhere
10024 ALLOW Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
53 (v6) ALLOW Anywhere (v6)
465 (v6) ALLOW Anywhere (v6)
25 (v6) ALLOW Anywhere (v6)
110 (v6) ALLOW Anywhere (v6)
995 (v6) ALLOW Anywhere (v6)
143 (v6) ALLOW Anywhere (v6)
993 (v6) ALLOW Anywhere (v6)
10025 (v6) ALLOW Anywhere (v6)
10024 (v6) ALLOW Anywhere (v6) Port 1194 isn't mentioned at all! But I use netstat command "root@mail:~# netstat -anlp |grep 1194" I get this:
Code:udp 0 0 0.0.0.0:1194 0.0.0.0:* 1142/openvpnAlso I have this file, created by the OpenVPN script here /etc/systemd/system/openvpn-iptables.service and I see this in it:
Code:[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to xx.249.16.253
ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target So my question is... if port 1194 is open (is it?) with these IPTABLES rules, then why I don't see it in ufw status?