Iptables – Linux IP Forwarding for OpenVPN – correct firewall setup

Tags: iptables, openvpn

I have OpenVPN running on a Linux machine. The VPN server has a public IP address (x.x.x.x) and the VPN clients are assigned addresses on the "tun" device in 10.8.0.0/24. I have an IPTables rule to NAT masquerade 10.8.0.0/24 onto the public IP address.

To get the VPN server running, I had to enable IP forwarding (so I set net.ipv4.conf.default.forwarding=1).

… In other words, it's exactly what the OpenVPN tutorial says to do, with no fancy tricks.

This all works, but I'm worried about the enabling forwarding part. I think the machine will now forward packets from any IP address to any IP address, which doesn't seem suitable. Since it has a publicly accessible IP, this is particularly bad.

Are there any firewall rule suggestions to restrict the unwanted forwarding behaviour? I think any answer will be one or more IPTables rules in the FORWARD chain, but this is where I've got stuck.

Thanks!

Best Answer

If you use these rules for the forwarding table, you should be fine.

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT

You can put the rules in the file /etc/sysconfig/iptables and restart the firewall. For a command-line trial, first do

iptables -F

to remove the default rejection of forwarding traffic and add 'iptables ' before each of the above three rules.
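A fuller version of the answer's approach, as an added example that is not part of the original post: it assumes the tun device is tun0 and the public interface is eth0 (both assumptions), takes the client subnet 10.8.0.0/24 from the question, pins the ACCEPT rule to the tun interface so nothing arriving on the public side is forwarded, flushes only the FORWARD chain, and prints the commands for review unless run as root with --apply.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions: OpenVPN's tun device is tun0, the interface holding the
# public IP is eth0, and clients live in 10.8.0.0/24 (from the question).
VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the commands as text so they can be reviewed before being applied.
# Only the FORWARD chain is flushed (a bare "iptables -F" would flush every
# chain of the filter table), and the chain policy is DROP so a later flush
# cannot silently re-enable forwarding for everyone.
vpn_forward_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Check: every rule that ACCEPTs new forwarded traffic must be pinned to the
# tun interface, the public interface and the VPN subnet, so packets that
# arrive on $WAN_IF (or spoof the VPN range elsewhere) are never forwarded.
check_rules() {
  vpn_forward_rules | grep '^iptables -A FORWARD ' | grep ' -j ACCEPT' |
    grep -v ESTABLISHED |
    grep -qv -- "-i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT" && return 1
  return 0
}

# Apply for real (needs root); without --apply the script only prints.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
  vpn_forward_rules | sh -e
}

if [ "${1:-}" = "--apply" ]; then apply_rules; else vpn_forward_rules; fi
```

The REJECT line from the answer is not needed here because the chain policy is already DROP; use REJECT instead if you want VPN clients to get an ICMP error rather than a timeout for blocked destinations.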