I'd like to have the TCP port 1195 also open for the VPN but it just says tcp dpt:1195 instead of udp dpt:openvpn and gives an error message explicit-exit-notify can only be used with -proto udp
these are my rules:
ACCEPT tcp -- anywhere anywhere tcp dpt:1195 /* Allow VPN connection */ ACCEPT udp -- anywhere anywhere udp dpt:openvpn /* Allow VPN connection */ cat /etc/openvpn/iptables.sh #!/bin/bash # Flush iptables -t nat -F iptables -t mangle -F iptables -F iptables -X # Block All iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP # allow Localhost iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Make sure you can communicate with any DHCP server iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT iptables -A INPUT -s 255.255.255.255 -j ACCEPT # Make sure that you can communicate within your own network iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT # Allow established sessions to receive traffic: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow TUN iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -o tun+ -j ACCEPT iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE iptables -A OUTPUT -o tun+ -j ACCEPT # allow VPN connection iptables -I OUTPUT 1 -p tcp --destination-port 1195 -m comment --comment "Allow VPN connection" -j ACCEPT # iptables -I OUTPUT 1 -p udp --destination-port 1194 -m comment --comment "Allow VPN connection" -j ACCEPT # Block All iptables -A OUTPUT -j DROP iptables -A INPUT -j DROP iptables -A FORWARD -j DROP # Log all dropped packages, debug only. iptables -N logging iptables -A INPUT -j logging iptables -A OUTPUT -j logging iptables -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7 iptables -A logging -j DROP echo "saving" iptables-save > /etc/iptables.rules echo "done" #echo 'openVPN - Rules successfully applied, we start "watch" to verify IPtables in realtime (you can cancel it as usual CTRL + c)' #sleep 3 #watch -n 0 "sudo iptables -nvL" iptables -L
Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- 255.255.255.255 anywhere ACCEPT all -- 192.168.0.0/24 192.168.0.0/24 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere DROP all -- anywhere anywhere logging all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere DROP all -- anywhere anywhere Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:1195 /* Allow VPN connection */ ACCEPT udp -- anywhere anywhere udp dpt:openvpn /* Allow VPN connection */ ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere 255.255.255.255 ACCEPT all -- 192.168.0.0/24 192.168.0.0/24 ACCEPT all -- anywhere anywhere DROP all -- anywhere anywhere logging all -- anywhere anywhere Chain logging (2 references) target prot opt source destination LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix "IPTables general: " DROP all -- anywhere anywhere 
iptables-save- no one really wants to understand how you create the rules.