herbgerg Posted ... (edited)

I'm trying to accept incoming connections to port 12345 on my VPN connection tun0. Right now split tunneling is working correctly, sending all data from user vpn through tun0. I've configured the port in the Client Area but am not able to successfully accept connections.

This is my OpenVPN up.sh file that runs after a successful connection is made.

```bash
#! /bin/bash

export INTERFACE="tun0"
export NETIF="eno1"
export VPNUSER="vpn"
export LOCALIP="192.168.1.2"
export LOCALSUB="192.168.1.0/24"

# flushes all the iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# setting default actions
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

iptables -I INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT ! -s $LOCALIP -o $NETIF -j REJECT --reject-with icmp-port-unreachable

# block outgoing mail
iptables -A OUTPUT -p tcp --dport 25 -j REJECT

#SSH
iptables -A INPUT -s $LOCALSUB -i $NETIF -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT

# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses on VPN connection
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# all packets on $INTERFACE need to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

# allow forwarded ports on VPN connection (this part doesn't seem to work)
iptables -A INPUT -i $INTERFACE -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT
iptables -A INPUT -i $INTERFACE -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT

# allow IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start routing script
/etc/openvpn/routing.sh

exit 0
```

This is the output of iptables -S.

```
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eno1 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 12345 -j ACCEPT
-A INPUT -i tun0 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 12345 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -s 192.168.1.2/32 -o eno1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
```

Edited ... by herbgerg
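A useful way to reason about a ruleset like the one posted is to walk the filter chains rule by rule for a specific packet and see which rule (or chain policy) gives the verdict. The script below is an added example, not code from the post or from any VPN provider: it parses the `iptables -S` output quoted above and evaluates a few constructed packets against the INPUT and OUTPUT chains. It models only the filter table's `-i`, `-o`, `-s`, `-p`, `--dport`, `--ctstate` and `--uid-owner` matches; the mangle/CONNMARK rules, NAT, and the routing decision that picks the outgoing interface are outside its scope, so it tells you what the firewall would do once the kernel has chosen an interface, not which interface the kernel chooses. The packet addresses (203.0.113.5, 192.168.1.50) and the tunnel address 10.8.0.6 are constructed values.

```python
import ipaddress
import shlex

# The `iptables -S` output quoted in the post above, copied verbatim.
RULESET = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eno1 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 12345 -j ACCEPT
-A INPUT -i tun0 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 12345 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -s 192.168.1.2/32 -o eno1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
"""

# Match options we model, mapped to the packet attribute they test.
OPTION_KEYS = {
    "-i": "iface_in", "-o": "iface_out", "-s": "src", "-p": "proto",
    "--dport": "dport", "--ctstate": "ctstate", "--uid-owner": "uid",
}
# Options that take one argument but do not influence the verdict here.
SKIP_OPTIONS = {"-m", "--reject-with"}


def parse_rules(text):
    """Return (policies, chains): chain -> policy, chain -> ordered rule list."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule = {"matches": [], "target": None}
        i, negate = 2, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                      # negates the next match clause
                negate = True
                i += 1
            elif tok == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif tok in SKIP_OPTIONS:
                i += 2
            elif tok in OPTION_KEYS:
                rule["matches"].append((OPTION_KEYS[tok], toks[i + 1], negate))
                negate = False
                i += 2
            else:
                raise ValueError(f"unhandled option {tok!r} in: {line}")
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def match_one(key, value, pkt):
    """Does a single, un-negated match clause hold for this packet?"""
    actual = pkt.get(key)
    if actual is None:
        return False
    if key == "src":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if key == "ctstate":
        return actual in value.split(",")
    if key in ("dport", "uid"):
        return actual == int(value)
    return actual == value


def verdict(chain, pkt, policies, chains):
    """Walk the chain in order; return (target, rule number) or (policy, None)."""
    for number, rule in enumerate(chains.get(chain, []), start=1):
        if all(match_one(k, v, pkt) != neg for k, v, neg in rule["matches"]):
            return rule["target"], number
    return policies[chain], None


POLICIES, CHAINS = parse_rules(RULESET)

# Constructed packets; addresses are documentation ranges, not from the post.
INBOUND_12345 = {"iface_in": "tun0", "src": "203.0.113.5", "proto": "tcp", "dport": 12345, "ctstate": "NEW"}
INBOUND_OTHER = {"iface_in": "tun0", "src": "203.0.113.5", "proto": "tcp", "dport": 8080, "ctstate": "NEW"}
LAN_SSH = {"iface_in": "eno1", "src": "192.168.1.50", "proto": "tcp", "dport": 22, "ctstate": "NEW"}
# A reply sent by a service running as root (uid 0) from the tunnel's own
# address (10.8.0.6 is a constructed tunnel address), once as if routed out
# eno1 and once as if routed out tun0.
REPLY_VIA_ENO1 = {"iface_out": "eno1", "src": "10.8.0.6", "proto": "tcp", "dport": 40000, "ctstate": "ESTABLISHED", "uid": 0}
REPLY_VIA_TUN0 = dict(REPLY_VIA_ENO1, iface_out="tun0")


def check(chain, pkt):
    return verdict(chain, pkt, POLICIES, CHAINS)


if __name__ == "__main__":
    for name, chain, pkt in [("inbound 12345", "INPUT", INBOUND_12345),
                             ("inbound 8080", "INPUT", INBOUND_OTHER),
                             ("LAN ssh", "INPUT", LAN_SSH),
                             ("reply via eno1", "OUTPUT", REPLY_VIA_ENO1),
                             ("reply via tun0", "OUTPUT", REPLY_VIA_TUN0)]:
        print(f"{name:15s} {chain:6s} -> {check(chain, pkt)}")
```

Running it shows that a NEW TCP packet to port 12345 arriving on tun0 is accepted by INPUT rule 6, so the filter table itself admits the connection; the interesting case is the reply. With the source address of the tunnel and a process owner other than uid 1001, the reply is accepted by OUTPUT's default policy only if the kernel routes it out tun0; if the routing decision sends it out eno1 instead, OUTPUT rule 2 (`! -s 192.168.1.2/32 -o eno1 -j REJECT`) rejects it. That is why, when debugging a ruleset like this, the routing table and reverse-path settings for the tunnel interface deserve the same attention as the filter rules.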