OpenWRT: iptables-based Firewall Rules for PPTP and IPsec

Just a handy little reference for myself.
# Internal PPTP server: the router forwards PPTP from the WAN to $vpnserver on the LAN
# filter table: accept the forwarded PPTP control channel (TCP/1723) and GRE data
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
iptables -A pptp -p gre --dst $vpnserver -j ACCEPT
iptables -I FORWARD -j pptp
# nat table: DNAT inbound TCP/1723 and GRE (IP protocol 47) arriving on $WAN to the server
iptables -t nat -N pptp
iptables -t nat -A pptp -i $WAN -p tcp --dport 1723 -j DNAT --to $vpnserver
iptables -t nat -A pptp -i $WAN -p 47 -j DNAT --to $vpnserver
iptables -t nat -A PREROUTING -j pptp
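An added example (not from the original post): the PPTP port-forward above wrapped in an idempotent script for /etc/firewall.user, with a dry-run mode and a check that the server address is a real IPv4 address before the DNAT is installed. The VPNSERVER and WAN values and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent version of the
# PPTP port-forward above for /etc/firewall.user. VPNSERVER/WAN are placeholders.
VPNSERVER="${VPNSERVER:-192.168.1.10}"   # internal PPTP server (placeholder)
WAN="${WAN:-eth0.2}"                     # WAN interface name (placeholder)
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running

# Run iptables, or echo the command when DRY_RUN=1; a -C (rule check) in
# dry-run mode always reports "absent" so the add path is exercised.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        for a in "$@"; do case "$a" in -C) return 1 ;; esac; done
        echo "iptables $*"
        return 0
    fi
    iptables "$@"
}

# Reject anything that is not a dotted quad with octets 0-255, so a typo in
# VPNSERVER cannot turn the DNAT into a forward to the wrong host.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Create a chain if missing, otherwise flush it: re-running never duplicates rules.
fresh_chain() {   # $1 = table, $2 = chain
    ipt -t "$1" -N "$2" 2>/dev/null || ipt -t "$1" -F "$2"
}

# Insert the jump from a built-in chain only if it is not already there.
ensure_jump() {   # $1 = table, $2 = parent chain, $3 = target chain
    ipt -t "$1" -C "$2" -j "$3" 2>/dev/null || ipt -t "$1" -I "$2" -j "$3"
}

apply_pptp_rules() {
    is_ipv4 "$VPNSERVER" || { echo "invalid VPNSERVER: $VPNSERVER" >&2; return 1; }
    fresh_chain filter pptp
    ipt -A pptp -p tcp --dport 1723 -d "$VPNSERVER" -j ACCEPT   # PPTP control channel
    ipt -A pptp -p gre -d "$VPNSERVER" -j ACCEPT                # GRE carries the data
    ensure_jump filter FORWARD pptp
    fresh_chain nat pptp
    ipt -t nat -A pptp -i "$WAN" -p tcp --dport 1723 -j DNAT --to-destination "$VPNSERVER"
    ipt -t nat -A pptp -i "$WAN" -p gre -j DNAT --to-destination "$VPNSERVER"
    ensure_jump nat PREROUTING pptp
}

case "${1:-}" in apply) apply_pptp_rules ;; esac   # usage: sh firewall-pptp.sh apply
```

Run it once with DRY_RUN=1 to review the generated commands before letting it touch the live tables.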

### Gateway Router-based IPSEC VPN
# allow IPsec ESP (the encrypted tunnel traffic itself)
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP / IKE (UDP/500)
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T (UDP/4500, IKE and ESP encapsulated in UDP when a NAT is in the path)
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with the remote LAN
# ($REMOTE_LAN is a placeholder for the remote tunnel subnet; the original omits the value)
iptables -t nat -A postrouting_rule -d $REMOTE_LAN -j ACCEPT
# allow any traffic between the tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.
