Comprehensive Analysis of iptables Rules
These five iptables rules configure the OpenVPN server to function as a router, enabling traffic to pass from the VPN subnet (10.8.0.0/24) to the local network (10.10.0.0/24) and the internet. This allows VPN clients to directly access local resources and to use the local network’s gateway (DSL router) for internet access.
To allow Internet routing, the OpenVPN server configuration file, located at /etc/openvpn/server.conf, must include the directive `push "redirect-gateway def1 bypass-dhcp"`.
1. Rule: Network Address Translation (NAT/Masquerade)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp6s18 -j MASQUERADE
This rule enables IP Masquerading, allowing our VPN clients on the 10.8.0.0/24 network to access our internal network through a single IP address on the VPN server.
| Component | Description |
|---|---|
| `-t nat` | Specifies the NAT table, used for address translation. |
| `-A POSTROUTING` | Appends the rule to the POSTROUTING chain, processed just before a packet leaves the interface. |
| `-s 10.8.0.0/24` | Matches packets originating from the source network. |
| `-o enp6s18` | Matches packets exiting through the outgoing interface. |
| `-j MASQUERADE` | The target action. It performs Source NAT (SNAT), replacing the private source IP address with the |
2. Rule: TCP Maximum Segment Size (MSS) Clamping
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1392
This rule is a common fix for Maximum Transmission Unit (MTU) mismatches and fragmentation issues when using a VPN tunnel interface (tun0).
Click on this link for how to calculate the --set-mss value for your OpenVPN server.
| Component | Description |
|---|---|
| `-t mangle` | Specifies the mangle table, used for modifying packet headers. |
| `-A POSTROUTING` | Appends the rule to the POSTROUTING chain, processed before the packet leaves. |
| `-p tcp` | Only applies to the TCP protocol. |
| `-o tun0` | Matches packets exiting through the tunnel interface. |
| `--tcp-flags SYN,RST SYN` | Matches only the initial SYN packet of a new TCP connection. |
| `-j TCPMSS` | The target action, used specifically to alter the TCP Maximum Segment Size. |
| `--set-mss 1392` | Forces the TCP segment size to 1392 bytes. This ensures that the total packet size |
3. Rule: Stateful Inspection for Local Traffic (INPUT Chain)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This rule is a fundamental security component that enables stateful inspection for traffic destined for the local machine itself.
| Component | Description |
|---|---|
| `-A INPUT` | Appends the rule to the INPUT chain, which handles traffic destined for the local system. |
| `-m state` | Loads the `state` match module. |
| `--state RELATED,ESTABLISHED` | Matches packets belonging to `RELATED` or `ESTABLISHED` connections. |
| `-j ACCEPT` | Accepts the packet. This allows return traffic for connections initiated by the local system to |
4. Rule: Stateful Inspection for Routed Traffic (FORWARD Chain)
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
This rule provides stateful forwarding for traffic passing through the OpenVPN server when it is acting as a router.
| Component | Description |
|---|---|
| `-A FORWARD` | Appends the rule to the FORWARD chain, which handles traffic destined for a network other than |
| `-m state` | Loads the `state` match module. |
| `--state RELATED,ESTABLISHED` | Matches packets belonging to active or related connections. |
| `-j ACCEPT` | Accepts the packet. This ensures that response packets and continuing traffic for connections between |
5. Rule: Specific Network-to-Network Forwarding
iptables -A FORWARD -s 10.8.0.0/24 -d 10.10.0.0/24 -j ACCEPT
This rule explicitly allows unrestricted traffic flow (allows ALL IP and ports to pass through) between two specific internal networks, provided the Linux machine is configured to route traffic between them (i.e., IP forwarding is enabled).
| Component | Description |
|---|---|
| `-A FORWARD` | Appends the rule to the FORWARD chain, handling traffic passing through the machine. |
| `-s 10.8.0.0/24` | Matches traffic originating from the source network. |
| `-d 10.10.0.0/24` | Matches traffic destined for the destination network. |
| `-j ACCEPT` | Accepts the packet, allowing it to be routed from the source network to the destination network. |
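As an added example (not code from the original article), the following Python script parses `iptables-save` output and checks that all five rules above are present in their tables, so a missing or mistyped rule (a wrong interface name, a wrong MSS) is caught before VPN clients lose connectivity. The `iptables-save` sample is constructed for the example; it assumes the rules were loaded with iptables-legacy, which preserves the `-m state --state` spelling.

```python
# Added example (not from the original article): check that a host's iptables policy
# holds the five rules above. The iptables-save text is constructed, not real output.
SAMPLE_IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 10.8.0.0/24 -o enp6s18 -j MASQUERADE
COMMIT
*mangle
-A POSTROUTING -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1392
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 10.10.0.0/24 -j ACCEPT
COMMIT
"""
# The five rules of the article as (table, required option -> value pairs).
REQUIRED = [
    ("nat", {"-A": "POSTROUTING", "-s": "10.8.0.0/24", "-o": "enp6s18", "-j": "MASQUERADE"}),
    ("mangle", {"-A": "POSTROUTING", "-p": "tcp", "-o": "tun0",
                "--tcp-flags": "SYN,RST SYN", "-j": "TCPMSS", "--set-mss": "1392"}),
    ("filter", {"-A": "INPUT", "--state": "RELATED,ESTABLISHED", "-j": "ACCEPT"}),
    ("filter", {"-A": "FORWARD", "--state": "RELATED,ESTABLISHED", "-j": "ACCEPT"}),
    ("filter", {"-A": "FORWARD", "-s": "10.8.0.0/24", "-d": "10.10.0.0/24", "-j": "ACCEPT"}),
]

def rule_options(tokens):
    """Map each option to its argument string; --tcp-flags keeps both arguments."""
    opts, key = {}, None
    for tok in tokens:
        if tok.startswith("-"):
            key = tok
            opts[key] = ""
        elif key is not None:
            opts[key] = (opts[key] + " " + tok).strip()
    return opts

def parse_iptables_save(text):
    """Return {table: [option dict per -A rule]} from iptables-save output."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                 # '*nat' opens a table section
            current = line[1:].strip()
            tables.setdefault(current, [])
        elif line.startswith("-A") and current is not None:
            tables[current].append(rule_options(line.split()))
    return tables

def missing_rules(save_text, required=REQUIRED):
    """Required rules with no match in their table (subset test, so option order
    and the '-m tcp' token iptables-save inserts do not matter)."""
    tables = parse_iptables_save(save_text)
    return [(table, want) for table, want in required
            if not any(all(r.get(k) == v for k, v in want.items())
                       for r in tables.get(table, []))]
```

On a real host, pass the output of `iptables-save` to `missing_rules()` in place of the sample.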