### Setup OpenVPN PKI Directory Structure Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Copies the easy-rsa tools to the OpenVPN directory and creates the necessary PKI directory structure. It also copies the example variables file for customization. ```bash # Copy easy-rsa tools sudo cp -r /usr/share/easy-rsa/ /etc/openvpn/ # Create PKI directory sudo mkdir /etc/openvpn/easy-rsa/pki# Setup environment variables sudo cp /etc/openvpn/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars ``` -------------------------------- ### Start and Enable OpenVPN Server Service Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Manages the OpenVPN server service, including starting it, enabling it to start automatically on boot, and checking its current status. Ensures the VPN server is running and persistent. ```bash # Start OpenVPN server sudo systemctl start openvpn@server sudo systemctl enable openvpn@server # Check status sudo systemctl status openvpn@server# Enable auto-start sudo systemctl enable openvpn-server@server.service ``` -------------------------------- ### Make Client Setup Script Executable Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This command grants execute permissions to the OpenVPN client setup script, allowing it to be run directly from the terminal. This is a necessary step after creating or modifying the script. ```bash sudo chmod +x /usr/local/bin/create-ovpn-client.sh ``` -------------------------------- ### Install and Configure macchanger (Debian/Ubuntu) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Installs the macchanger utility and configures it to run automatically at boot by modifying the system's default configuration file and setting up a systemd unit. ```bash sudo apt update sudo apt install macchanger -y sudo nano /etc/default/macchanger # set ENABLE_MACCHANGER=true ``` -------------------------------- ### Install wondershaper for Basic Traffic Control Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This command installs the 'wondershaper' utility, a simple script for shaping, creating priorities, and getting Quality of Service (QoS) on a Linux system. It's a prerequisite for implementing basic bandwidth control. ```bash sudo apt install wondershaper -y ``` -------------------------------- ### Create New OpenVPN Client Configurations Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This section provides examples of using a script to generate client configuration files for OpenVPN, suitable for different devices like Android phones, laptops, or home PCs. The script automates the process of creating necessary certificates and configuration files for new clients. ```bash sudo /usr/local/bin/create-ovpn-client.sh android-phone sudo /usr/local/bin/create-ovpn-client.sh laptop sudo /usr/local/bin/create-ovpn-client.sh home-pc ``` -------------------------------- ### Install OpenVPN and Dependencies on Debian/Ubuntu Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Installs OpenVPN and the easy-rsa utility, essential for managing PKI, on Debian-based systems. It also updates the system package list and upgrades existing packages. ```bash # Update system sudo apt update && sudo apt upgrade -y # Install OpenVPN and easy-rsa sudo apt install openvpn easy-rsa -y# Create necessary directories sudo mkdir -p /etc/openvpn/server sudo mkdir -p /etc/openvpn/client ``` -------------------------------- ### Install VLAN Support Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Installs the necessary `vlan` package and loads the `8021q` kernel module, which is required for creating and managing VLAN interfaces on Linux systems. It also ensures the module is loaded on boot. Requires root privileges. ```bash sudo apt install vlan -y sudo modprobe 8021q echo "8021q" | sudo tee -a /etc/modules ``` -------------------------------- ### Check iptables Installation and List Rules (Bash) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This command safely checks if iptables is installed and lists the current active rules. If the command is not found, it provides instructions to install iptables using apt. ```bash sudo iptables -L -n -v ``` ```bash sudo apt install iptables -y ``` -------------------------------- ### Install macchanger on Debian/Ubuntu Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Installs the `macchanger` utility on Debian-based systems using `apt`. This tool is used to change the MAC address of a network interface. Ensure you have the correct MAC address before proceeding. The `-y` flag automatically confirms the installation. ```bash sudo apt update sudo apt install macchanger -y ``` -------------------------------- ### Install DHCP Server (Debian/Ubuntu) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Installs the ISC DHCP server package on Debian or Ubuntu-based systems. This package provides a robust DHCP service for automatically assigning IP addresses to clients on a local network. ```bash sudo apt install isc-dhcp-server -y ``` -------------------------------- ### Save and Persist iptables Rules Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Installs the iptables-persistent package and saves the current firewall rules. This ensures that the configured rules are reloaded automatically after a system reboot. ```bash sudo apt install iptables-persistent -y sudo netfilter-persistent save ``` -------------------------------- ### Configure OpenVPN Server Settings Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Sets up the main OpenVPN server configuration file. This includes defining the port, protocol, device, certificate paths, network settings, security parameters, and logging options. ```bash sudo nano /etc/openvpn/server/server.conf ``` ```ini # Basic Configuration port 1194 proto udp dev tun # Certificate Files ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0# Network Configuration server 10.8.0.0 255.255.255.0 push "route 192.168.1.0 255.255.255.0" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 1.1.1.1"# Security cipher AES-256-GCM auth SHA512 tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384# Performance persist-key persist-tun keepalive 10 120# Logging verb 3 mute 20 status /var/log/openvpn-status.log log /var/log/openvpn.log# Client Management client-to-client duplicate-cn# Security Hardening remote-cert-tls client reneg-sec 3600 auth-nocache ``` -------------------------------- ### Apply Netplan Configuration and Show Interface Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Applies the network configuration defined in Netplan (which includes the VLAN interface) and then displays the IP address information for the newly created `eth1.30` VLAN interface. Requires root privileges. ```bash sudo netplan apply ip a show eth1.30 ``` -------------------------------- ### Generate OpenVPN CA, Server Certificates, and Keys Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Initializes the Public Key Infrastructure (PKI), builds the Certificate Authority (CA), generates server certificates and keys, and creates Diffie-Hellman parameters and an HMAC key for OpenVPN. ```bash # Navigate to easy-rsa directory cd /etc/openvpn/easy-rsa # Initialize PKI sudo ./easyrsa init-pki# Build CA (Certificate Authority) sudo ./easyrsa build-ca nopass# Generate server certificate sudo ./easyrsa gen-req server nopass sudo ./easyrsa sign-req server server# Generate Diffie-Hellman parameters sudo ./easyrsa gen-dh# Generate HMAC key sudo openvpn --genkey secret pki/ta.key ``` -------------------------------- ### Script to Create OpenVPN Client Configuration Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This bash script automates the creation of OpenVPN client configuration files. It takes a client name as an argument, generates the necessary client certificate and key using easy-rsa, and then constructs a .ovpn file embedding all required certificates and keys. It dynamically fetches the server's public IP. ```bash #!/bin/bash if [ -z "$1" ]; then echo "Usage: $0 " exit 1 fiCLIENT_NAME=$1 BASE_DIR="/etc/openvpn" EASYRSA_DIR="$BASE_DIR/easy-rsa"echo "🔐 Creating OpenVPN client: $CLIENT_NAME"# Generate client certificate cd $EASYRSA_DIR sudo ./easyrsa gen-req $CLIENT_NAME nopass sudo ./easyrsa sign-req client $CLIENT_NAME# Create client configuration file sudo cat > $BASE_DIR/client/$CLIENT_NAME.ovpn << EOF client dev tun proto udp remote $(curl -s ifconfig.me) 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-GCM auth SHA512 verb 3 $(sudo cat $EASYRSA_DIR/pki/ca.crt) $(sudo cat $EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt) $(sudo cat $EASYRSA_DIR/pki/private/$CLIENT_NAME.key) $(sudo cat $EASYRSA_DIR/pki/ta.key) EOFecho "✅ Client configuration created: $BASE_DIR/client/$CLIENT_NAME.ovpn" echo "📱 Download and import this file to your OpenVPN client" ``` -------------------------------- ### Clear All iptables Rules (Bash) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index These commands flush all rules from the filter, NAT, and mangle tables, and delete any user-defined chains. This is useful for starting with a clean firewall configuration. Caution is advised when running remotely. ```bash sudo iptables -F ``` ```bash sudo iptables -t nat -F ``` ```bash sudo iptables -t mangle -F ``` ```bash sudo iptables -X ``` -------------------------------- ### Configure LAN Bridge (br-lan) (Linux) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Creates a network bridge interface named 'br-lan', brings it up, attaches a physical interface (e.g., eth1) to it, and assigns a static IP address to the bridge, establishing the LAN gateway. ```bash sudo ip link add name br-lan type bridge sudo ip link set dev br-lan up sudo ip link set dev eth1 master br-lan sudo ip addr add 192.168.1.1/24 dev br-lan ``` -------------------------------- ### Create OpenVPN Client Configuration (client1.ovpn) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This snippet details the creation of a client configuration file for OpenVPN, named client1.ovpn. It includes essential client directives, server details, security protocols, and embeds the necessary CA, certificate, key, and TLS-auth data directly into the file. ```ini # Client Configuration for client1 client dev tun proto udp remote YOUR_SERVER_IP 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-GCM auth SHA512 verb 3 $(cat /etc/openvpn/easy-rsa/pki/ca.crt) $(cat /etc/openvpn/easy-rsa/pki/issued/client1.crt) $(cat /etc/openvpn/easy-rsa/pki/private/client1.key) $(cat /etc/openvpn/easy-rsa/pki/ta.key) ``` -------------------------------- ### Create and configure a systemd service for MAC address spoofing Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Sets up a systemd service to automatically spoof a MAC address on boot using `macchanger`. This involves creating a `.service` file in `/etc/systemd/system/` and then reloading the systemd daemon and enabling the service. This ensures the MAC address is set early in the boot process. ```bash sudo nano /etc/systemd/system/macclone.service [Unit] Description=MAC Clone for WAN Before=network-pre.target Wants=network-pre.target [Service] ExecStart=/usr/bin/macchanger -m AA:BB:CC:DD:EE:FF Type=oneshot [Install] WantedBy=multi-user.target sudo systemctl daemon-reload sudo systemctl enable --now macclone.service ``` -------------------------------- ### Create Production Firewall Script Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This bash script, designed for '/usr/local/bin/firewall-production.sh', deploys a secure production firewall configuration. It drops all incoming and forwarded traffic by default, allows loopback and established connections, permits SSH with basic brute-force protection, opens ports 80 and 443 for web services, allows DNS responses, limits ICMP, and configures NAT for the LAN. Finally, it enables forwarding from LAN to the internet and drops any remaining traffic. ```bash #!/bin/bash echo "🔥 Deploying production firewall..." # Clear everything iptables -F iptables -t nat -F iptables -X # Default policies iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT # Allow loopback iptables -A INPUT -i lo -j ACCEPT # Allow established connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # SSH (with brute force protection) iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Web services iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT # DNS responses iptables -A INPUT -p udp --sport 53 -j ACCEPT iptables -A INPUT -p tcp --sport 53 -j ACCEPT # Ping (limited) iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT # NAT for LAN iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # LAN → Internet forwarding iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT # Block everything else iptables -A INPUT -j DROP iptables -A FORWARD -j DROP echo "✅ Production firewall deployed" ``` -------------------------------- ### Manage OpenVPN Service Status and Clients Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This snippet illustrates commands for managing the OpenVPN service. It includes checking the service status, viewing currently connected clients, and restarting the service. These commands are essential for monitoring and maintaining the OpenVPN server's operational state. ```bash # Check status sudo /usr/local/bin/ovpn-manage.sh status ``` ```bash # View connected clients sudo /usr/local/bin/ovpn-manage.sh clients ``` ```bash # Restart service sudo /usr/local/bin/ovpn-manage.sh restart ``` -------------------------------- ### Create OpenVPN Client Certificates Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Generates unique client certificates and keys for OpenVPN connections. This process should be repeated for each client that needs VPN access. ```bash # Generate client certificate (repeat for each client) sudo ./easyrsa gen-req client1 nopass sudo ./easyrsa sign-req client client1 # Generate additional clients sudo ./easyrsa gen-req client2 nopass sudo ./easyrsa sign-req client client2 ``` -------------------------------- ### Create Real-time Firewall Monitoring Script Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This bash script, '/usr/local/bin/firewall-monitor.sh', provides a live view of the firewall's current state. It uses the 'watch' command to repeatedly execute 'iptables -L -n -v' and 'iptables -t nat -L -n -v', displaying the main and NAT rules with packet counts and details every 2 seconds. This is useful for observing traffic patterns and rule activity in real-time. ```bash #!/bin/bash echo "🔍 Live Firewall Monitoring..." watch -n 2 'iptables -L -n -v && echo "--- NAT Rules ---" && iptables -t nat -L -n -v' ``` -------------------------------- ### Configure Client-Specific Routing Rules Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This configuration block demonstrates how to set up client-specific routing rules. It assigns a static IP to the client and pushes a specific route to the client's network, allowing it to access resources on a particular internal network segment. ```ini # Restrict client1 to only access specific resources ifconfig-push 10.8.0.100 255.255.255.0 push "route 192.168.1.100 255.255.255.255" iroute 192.168.1.100 255.255.255.255 ``` -------------------------------- ### Create and enable a bridge interface for WAN Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Steps to create a network bridge named `br-wan` and attach the physical WAN interface to it. This is a prerequisite for configuring WAN via DHCP, ensuring the bridge holds the public IP address. The bridge is brought up, and the physical interface is set as its master and then enabled. ```bash sudo ip link add name br-wan type bridge sudo ip link set dev br-wan up sudo ip link set dev master br-wan sudo ip link set dev up ``` -------------------------------- ### Test OpenVPN Server Status and Connectivity Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This section provides commands to verify the OpenVPN server's operational status and network accessibility. It includes checking if the OpenVPN process is listening on the configured port, examining the systemd service status for the OpenVPN server, and viewing real-time log entries. ```bash # Check if OpenVPN is listening sudo netstat -tulpn | grep 1194 ``` ```bash # Check OpenVPN status sudo systemctl status openvpn@server ``` ```bash # View OpenVPN logs sudo tail -f /var/log/openvpn.log ``` ```bash # Test client connection sudo openvpn --config /etc/openvpn/client/client1.ovpn ``` -------------------------------- ### Verify WAN Configuration (Linux) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Verifies the static IP configuration on the br-wan interface, checks the routing table, and tests network connectivity to an IP address and a domain name. ```bash ip addr show br-wan ip route show ping -c 3 8.8.8.8 ping -c 3 google.com ``` -------------------------------- ### Troubleshoot OpenVPN Client Connection Issues Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This section provides commands to diagnose why an OpenVPN client might not be able to connect to the server. It involves checking if the server process is running, verifying firewall rules that might be blocking the OpenVPN port, and confirming that the OpenVPN port is indeed open and listening. ```bash # Check server is running sudo systemctl status openvpn@server ``` ```bash # Check firewall rules sudo iptables -L -n | grep 1194 ``` ```bash # Check if port is open sudo netstat -tulpn | grep 1194 ``` -------------------------------- ### Limit Bandwidth per Interface with wondershaper Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index These bash commands demonstrate how to limit the download and upload bandwidth for a specific network interface (eth0) using the 'wondershaper' tool. The first command sets limits to 10Mbps download and 2Mbps upload, while the second command clears any applied limits. ```bash # Limit download to 10Mbps, upload to 2Mbps sudo wondershaper eth0 10240 2048 # Clear limits sudo wondershaper clear eth0 ``` -------------------------------- ### Configure Firewall Logging Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Configures the LOGGING chain to limit the rate of log entries to 2 per minute, prefixing them with 'FIREWALL BLOCKED: ' at log level 4, and then drops the traffic. This prevents excessive logging and ensures blocked traffic is dropped. Requires root privileges. ```bash sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "FIREWALL BLOCKED: " --log-level 4 sudo iptables -A LOGGING -j DROP ``` -------------------------------- ### Implement Advanced QoS with tc Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This series of bash commands utilizes the 'tc' (traffic control) utility for advanced Quality of Service (QoS) configuration. It sets up a Hierarchical Token Bucket (HTB) queuing discipline on the eth0 interface, defines classes for bandwidth allocation, and applies filters to direct traffic from a specific subnet (192.168.1.0/24) to a particular class. ```bash # Limit entire subnet upload sudo tc qdisc add dev eth0 root handle 1: htb default 10 sudo tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit sudo tc class add dev eth0 parent 1:1 classid 1:10 htb rate 10mbit # Apply to LAN subnet sudo tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.1.0/24 flowid 1:1 ``` -------------------------------- ### Test Network Connectivity with ping and nslookup Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index These bash commands are used for basic network troubleshooting. 'ping -c 4 8.8.8.8' tests internet connectivity by sending 4 ICMP echo requests to Google's public DNS server. 'nslookup google.com' queries the DNS system to resolve the domain name 'google.com' to an IP address. ```bash # Test internet connectivity ping -c 4 8.8.8.8 # Test DNS nslookup google.com ``` -------------------------------- ### Configure Static IP on br-wan (Linux) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Assigns a static IP address, gateway, and DNS servers to the br-wan interface for internet connectivity. This involves flushing existing addresses, adding the new IP, setting the default route, and configuring DNS resolution. ```bash sudo ip addr flush dev br-wan sudo ip addr add 189.45.88.10/24 dev br-wan sudo ip route replace default via 189.45.88.1 dev br-wan echo -e "nameserver 8.8.8.8\nnameserver 1.1.1.1" | sudo tee /etc/resolv.conf ``` -------------------------------- ### Configure OpenVPN PKI Variables Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Modifies the OpenVPN easy-rsa variables file to set essential parameters for certificate generation, including country, city, organization, algorithm, and digest settings. ```bash sudo nano /etc/openvpn/easy-rsa/vars ``` ```bash set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "California" set_var EASYRSA_REQ_CITY "San Francisco" set_var EASYRSA_REQ_ORG "Your Organization" set_var EASYRSA_REQ_EMAIL "admin@yourdomain.com" set_var EASYRSA_REQ_OU "IT Department" set_var EASYRSA_ALGO "ec" set_var EASYRSA_DIGEST "sha512" ``` -------------------------------- ### Regenerate OpenVPN Certificates and Restart Service Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This snippet demonstrates how to renew server certificates for OpenVPN using the easy-rsa tool and then restart the OpenVPN service to apply the changes. Ensure you are in the correct directory before executing these commands. ```bash cd /etc/openvpn/easy-rsa sudo ./easyrsa renew server nopass sudo systemctl restart openvpn@server ``` -------------------------------- ### Base OpenVPN Client Configuration Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Defines the base configuration settings for OpenVPN clients. This file specifies connection parameters, security settings, and logging verbosity, serving as a template for individual client configurations. ```bash sudo nano /etc/openvpn/client/base.conf ``` ```ini client dev tun proto udp remote YOUR_SERVER_IP 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-GCM auth SHA512 verb 3 mute 20 ``` -------------------------------- ### Configure Firewall Rules for OpenVPN Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Sets up iptables rules to allow OpenVPN traffic on the specified port, permit traffic through the TUN interface, and enable Network Address Translation (NAT) for VPN clients to access the internet and the local network. Includes saving the rules. ```bash # Allow OpenVPN traffic sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT # Allow TUN interface sudo iptables -A INPUT -i tun+ -j ACCEPT sudo iptables -A FORWARD -i tun+ -j ACCEPT# NAT for VPN clients sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE# Allow VPN clients to access LAN sudo iptables -A FORWARD -s 10.8.0.0/24 -d 192.168.1.0/24 -j ACCEPT sudo iptables -A FORWARD -d 10.8.0.0/24 -s 192.168.1.0/24 -j ACCEPT# Save firewall rules sudo netfilter-persistent save ``` -------------------------------- ### View Firewall Logs Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Provides commands to monitor firewall log files in real-time. `tail -f /var/log/kern.log` shows kernel log messages, while `journalctl -f -k` uses systemd-journald for a similar purpose. Useful for observing blocked traffic. ```bash # Real-time monitoring sudo tail -f /var/log/kern.log # OR sudo journalctl -f -k ``` -------------------------------- ### Enable automatic MAC changing on boot with macchanger Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Configures `macchanger` to automatically apply a spoofed MAC address on system boot. This involves editing the `/etc/default/macchanger` file to set `ENABLE_MACCHANGER` to `true`. Note that distribution behavior for automatic startup may vary. ```bash sudo nano /etc/default/macchanger # set: ENABLE_MACCHANGER=true ``` -------------------------------- ### OpenVPN Management Script Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index A versatile bash script for managing the OpenVPN server and clients. It supports actions like checking server status, restarting the service, listing connected clients, and creating new client configurations by calling the separate client creation script. ```bash #!/bin/bash case "$1" in status) sudo systemctl status openvpn@server ;; restart) sudo systemctl restart openvpn@server ;; clients) echo "Connected Clients:" sudo cat /var/log/openvpn-status.log | grep CLIENT_LIST ;; new-client) if [ -z "$2" ]; then echo "Usage: $0 new-client " exit 1 fi /usr/local/bin/create-ovpn-client.sh $2 ;; *) echo "Usage: $0 {status|restart|clients|new-client }" exit 1 ;; esac ``` -------------------------------- ### Verify LAN Bridge Configuration (Linux) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Verifies the configuration of the 'br-lan' bridge interface and checks the system's routing table after setting up the internal network. ```bash ip addr show br-lan ip route show ``` -------------------------------- ### Create VLAN Interface Configuration Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Defines a new VLAN interface (`eth1.30`) with VLAN ID 30, linked to the physical interface `eth1`, and assigns it a static IP address (192.168.30.1/24). This configuration is applied using `netplan`. Requires root privileges. ```yaml network: version: 2 ethernets: eth1: dhcp4: no vlans: eth1.30: id: 30 link: eth1 addresses: - 192.168.30.1/24 ``` -------------------------------- ### Allow LAN to Access DVR Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Creates a firewall rule that permits devices on the local LAN (192.168.1.0/24) to initiate connections to the DVR (192.168.1.200). This rule should be placed after the blocking rule to allow specific access. Requires root privileges. ```bash sudo iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.200 -j ACCEPT ``` -------------------------------- ### Port Forward HTTP for DVR Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Sets up port forwarding for the HTTP port (80) to the DVR's IP address (192.168.1.200). It uses NAT's `PREROUTING` chain to redirect incoming traffic on port 80 of the external interface (`eth0`) to the DVR, and the `FORWARD` chain to allow this traffic. Requires root privileges. ```bash # HTTP (Port 80) sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.200:80 sudo iptables -A FORWARD -p tcp -d 192.168.1.200 --dport 80 -j ACCEPT ``` -------------------------------- ### Allow DVR Internet Access Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Configures firewall rules to permit traffic originating from the DVR (192.168.1.200) to go out through the `eth0` interface (internet access) and allows established/related traffic coming back to the DVR from the internet. Requires root privileges. ```bash sudo iptables -A FORWARD -s 192.168.1.200 -o eth0 -j ACCEPT sudo iptables -A FORWARD -d 192.168.1.200 -i eth0 -j ACCEPT ``` -------------------------------- ### Configure DHCP Reservation for DVR Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Adds a DHCP reservation for a device (e.g., DVR) in the `dhcpd.conf` file, ensuring it always receives the same IP address (192.168.1.200) based on its MAC address. This requires editing the DHCP server configuration. Requires root privileges. ```bash sudo nano /etc/dhcp/dhcpd.conf ``` -------------------------------- ### Show Network Interface MAC Address (Linux) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index These commands retrieve the MAC (Media Access Control) address of a network interface on a Linux system. 'ip link show' lists all interfaces, while 'cat /sys/class/net//address' shows the address for a specific interface. ```bash ip link show # or for a specific interface: cat /sys/class/net//address ``` -------------------------------- ### Discover and Clone MAC Address (Linux) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Provides commands to discover the MAC address of a network interface and optionally change it using macchanger. This is useful when an ISP registers a specific MAC address. ```bash ip link show cat /sys/class/net/eth0/address macchanger -m AA:BB:CC:DD:EE:FF eth0 ``` -------------------------------- ### Troubleshoot OpenVPN No Internet Access Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This provides commands to diagnose issues where OpenVPN clients can connect but have no internet access. It involves checking if IP forwarding is enabled on the server, verifying that Network Address Translation (NAT) rules are correctly configured, and inspecting the server's routing table. ```bash # Check IP forwarding cat /proc/sys/net/ipv4/ip_forward ``` ```bash # Check NAT rules sudo iptables -t nat -L -n -v ``` ```bash # Check routing ip route show ``` -------------------------------- ### Configure Static IP for OpenVPN Client Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This snippet shows how to assign a static IP address to a specific OpenVPN client by adding an 'ifconfig-push' directive to its configuration file. This is useful for clients that require a predictable IP address within the VPN network. ```ini # Static IP for specific client ifconfig-push 10.8.0.10 255.255.255.0 ``` -------------------------------- ### Allow SSH Access (Basic and Secure) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Provides iptables rules to allow SSH connections. The basic rule allows SSH from any IP, while the secure rule restricts access to a specific IP address, enhancing security. ```bash sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT ``` ```bash sudo iptables -A INPUT -p tcp -s YOUR_IP --dport 22 -j ACCEPT ``` -------------------------------- ### Allow VPN Ports (OpenVPN and WireGuard) Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Sets up iptables rules to permit UDP traffic on ports 1194 for OpenVPN and 51820 for WireGuard. These rules are necessary for establishing VPN connections to the server. ```bash sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT ``` ```bash sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT ``` -------------------------------- ### Allow HTTP (Port 80) Incoming Traffic Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Opens the server to incoming TCP traffic on port 80, enabling it to host web servers and serve unencrypted web content. ```bash sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT ``` -------------------------------- ### Test Port Accessibility and Service Listening Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This section provides bash commands for testing network accessibility and service status. 'telnet YOUR_PUBLIC_IP 22' attempts to connect to port 22 (SSH) on your public IP address from an external location. 'netstat -tulpn | grep :22' checks if any process is listening on port 22 on the local machine. ```bash # Test port accessibility from outside telnet YOUR_PUBLIC_IP 22 # Check if service is listening netstat -tulpn | grep :22 ``` -------------------------------- ### SYN Flood Protection Configuration Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Implements SYN flood protection by accepting a limited rate of new TCP connections (10 per second with a burst of 20) and dropping others. This mitigates DoS attacks that exploit the TCP handshake. Requires root privileges. ```bash sudo iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT sudo iptables -A INPUT -p tcp --syn -j DROP ``` -------------------------------- ### Create Firewall Reset Script Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This bash script, intended to be saved as '/usr/local/bin/firewall-reset.sh', flushes all iptables rules, resets NAT and mangle tables, deletes user-defined chains, and sets default policies to ACCEPT for INPUT, FORWARD, and OUTPUT. It effectively resets the firewall to an open state, requiring immediate reconfiguration. The script also informs the user of the reset completion and the open state of all ports. ```bash #!/bin/bash echo "🔄 Resetting firewall to default..." # Flush all rules iptables -F iptables -t nat -F iptables -t mangle -F iptables -X # Default policies iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT echo "✅ Firewall reset complete" echo "⚠️ ALL PORTS ARE NOW OPEN - Configure rules immediately!" ``` -------------------------------- ### Allow HTTPS (Port 443) Incoming Traffic Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Opens the server to incoming TCP traffic on port 443, allowing secure (SSL/TLS encrypted) web traffic. This is essential for websites using HTTPS. ```bash sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT ``` -------------------------------- ### DHCP Reservation Configuration Entry Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This is a configuration snippet to be added to `/etc/dhcp/dhcpd.conf` for reserving a static IP address for a device. It maps a hardware (MAC) address to a fixed IP address within the network. Replace XX:XX:XX:XX:XX:XX with the actual MAC address of the device. ```text host dvr01 { hardware ethernet XX:XX:XX:XX:XX:XX; # DVR MAC fixed-address 192.168.1.200; } ``` -------------------------------- ### Allow Established Connections Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Accepts incoming packets that are part of an already established or related connection. This rule is crucial for allowing replies to outgoing requests, ensuring services like web browsing and system updates function correctly by enabling response traffic. ```bash sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ``` -------------------------------- ### Create Firewall Alert Script for High Traffic Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This bash script, '/usr/local/bin/firewall-alerts.sh', is designed to detect potential port scanning activity by monitoring '/var/log/kern.log' for lines containing 'FIREWALL BLOCKED'. If the number of such entries exceeds 50, it echoes an alert message indicating high blocked attempt activity. The script includes a placeholder for adding email notifications. ```bash #!/bin/bash # Check for port scanning SCAN_ATTEMPTS=$(grep "FIREWALL BLOCKED" /var/log/kern.log | wc -l) if [ $SCAN_ATTEMPTS -gt 50 ]; then echo "🚨 ALERT: High number of blocked attempts detected: $SCAN_ATTEMPTS" # Add email notification here fi ``` -------------------------------- ### Verify DHCP configuration on bridge interface Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Checks if the `br-wan` bridge interface has successfully obtained an IP address and default route from the ISP. `ip addr show br-wan` displays the assigned IP address, and `ip route show` confirms the default gateway. ```bash ip addr show br-wan ip route show ``` -------------------------------- ### Diagnose Firewall Rules and NAT Configuration Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index These bash commands are used for inspecting the current state of the iptables firewall. 'sudo iptables -L -n -v --line-numbers' displays all rules with details. 'sudo iptables -t nat -L -n -v' shows the NAT table rules. 'sudo iptables -L INPUT -n -v | grep ACCEPT' filters the INPUT chain to show only rules that ACCEPT traffic. ```bash # Check all rules with line numbers sudo iptables -L -n -v --line-numbers # Check NAT rules sudo iptables -t nat -L -n -v # Check specific rule hits sudo iptables -L INPUT -n -v | grep ACCEPT ``` -------------------------------- ### Send Blocked Traffic to Logs Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Appends a rule to the INPUT chain to log all incoming traffic before it's processed further. This is useful for monitoring and debugging firewall behavior. It requires root privileges. ```bash sudo iptables -A INPUT -j LOGGING ``` -------------------------------- ### OpenVPN Status Monitoring Script Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index This bash script provides a quick way to check the current status of the OpenVPN server. It displays information about connected clients by parsing the OpenVPN status log and shows the VPN's routing table entries related to the 10.8.0.0 network. ```bash #!/bin/bash echo "🔍 OpenVPN Status" echo "Connected Clients:" sudo cat /var/log/openvpn-status.log | grep CLIENT_LIST echo "" echo "Routing Table:" ip route show | grep 10.8.0.0 ``` -------------------------------- ### Basic DDoS Protection for TCP SYN Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Provides basic protection against TCP SYN flood attacks by limiting the rate of new TCP connections to 30 per second with a burst limit of 50. This helps maintain service availability during moderate DoS attacks. Requires root privileges. ```bash sudo iptables -A INPUT -p tcp --syn -m limit --limit 30/second --limit-burst 50 -j ACCEPT ``` -------------------------------- ### Allow Localhost (lo) Traffic Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Allows all traffic on the loopback interface ('lo'). This is essential for local services that communicate with themselves using addresses like 127.0.0.1, preventing breakage of local applications. ```bash sudo iptables -A INPUT -i lo -j ACCEPT ``` -------------------------------- ### Request DHCP lease on a bridge interface Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Uses the `dhclient` command to request an IP address, gateway, and DNS information from the ISP via DHCP for the `br-wan` bridge interface. The `-v` flag provides verbose output detailing the lease process. ```bash sudo dhclient -v br-wan ``` -------------------------------- ### Enable DHCP Server on VLAN Interface Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Configures the ISC DHCP server to listen for requests on the new VLAN interface (`eth1.30`) by updating the `INTERFACESv4` variable in `/etc/default/isc-dhcp-server` and then restarts the DHCP service. Requires root privileges. ```bash sudo nano /etc/default/isc-dhcp-server INTERFACESv4="eth1 eth1.30" sudo systemctl restart isc-dhcp-server ``` -------------------------------- ### Port Forward HTTP to VLAN DMZ Source: https://meetcyber.net/linux-firewall-mastery-from-basics-to-advanced-e280c0883e82/index Sets up port forwarding for HTTP traffic (port 80) from the external interface (`eth0`) to a specific device within the VLAN DMZ (192.168.30.10). It uses DNAT for redirection and allows the forwarded traffic through the FORWARD chain. Requires root privileges. ```bash # HTTP sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.30.10:80 sudo iptables -A FORWARD -p tcp -d 192.168.30.10 --dport 80 -j ACCEPT ```