
4.3.5. Firewall integration

Important

This section of eurephia_init will only be available if the firewall feature was enabled when eurephia was built. Only iptables is supported in eurephia v1.0.

4.3.5.1. iptables support

------------------------------------------------------------------------------
eurephia :: FIREWALL SUPPORT - iptables
------------------------------------------------------------------------------

Do you want to load the iptables module? [No] Yes

Full path to the efw-iptables.so library:
[/usr/lib/eurephia/efw-iptables.so] 

Full path to the iptables command: [/sbin/iptables]
Type y or yes here to enable iptables support. All other input will be interpreted as 'no'.

The two paths asked for afterwards are usually the correct ones, but you might want to make sure that those files actually exist on your file system. For the firewall integration to work, eurephia needs access to both of them.

Which iptables chain should eurephia use? [vpn_users]

When updating the firewall, eurephia will use a pre-defined firewall chain when granting VPN clients access to the network. This chain must exist in iptables, as eurephia will only update the rules inside this chain. Preparing iptables for eurephia will be covered later on.

Regarding standard iptables chains

Do NOT use the standard iptables chains like INPUT, OUTPUT or FORWARD. The designated chain will be cleared by the eurephia plug-in when OpenVPN is started.

4.3.5.1.1. Firewall based IP address blocking

Do you want you eurephia to block blacklisted IP addresses
in iptables too? [No] Yes

Which iptables chain should eurephia use for
blacklisted IP addresses? [vpn_blacklist]

When you enable firewall support in eurephia, IP addresses that get blocked in the database can also be blocked completely in the firewall. This gives the advantage of completely cutting a remote client off from your OpenVPN server: it will be rejected even before its network traffic reaches the OpenVPN process.

For this to work, a separate chain must be pre-defined for this purpose in iptables. This blacklist chain must be referenced from the INPUT and/or FORWARD chains, so that the blocked IP addresses are denied access to your infrastructure as early as possible.

Which iptables chain should eurephia send blacklisted IP addresses to (iptables '-j' argument) ? [DROP]

==============================================================================

This parameter defines where packets from blacklisted IP addresses should go. By default, such packets are sent to the DROP target, but you might want to log them first by using a pre-defined chain, like log_and_drop. This parameter lets you decide what happens to these packets.

Let's explain this in a little more detail. If the IP address 198.109.14.243 is blocked by eurephia, and eurephia is configured to use vpn_blacklist as the blacklist chain and DROP as the destination, eurephia will issue an iptables command like this:

# iptables -t filter -A vpn_blacklist -s 198.109.14.243 -j DROP
Preparing your firewall for this feature is discussed more in detail in Chapter 5, Firewall integration.
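As an added example (not code from the eurephia project or its documentation), the shell script below prints the iptables commands that set up what this section asks for: the users chain, the blacklist chain consulted first from INPUT and FORWARD, an optional log_and_drop target, and the per-address rule eurephia itself issues. The VPN interface name tun0, the LOG prefix and the rate limit are assumptions.

```shell
#!/bin/sh
# Added example: not part of eurephia or its documentation. Prints the iptables
# commands needed before eurephia can manage the firewall; nothing is executed.
# Chain names are the page's defaults; tun0, the LOG prefix and the rate limit
# are assumptions. Review the output, then pipe it to sh as root.

# prepare_cmds USERS_CHAIN BLACKLIST_CHAIN TARGET
# TARGET is the '-j' destination answered in eurephia_init: DROP or log_and_drop.
prepare_cmds() {
    users="$1"; blacklist="$2"; target="$3"
    # Dedicated chains: eurephia only rewrites rules inside them, and it flushes
    # the users chain when OpenVPN starts. That is why INPUT, OUTPUT or FORWARD
    # must never be given as the chain name.
    echo "iptables -t filter -N $users"
    echo "iptables -t filter -N $blacklist"
    if [ "$target" = "log_and_drop" ]; then
        # Log-then-drop target so blocked sources leave a trace (rate limited).
        echo "iptables -t filter -N log_and_drop"
        echo "iptables -t filter -A log_and_drop -m limit --limit 5/min -j LOG --log-prefix 'eurephia-blacklist: '"
        echo "iptables -t filter -A log_and_drop -j DROP"
    fi
    # Consult the blacklist first in INPUT and FORWARD, so a blocked address is
    # rejected before its traffic reaches the OpenVPN process.
    echo "iptables -t filter -I INPUT 1 -j $blacklist"
    echo "iptables -t filter -I FORWARD 1 -j $blacklist"
    # Hand traffic from the VPN interface (assumed tun0) to the chain eurephia
    # fills with per-client rules.
    echo "iptables -t filter -A FORWARD -i tun0 -j $users"
}

# blacklist_cmd BLACKLIST_CHAIN TARGET IP
# The rule eurephia adds for one blocked address, as shown on this page.
blacklist_cmd() {
    echo "iptables -t filter -A $1 -s $3 -j $2"
}

prepare_cmds vpn_users vpn_blacklist DROP
blacklist_cmd vpn_blacklist DROP 198.109.14.243
```

Run it with log_and_drop as the third argument to see the logging chain added in front of the DROP.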