# OpenVPN - Firewall Configuration

## FirewallD

Use the following commands in the default zone to open the OpenVPN port and to NAT the clients' traffic. The predefined `openvpn` service opens UDP 1194; masquerading rewrites the VPN clients' source addresses on the way out and, in firewalld, also turns on IP forwarding. Changes made with `--permanent` only take effect after `--reload`, so query the runtime state after reloading:

```
# Services the default zone currently allows
firewall-cmd --list-services
# Opens UDP 1194; for a non-default port use --add-port=PORT/udp instead
firewall-cmd --permanent --add-service=openvpn
# NAT the VPN clients' traffic leaving this zone (also enables IP forwarding)
firewall-cmd --permanent --add-masquerade
# Activate the permanent configuration, then confirm masquerading is live
firewall-cmd --reload
firewall-cmd --query-masquerade
```

## IPTables

My IPTables configuration `/etc/iptables/iptables.rules` for OpenVPN. It assumes OpenVPN hands out 10.8.0.0/24 on a `tun` interface and that `eth0` is the public interface. The rules filter and NAT the clients' traffic but do not enable forwarding in the kernel; that still needs `net.ipv4.ip_forward = 1` via sysctl:

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:2712]
:LOGGING - [0:0]
# Replies to connections this host opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Refuse ping (echo request/reply) but let other ICMP through.
# A REJECT still answers, so the host is not hidden; use DROP if that is the goal.
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 0 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
# Loopback: the Linux interface is "lo" ("lo0" is the BSD name and never matches)
-A INPUT -i lo -m comment --comment "Allow loopback lo" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# OpenVPN listener
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# Everything else is logged and dropped in LOGGING; the REJECT below is never reached
-A INPUT -j LOGGING
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forward traffic arriving from the tunnel, and let the replies back through;
# without the RELATED,ESTABLISHED rule every return packet hits the REJECT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A LOGGING -j LOG --log-prefix "DROPPED: " --log-level 7
-A LOGGING -j DROP
COMMIT
# Completed on Mon Jun 30 06:48:44 2014
# Generated by iptables-save v1.4.7 on Mon Jun 30 06:48:44 2014
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [2:165]
:OUTPUT ACCEPT [2:165]
# NAT the VPN subnet out of the public interface
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
```
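As an added check that is not part of the original page, the script below audits an `iptables-save` dump for the rules an OpenVPN gateway depends on: the listener reachable on UDP 1194, loopback accepted on `lo` rather than the BSD name `lo0`, forwarding allowed both from `tun+` and back via RELATED,ESTABLISHED, and a MASQUERADE for the VPN subnet. The two dumps are constructed here; the first reproduces the rule set as it was originally published, the second the corrected form. The subnet 10.8.0.0/24, the `tun*` interfaces, port 1194 and `eth0` are assumptions taken from the configuration above.

```shell
#!/bin/sh
# Added example, not from the original page: audit an iptables-save dump for
# the rules an OpenVPN gateway needs. Assumed, as in the page's rule set:
# VPN subnet 10.8.0.0/24, tunnel interfaces tun*, OpenVPN on UDP 1194, eth0.

# Constructed sample: the rule set as originally published (lo0, no return rule).
BROKEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo0 -m comment --comment "Allow loopback lo0" -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: the corrected rule set.
FIXED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m comment --comment "Allow loopback lo" -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# rule_present DUMP REGEX: true if some rule line in DUMP matches REGEX.
rule_present() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# report MSG: print one finding and count it.
report() {
    echo "FINDING: $1"
    findings=$((findings + 1))
}

# audit_dump: reads an iptables-save dump on stdin, prints one finding per
# line and returns the number of findings (0 means the rule set passed).
audit_dump() {
    dump=$(cat)
    findings=0

    # Clients must be able to reach the OpenVPN listener.
    rule_present "$dump" '^-A INPUT .*-p udp .*--dport 1194 .*-j ACCEPT$' ||
        report 'INPUT does not accept UDP 1194: OpenVPN is unreachable'

    # Loopback is "lo" on Linux; "lo0" is the BSD name and matches nothing.
    rule_present "$dump" '^-A INPUT -i lo ' ||
        report 'INPUT has no loopback ACCEPT on interface lo'
    ! rule_present "$dump" '^-A INPUT -i lo0 ' ||
        report 'INPUT references lo0, which does not exist on Linux'

    # Traffic from the tunnel may be forwarded...
    rule_present "$dump" '^-A FORWARD -i tun\+ -j ACCEPT$' ||
        report 'FORWARD does not accept traffic arriving on tun+'
    # ...and the replies must get back through FORWARD, or every connection a
    # client opens through the gateway is rejected on the return path.
    rule_present "$dump" '^-A FORWARD .*--(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$' ||
        report 'FORWARD has no RELATED,ESTABLISHED rule: replies to VPN clients are rejected'

    # Client traffic must be NATed when it leaves the gateway.
    rule_present "$dump" '^-A POSTROUTING -s 10\.8\.0\.0/24 .*-j MASQUERADE$' ||
        report 'nat POSTROUTING has no MASQUERADE for 10.8.0.0/24'

    return "$findings"
}

echo '== rule set as published =='
printf '%s\n' "$BROKEN_DUMP" | audit_dump || echo "$? finding(s)"
echo '== corrected rule set =='
printf '%s\n' "$FIXED_DUMP" | audit_dump && echo 'passed'
```

On a live gateway, source the script and run `iptables-save | audit_dump` as root. The audit only sees the rule set: it cannot tell whether `net.ipv4.ip_forward` is on, so check `sysctl net.ipv4.ip_forward` separately.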