config for iptables - dns-httpd-ntpd-openvpn-openvpnas-ssh
#!/bin/bash
# config for iptables - dns-httpd-ntpd-openvpn-openvpnas-ssh
# Flush tables for a clean start
sudo iptables -F
# Accept packets belonging to connections that were already established
sudo iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNS (outbound lookups from unprivileged source ports)
sudo iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Loopback network, accept all
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
# VPN adapter (OpenVPN-AS tunnel interfaces as0t0, as0t1, ...), accept all inbound
sudo iptables -A INPUT -i as0t+ -j ACCEPT
# VPN (UDP 1194; the TCP variant is left disabled)
# sudo iptables -A INPUT -i eth0 -p tcp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
# Webserver (limit applies only to packets not already accepted as ESTABLISHED above,
# i.e. new connections: 25 per minute with a burst of 100)
sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# OpenVPN-AS admin/client web UI
sudo iptables -A INPUT -i eth0 -p tcp --dport 943 -m state --state NEW,ESTABLISHED -j ACCEPT
# ssh
sudo iptables -A INPUT -i eth0 -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
# ntpd (client sync, UDP 123 on both ends)
sudo iptables -A OUTPUT -o eth0 -p udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT
# Defaults if none of the above apply
sudo iptables -A INPUT -j DROP
sudo iptables -A OUTPUT -j DROP
sudo iptables -A FORWARD -j DROP
# Save for restart (Red Hat-style init script; on distributions without it, use iptables-save)
sudo service iptables save
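A ruleset like this is order-sensitive: the ESTABLISHED accept has to come before the rate-limited web rules, the catch-all DROP has to be last, and every interface that is accepted inbound needs an OUTPUT rule that lets the reply packets back out. The following static linter is an added example (not part of the gist) that parses the `iptables -A` lines above and checks those properties; it embeds a copy of the rules from the script, and the check names and messages are its own.

```python
"""Static linter for a flat iptables rule script (added example, not from the gist).

Checks: every chain ends in a catch-all DROP, nothing sits behind a catch-all
(unreachable), rate-limited ACCEPTs follow the ESTABLISHED ACCEPT so the limit
only throttles new connections, and each interface accepted on INPUT has an
OUTPUT ESTABLISHED ACCEPT so replies do not fall through to the OUTPUT DROP.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Rule lines copied from the gist script above (comments are skipped by the parser).
RULES_TEXT = """
sudo iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A INPUT -i as0t+ -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 943 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo iptables -A OUTPUT -j DROP
sudo iptables -A FORWARD -j DROP
"""


@dataclass
class Rule:
    chain: str
    target: str = ""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None
    states: FrozenSet[str] = frozenset()
    limited: bool = False

    def is_catch_all(self) -> bool:
        """True when the rule has no match criteria at all (it ends the chain)."""
        return not (self.in_if or self.out_if or self.proto or self.sport
                    or self.dport or self.states or self.limited)

    def covers_replies(self, iface: str, proto: str) -> bool:
        """ACCEPT for ESTABLISHED `proto` traffic leaving via `iface` on any port."""
        return (self.target == "ACCEPT" and self.out_if in (None, iface)
                and self.proto in (None, proto) and self.sport is None
                and self.dport is None and (not self.states or "ESTABLISHED" in self.states))


def parse_rules(text: str) -> List[Rule]:
    """Parse `[sudo] iptables -A CHAIN <options>` lines; every option here takes one value."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        argv = shlex.split(raw, comments=True)
        if argv[:1] == ["sudo"]:
            argv = argv[1:]
        if argv[:2] != ["iptables", "-A"] or len(argv) < 3:
            continue
        rule, i = Rule(chain=argv[2]), 3
        while i + 1 < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt == "-i": rule.in_if = val
            elif opt == "-o": rule.out_if = val
            elif opt == "-p": rule.proto = val
            elif opt == "--sport": rule.sport = val
            elif opt == "--dport": rule.dport = val
            elif opt == "--state": rule.states = frozenset(val.split(","))
            elif opt == "--limit": rule.limited = True
            elif opt == "-j": rule.target = val
            i += 2  # "-m state", "-m limit", "--limit-burst N" are skipped the same way
        rules.append(rule)
    return rules


def lint(rules: List[Rule]) -> List[str]:
    findings: List[str] = []
    chains: Dict[str, List[Rule]] = {}
    for r in rules:
        chains.setdefault(r.chain, []).append(r)
    for chain, crules in chains.items():
        if not (crules[-1].target == "DROP" and crules[-1].is_catch_all()):
            findings.append(f"{chain}: chain does not end in a catch-all DROP")
        for idx, r in enumerate(crules[:-1]):
            if r.is_catch_all():
                findings.append(f"{chain}: rule {idx + 1} matches everything; "
                                f"{len(crules) - idx - 1} later rule(s) are unreachable")
                break
        seen_established = False
        for idx, r in enumerate(crules):
            if r.target == "ACCEPT" and "ESTABLISHED" in r.states and r.dport is None:
                seen_established = True
            if r.limited and not seen_established:
                findings.append(f"{chain}: rule {idx + 1} is rate-limited before the ESTABLISHED "
                                "ACCEPT, so the limit throttles existing connections too")
    # Every interface accepted on INPUT needs an OUTPUT rule that lets the replies out.
    inbound = {r.in_if for r in chains.get("INPUT", []) if r.target == "ACCEPT" and r.in_if}
    for iface in sorted(inbound):
        for proto in ("tcp", "udp"):
            if not any(o.covers_replies(iface, proto) for o in chains.get("OUTPUT", [])):
                findings.append(f"OUTPUT: no ESTABLISHED ACCEPT for {proto} replies leaving "
                                f"via {iface}; they fall through to the OUTPUT DROP")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_rules(RULES_TEXT)):
        print(finding)
```

Run against the gist's rules, the ordering checks pass (ESTABLISHED is accepted before the rate-limited port 80/443 rules, each chain ends in DROP) and the only findings concern `as0t+`: the OUTPUT chain accepts reply traffic only on `eth0` and `lo`, so packets leaving through the VPN adapter other than the port-53 lookups hit the final `OUTPUT -j DROP`. The linter models only the options this script uses; a ruleset with negations, custom chains or multi-value matches would need a fuller parser.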
amalc commented Jun 18, 2013

Be sure to restart the openvpnas server after this script is run or you won't be able to access the vpn connection.
