which ports to open

[isener]

Hello,
about ports:

I disabled firewalld (systemctl disable firewalld) and I use CSF (Config Server Firewall)

which ports I have to open
now my csf.conf is like this:


Allow incoming TCP ports
TCP_IN = "22,80,443,993,1194,5555,992,8080,5228,5938,40000:65000"

# Allow outgoing TCP ports
TCP_OUT = "22,80,443,993,1194,5555,992,8080,5228,40000:65000"


# Allow incoming UDP ports
UDP_IN = "53,67,68,123,500, 4500,1701,40000:65000"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "53,67,68,123,500, 4500,1701,40000:65000"

but every time i get error 13, than when I look at:
/usr/local/vpnserver/server_log/vpn_20220421.log
I see that a new port is blocked, so I have to add this yo my cnfig file to open.

is better to work with linux iptables ?
How to configure in iptables with all the forward rules etc

[eddiewu]

Firewall should only block certain incoming ports. What is the point blocking outgoing ports?

[Chromix]

Security reasons maybe?

Depends if you follow an allow-all strategy or a block-all strategy.
I follow the latter and would like to know which ports I have to open for outgoing traffic (on the server side) to be able to establish a connection to the VPN server. Is there an overview about the ports that the VPN server uses?
Source or destination port, whatever is best reproducable.

I saw a UDP connection to port 5004 first and I allowed that but now I see UDP connection attempts from port 32920 to different ports in the 40000 range.

I can connect when I allow all traffic but this is not what I want to do.

[shakibamoshiri]

Security reasons maybe?

Depends if you follow an allow-all strategy or a block-all strategy.
I follow the latter and would like to know which ports I have to open for outgoing traffic (on the server side) to be able to establish a connection to the VPN server. Is there an overview about the ports that the VPN server uses?
Source or destination port, whatever is best reproducable.

I saw a UDP connection to port 5004 first and I allowed that but now I see UDP connection attempts from port 32920 to different ports in the 40000 range.

I can connect when I allow all traffic but this is not what I want to do.

first fix
In TCP or UDP (layer 4) when a connection is established, source port from the client side is random e.g 45679 and destination port will be the service you connect to which is SE server ports 443, 992, 1194, 500, 4500, 1701.
Since transmission is bidirectional ( client to server and server to client ) and SE server is considered as local process if you block OUTPUT ports which used for clients source port (of TCP or UDP) then you actually blocked clients from getting a reply.

second fix
For security reason if you want to limit your VPN users to access only specific ports you can apply it at nat table to POSTROUTING chain.
nat table deals with NAT and POSTROUTING changes source address (Layer 3 ip address)
At this point you can specify ports as well , so VPN clients could not have access to any extra ports.

sample

Code: Select all

iptables -t nat -A POSTROUTING -s 192.168.30.0/24  ! -d 192.168.0.0/16 -p tcp -m multiport --dports 53,80,443,5222,8443 -o eth0 -j MASQUERADE

> -s : source address
> -d destination address + negate it with !
> -p protocol which is tcp
> -m load module mulitport
> --dports
> -o interface which has access to WAN (the Internet)
> -j target is MASQUERADE (= source NATing)

So for this VPN users only these ports are allowed
- 53 : DNS
- 80 : http (web)
- 443 : https (web)
- 5222 : whatsapp messenger
- 8443 : telegram messenger