Jump to content
Not connected, Your IP:

More detailed explanation of iptables configuration for preventing leaks when connection drops

Recommended Posts

On the page https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/ there is a guide to setting up rules for iptables to prevent any leaks if the VPN were to disconnect. There are some brief comments accompanying the commands, which is great, but I was wondering if anyone could offer a more in-depth explanation for those of us not familiar with iptables? I've been trying to decode everything through 'man iptables', but it's a little difficult.


For example, how do I know that the rules don't open up access to my machine or network through the tunnel?


Thanks to anyone who can help! 


Share this post

Link to post

iptables is extremely powerful, making it extremely complicated. manpages won't tell you much as they explain the parameters you can use.

​First of all: Look at how IP packets are handled using iptables (especially #6). Now let's say, you want to decode this one:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

We call iptables with parameters t (table), A (Append), o (output interface) and j (job). Note that parameters s(ource), d(estination), i(nput interface), o(utput interface) and p(rotocol) will always be set to ANY if you don't set them manually.

  • ​-t: Use table nat; that's the table giving you the power to "redirect" packages. The other existing table is filter.
  • ​-o: The output interface is tun0 since all traffic is going to be routed through the tunnel interface tun0 created by OpenVPN. Setting it to wlan0 for example will route all traffic through wlan0 (which is not logical at all )
  • ​-j: The job, the "task" to do: What should be done with the packets matching the characteristics a packet has to have?
  • ​-A: Imagine every packet going through "checkpoints" where it's checked whether a packet is authorised to pass or not ("filter") or where something is being done with the packet ("nat"). Yes, really, imagine the checkpoints are ID control entities. Every entity pays attention to one certain property of ID cards. Let's say, they let everyone pass if their birthday is in December, all the others are "filtered". Or imagine they redirect every passing human to a taxi number ("nat"). In this case let's say that there are two taxis: One will bring you to coolhotel.com, driving through ISP internet street, another will bring you to coolhotel.com driving through VPN street, dimming all the windows while driving through ISP street.  Same with packets.
    With -A y
    ou tell an entity to tell all passing humans to use taxi B which will drive through VPN street (and dim the windows while driving through ISP street).
    Now, the ID controlling entities are your chain rules, and the humans are the packets.
    Other options instead of A(ppend) are D(elete) and I(nsert).
  • There are six chains you can append rules to. MASQUERADEing all traffic is only useful in the last chain, the POSTROUTING chain, that's what you need to know for decoding the above thing.

​Always remember: You didn't set the s parameter! This is set to ANY if not set manually. Setting it masquerades only the traffic from the set IP.#

Trivial info: You can't use i(nput interface) and d(estination) parameters in the POSTROUTING chain; you also can't use o(utput interface) and s(ource) in the PREROUTING chain. They would be needless, and you will understand why if you refer to how IP packets are handled with iptables.


​iptables "redirects" (NAT) the traffic of all protocols (p = ANY) coming from ALL interfaces (i = ANY) and from ALL sources (s = ANY) (which is: ALL traffic) to output interface tun0 (o = tun0) and to ALL destinations (d = ANY), MASQUERADEing it (j = MASQUERADE).

​Maybe this helps a bit to understand the mechanics.

» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.

» These are the community forums, not the support portal. You're writing with other users here.

» New here? LZ1's New User Guide to AirVPN. Use the search function, Luke!

» Tor exits behind a VPN connection are discouraged. Using Tor on the other hand is not.


» Privacy is like alcohol: Drink a little and it can help you stay unnoticed. Drink a lot and everyone will notice you.

» I cannot give you the solution to all your issues. But I can guide you to it. The rest is up to you.

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Security Check
    Play CAPTCHA Audio
    Refresh Image

  • Create New...