dwright Posted ...

Hi, I've tried to heed the advice given in the how-to thread for this, but I haven't been able to alter it to work for Firewalld. Programs mentioned in the thread like Firestarter and gufw don't seem to be in the repos. My best development so far has been using the "Panic mode" function to block all traffic, and then allowing only certain programs. However I'm not sure what to allow in order to get OpenVPN to work (other than OpenVPN obviously). Can anyone please help with this?
rickjames Posted ...

This is probably not the solution you're looking for, but completely disabling firewalld and using/installing iptables works. Via terminal:

    yum -y install iptables-services
    systemctl mask firewalld
    systemctl enable iptables
    systemctl stop firewalld
    OR
    systemctl stop firewalld.service
    systemctl start iptables

If you need to filter ipv6 traffic:

    systemctl enable ip6tables
    systemctl start ip6tables

Then just set up your iptables firewall rules etc.
InactiveUser Posted ...

I'll be honest, when I first encountered firewalld I had the same reflex, trying to go back to iptables. But it's not that different if you make use of the "direct configuration" mode. You can either use the "Firewall" GUI to write/edit your rules...

... or use the command line. I will list the commands / rules that I personally use. I should add that I don't use the Eddie client, I connect directly via NetworkManager. The following content is not a step by step guide. I am merely presenting a few rule examples and some general tips and tricks that I personally make use of. I achieve blocking non-VPN traffic by whitelisting AirVPN's entry servers and blocking all other direct traffic.

- firewalld commands to directly alter permanent rules -

    # allow loopback
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT

    # allow lan (out) and broadcasting/dhcp
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT

    # allow tun device to communicate
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT

    # optional masquerade rule (NAT/ports)
    firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE

    # finally, drop outgoing ipv4 (if not specifically allowed by other rules)
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 999 -j DROP

    # optionally, block incoming ipv4
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 999 -j DROP

    # drop all ipv6
    firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
    firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -j DROP

    # example: allow outgoing ipv4 to a specific AirVPN entry server
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -d 82.118.16.175 -j ACCEPT

    # alternatively, lock it down to specific port and protocol:
    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d 82.118.16.175 -j ACCEPT

    # add such a rule for every AirVPN entry server you need to connect to

Don't forget to restart firewalld to apply the new permanent rules:

    systemctl restart firewalld

- tips and tricks -

If you intend to use most / all AirVPN servers, it would be tedious to add rules one by one. Here are some hints on how to automate the process.

1. Generate .ovpn file containing all servers:

2. bash one-liner to generate firewall rules for all IPs:

    grep "remote " AirVPN_All-servers_UDP-443.ovpn | awk '{print $2}' | tr '\n' '\0' | xargs -0 -L1 -I '$' echo 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d $ -j ACCEPT' > firewalld-commands

Breaking down all parts of this one-liner:

    grep "remote " AirVPN_All-servers_UDP-443.ovpn

...find all lines that contain an entry IP

    awk '{print $2}'

...only print the 2nd column of the lines to get the IPs by themselves

    tr '\n' '\0'

...translate the newline character so that xargs can parse the lines correctly

    xargs -0 -L1 -I '$' echo 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d $ -j ACCEPT'

...for each line, xargs will echo a string (the firewall command) and replace each "$" with the IP we pipe into xargs

    > firewalld-commands

...finally, save the output (the generated firewall rules) as a file called "firewalld-commands". You can then run this file (as root) to execute the generated rules all at once:

    bash firewalld-commands

Don't forget to restart firewalld for the new permanent rules to take effect:

    systemctl restart firewalld

You can print all permanent rules using:

    firewall-cmd --direct --get-all-rules

General advice
- Don't forget to test your firewall rules!
- Don't copy my rules! They're just an example! Adapt them to your situation!
- Remember that AirVPN occasionally withdraws and also adds servers. Maintain your rules to reflect changes.
- Don't forget to correctly configure DNS resolution in order to avoid DNS leaks. Especially when using NetworkManager.

all of my content is released under CC-BY-SA 2.0
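The rule-generation step above, as an added example that is not part of the post and not AirVPN's or firewalld's own tooling: a small POSIX shell script that does what the one-liner does, written as a function so it can be reviewed and tested before anything touches the firewall. It assumes OpenVPN's documented `remote <host> [port] [proto]` line format and that the protocol is plain `udp` or `tcp`; it skips hostnames (a `-d` whitelist rule needs an IP literal), takes a per-line port and protocol when the profile supplies one, and drops duplicate servers. The function and file names and the 203.0.113.x sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from AirVPN): generate firewalld
# direct rules from the "remote <host> [port] [proto]" lines of an OpenVPN profile.
# Compared with the one-liner in the post it also: skips hostnames (a whitelist
# rule needs an IP literal), uses a per-line port/proto when the profile has one,
# and drops duplicates. Nothing here runs firewall-cmd; review the output first.

# Print one OUTPUT whitelist rule per unique (ip, proto, port) found in $1.
# $2 = default protocol, $3 = default port, used when a remote line has none.
ovpn_to_firewalld_rules() {
    ovpn="$1"; defproto="${2:-udp}"; defport="${3:-443}"
    awk -v defproto="$defproto" -v defport="$defport" '
        $1 == "remote" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            port  = ($3 != "") ? $3 : defport
            proto = ($4 != "") ? $4 : defproto
            sub(/-client$/, "", proto)          # OpenVPN "tcp-client" -> iptables "tcp"
            key = $2 ":" proto ":" port
            if (seen[key]++) next               # same server listed twice: one rule
            printf "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p %s -m %s --dport=%s -d %s -j ACCEPT\n", proto, proto, port, $2
        }' "$ovpn"
}

# Constructed sample profile (documentation addresses, not real AirVPN servers)
# so the script can be run and read without a downloaded .ovpn file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 443
remote 203.0.113.10 443
remote 203.0.113.20 1194 tcp
remote vpn.example.invalid 443
EOF
    echo "# generated from constructed sample profile $tmp"
    ovpn_to_firewalld_rules "$tmp" udp 443
    rm -f "$tmp"
}

# Usage: sh gen-rules.sh AirVPN_All-servers_UDP-443.ovpn udp 443 > firewalld-commands
# Without arguments the constructed sample above is used.
if [ $# -ge 1 ]; then
    ovpn_to_firewalld_rules "$1" "${2:-udp}" "${3:-443}"
else
    demo
fi
```

Run with no arguments to see the two rules produced for the sample (the duplicate and the hostname line are skipped); run with your real profile and redirect the output to a file, read it, then execute it as root and restart firewalld as the post describes.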
dwright Posted ...

rickjames, thank you for the iptables instructions! sheivoko, thank you for the super thorough guide! I'll give these methods a try tomorrow. I appreciate your help an awful lot!
rickjames Posted ...

@dwright np m8. I wasn't sure if you were using the client or not. And tbh I have no clue how the client works with fedora or if the network lock is using iptables or firewalld.

@sheivoko I've actually heard some good things about firewalld however I haven't had the time to fire up a cent/fedora vm and see what it can handle.
dwright Posted ...

I tried your method, sheivoko, and I'm having some problems. I'm trying to allow traffic only through one AirVPN server. It can connect to that server, but after that nothing else works. I need it to connect to Tor as well. Additionally, my wifi icon (in Gnome 3) changes to a question mark. I don't know if that helps figure out the problem.
InactiveUser Posted ...

The question mark is related to NetworkManager's connectivity check. Periodically - and whenever a connection's status changes - NetworkManager tries to contact a website. If it doesn't get an "OK" response, the question mark appears. This means that there's either no connectivity at all or there is connectivity but DNS doesn't resolve. On a side note, for F21, the config file for the connectivity check can be found at:

    /etc/NetworkManager/conf.d/20-connectivity-fedora.conf

Steps you should take:

1. Connect to VPN.

2. Run

    ip addr | grep tun0

and see if your tun0 has been assigned an "inet" address (10.x.x.x).

3. Run

    ip route

The first line should be a default route pointing at the VPN device:

    default via 10.x.x.x dev tun0 (..)

4. Run

    cat /etc/resolv.conf

to see what DNS servers you're using. For testing purposes, you can edit this file directly (changes take effect immediately). For persistent changes, you would need to edit the NetworkManager (Air)VPN connection profile to put in the correct AirVPN DNS server 10.x.0.1 - example: if your tun0 address is 10.4.x.x, the DNS IP would be 10.4.0.1; if it is 10.7.x.x, the DNS IP would be 10.7.0.1.

5. Check your firewall rules:

    firewall-cmd --direct --get-all-rules

Compare them to my current rules:

    ipv4 filter INPUT 1 -i lo -j ACCEPT
    ipv4 filter INPUT 4 -s 255.255.255.255 -j ACCEPT
    ipv4 filter INPUT 999 -j DROP
    ipv4 filter OUTPUT 2 -o lo -j ACCEPT
    ipv4 filter OUTPUT 3 -d 255.255.255.255 -j ACCEPT
    ipv4 filter OUTPUT 6 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    ipv4 filter OUTPUT 999 -j DROP
    ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
    ipv4 filter OUTPUT 1 -d 192.96.200.18 -j ACCEPT
    ipv4 filter FORWARD 8 -o tun+ -j ACCEPT
    ipv4 filter FORWARD 10 -i tun+ -j ACCEPT
    ipv6 filter OUTPUT 999 -j DROP
    ipv6 filter INPUT 999 -j DROP

I grayed out those rules that shouldn't be of any importance with regard to connectivity. For the sake of brevity, I also deleted all but one AirVPN entry server rules. The one I left in there (192.96.200.18) would allow you to connect to Arrakis. The numbers you see after INPUT/OUTPUT indicate rule position/priority. I haven't actually tested if it makes a difference but AFAIK, DROP rules should be added last, that's why you see 999 in my rules. Read "man firewalld.direct", the "priority" section and the "EXAMPLE" a bit further down in that document.

6. Lastly, you can also investigate

    journalctl -x -u NetworkManager --since=-10minutes

which will show you all NetworkManager logs (including the openvpn module) of the last 10 minutes.

Important note: If you can't resolve the problem on your own, it would be helpful to see the output of all the commands I mentioned above BUT: inspect all output before posting it. Remove, if you find any, identifying info like: non-local/non-AirVPN IP addresses, host names, MAC addresses, ...
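The checks in steps 2 through 5 above, as an added example that is not part of the post: POSIX shell functions that take the text output of `ip addr`, `ip route`, `/etc/resolv.conf` and `firewall-cmd --direct --get-all-rules` as arguments, so the same logic runs against constructed sample output (the default) or against the live system (`--live`). The function names and the sample addresses (10.4.17.42, 192.168.1.x) are constructed for the example; the "DNS is 10.X.0.1 for a 10.X.Y.Z tun address" rule, the "DROP rules last" ordering and the rule listing come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): offline-testable versions of the
# connectivity checks in steps 2-5. Each function takes command output as text,
# so the same code runs on constructed samples or on the live system (--live).
# Function names and sample addresses are constructed; the "10.X.0.1 DNS" rule
# and the "DROP last" rule come from the post.

# Step 2: print the IPv4 address of device $2 from `ip addr` output in $1 (empty if none).
tun_inet_addr() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 ~ /^[0-9]+:$/ { iface = $2; sub(/:$/, "", iface) }   # "3: tun0: <...>" starts a block
        iface == dev && $1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Step 3: succeed if the default route in `ip route` output ($1) leaves via a tun device.
default_route_via_tun() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1); exit }
        END { if (dev ~ /^tun/) exit 0; exit 1 }'
}

# Step 4: the AirVPN DNS the post describes: 10.X.0.1 for a tun address 10.X.Y.Z.
expected_dns_for() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 && $1 == 10 { print $1 "." $2 ".0.1" }'
}

# Step 4: succeed only if every nameserver in resolv.conf text ($1) is $2, i.e.
# no resolver outside the tunnel is left in place (the DNS-leak condition).
resolv_only_uses() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "nameserver" { n++; if ($2 != want) bad++ }
        END { if (n >= 1 && bad == 0) exit 0; exit 1 }'
}

# Step 5: succeed if the ipv4 OUTPUT chain in `firewall-cmd --direct --get-all-rules`
# output ($1) has a catch-all "-j DROP" with a higher priority number than every
# other OUTPUT rule, which is what the 998/999 numbering in the post relies on.
output_drop_is_last() {
    printf '%s\n' "$1" | awk '
        $1 == "ipv4" && $2 == "filter" && $3 == "OUTPUT" {
            if (NF == 6 && $5 == "-j" && $6 == "DROP") { drop = $4 + 0; havedrop = 1 }
            else if ($4 + 0 > maxother) maxother = $4 + 0
        }
        END { if (havedrop && drop > maxother) exit 0; exit 1 }'
}

# Run all checks; print PASS/FAIL per check and return the number of failures.
vpn_sanity_check() {
    fails=0
    addr=$(tun_inet_addr "$1" tun0)
    if [ -n "$addr" ]; then echo "PASS tun0 has inet address $addr"
    else echo "FAIL tun0 has no inet address"; fails=$((fails + 1)); fi
    if default_route_via_tun "$2"; then echo "PASS default route goes via tun"
    else echo "FAIL default route does not go via tun"; fails=$((fails + 1)); fi
    want=$(expected_dns_for "$addr")
    if [ -n "$want" ] && resolv_only_uses "$3" "$want"; then echo "PASS resolv.conf uses only $want"
    else echo "FAIL resolv.conf should contain only 'nameserver ${want:-10.X.0.1}'"; fails=$((fails + 1)); fi
    if output_drop_is_last "$4"; then echo "PASS ipv4 OUTPUT DROP rule has the highest priority number"
    else echo "FAIL ipv4 OUTPUT needs a catch-all DROP ordered after the ACCEPT rules"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample output (private 10.x / 192.168.x addresses, not a real host).
SAMPLE_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlp3s0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
    inet 10.4.17.42/16 brd 10.4.255.255 scope global tun0'
SAMPLE_ROUTE='default via 10.4.0.1 dev tun0 proto static metric 50
10.4.0.0/16 dev tun0 proto kernel scope link src 10.4.17.42
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.23'
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 10.4.0.1'
# The rule listing from the post, one rule per line.
SAMPLE_RULES='ipv4 filter INPUT 1 -i lo -j ACCEPT
ipv4 filter INPUT 999 -j DROP
ipv4 filter OUTPUT 2 -o lo -j ACCEPT
ipv4 filter OUTPUT 6 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
ipv4 filter OUTPUT 999 -j DROP
ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT
ipv4 filter OUTPUT 1 -d 192.96.200.18 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    vpn_sanity_check "$(ip addr)" "$(ip route)" "$(cat /etc/resolv.conf)" "$(firewall-cmd --direct --get-all-rules)"
else
    vpn_sanity_check "$SAMPLE_ADDR" "$SAMPLE_ROUTE" "$SAMPLE_RESOLV" "$SAMPLE_RULES"
fi
```

The exit status is the number of failed checks, so the script can be dropped into a NetworkManager dispatcher hook or run by hand after connecting; a FAIL on the resolv.conf check while the other three pass is exactly the "connected but nothing resolves" state that produces the question-mark icon described above.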
dwright Posted ...

I changed my rules to be more like yours and it works perfectly now. Thanks so much for the patient and detailed help!