yoyall Posted ...

I've been using AirVPN for a while - great service. I run Arch Linux and use NetworkManager to make my connection. All works great. But I had been searching for some iptables scripts to prevent leaks should the connection go down. I've seen some scripts here in the forums but they seem to be limited to having specified ONE vpn server. In the Arch forums, I came across this and thought I would share it as it seems pretty good - combining a simple stateful firewall with blocks should the vpn connection drop - and allowing you to specify multiple vpn servers. I'm still finding my feet with iptables and wanted to ask the community what they think about this. It seems to do the job - allowing access when the connection is up and blocking when it's down. Any thoughts, comments, feedback on it? Cheers!

#!/bin/bash
local_network="192.168.1.0/24"
wireless_interface="wlp3s0"
virtual_interface="tun0"

#VPN Servers
servers=(
1.1.1.1 #vpn server 1 *** CHANGE TO REAL IP ADDRESS OF SELECTED SERVER
2.2.2.2 #vpn server 2 *** CHANGE TO REAL IP ADDRESS OF SELECTED SERVER
3.3.3.3 #vpn server 3 *** CHANGE TO REAL IP ADDRESS OF SELECTED SERVER
)

iptables-restore < /etc/iptables/empty.rules #create default rules, overwriting any that may be present already
iptables -N TCP #TCP user-defined chain used to open up ports in the firewall
iptables -N UDP #UDP user-defined chain used to open up ports in the firewall
iptables -P FORWARD DROP #this is a single PC and not a NAT gateway

#set up out rules
iptables -P OUTPUT DROP #block all outgoing traffic by default
iptables -A OUTPUT -d $local_network -o $wireless_interface -j ACCEPT #allow out to local network via wireless
iptables -A OUTPUT -o $virtual_interface -j ACCEPT #allow all outgoing traffic via the VPN tunnel interface
iptables -A OUTPUT -o lo -j ACCEPT #allow out to loopback

server_count=${#servers[@]}

#loop through VPN servers: only these hosts may be reached directly over wireless
for (( c = 0; c < $server_count; c++ ))
do
#set up out rules for udp
iptables -A OUTPUT -p udp -d ${servers[c]} --dport 53 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p udp -d ${servers[c]} --dport 80 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p udp -d ${servers[c]} --dport 443 -o $wireless_interface -j ACCEPT
#set up out rules for tcp
iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 53 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 80 -o $wireless_interface -j ACCEPT
iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 443 -o $wireless_interface -j ACCEPT
done

#set up in rules
iptables -P INPUT DROP #block all incoming traffic by default
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT #rate-limit incoming ping requests
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP #drop ping requests above the limit
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT #allow in established connections
iptables -A INPUT -i lo -j ACCEPT #allow in to loopback
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP #drop all traffic with an INVALID state match
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP #attach the UDP chain to the INPUT chain to handle all new incoming connections
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP #attach the TCP chain to the INPUT chain to handle all new incoming connections
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst #handle SYN scans
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst #handle SYN scans
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable #handle UDP scans
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable #handle UDP scans
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable #reject all remaining incoming traffic with icmp protocol unreachable messages

#use new rules
iptables-save > /etc/iptables/iptables.rules #save rules
systemctl start iptables.service && systemctl status iptables.service #check that the rules load correctly
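The kill switch in the script above depends on two properties of the loaded ruleset: the default policies drop, and every ACCEPT leaving via the wireless interface is pinned either to the LAN or to one of the listed VPN endpoints. The following audit script is an added example and is not part of the thread or the script posted above. It reads an iptables-save dump (a constructed sample is embedded, containing one deliberately leaking rule) and reports any egress rule that would work whether or not tun0 is up; interface names, the LAN range and the placeholder server addresses are taken from the posted script.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save dump for the
# properties the posted kill switch relies on. Names are the posted script's
# (wlp3s0, tun0, 192.168.1.0/24, placeholder server addresses).

WIFI=wlp3s0
TUN=tun0
LOCAL_NET=192.168.1.0/24
SERVERS="1.1.1.1 2.2.2.2 3.3.3.3"   # placeholders, exactly as in the posted script

# Constructed sample in iptables-save format. The last ACCEPT line is a
# deliberate leak: port 80 may leave over wireless to any destination.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A OUTPUT -d 192.168.1.0/24 -o wlp3s0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 1.1.1.1/32 -o wlp3s0 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 2.2.2.2/32 -o wlp3s0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o wlp3s0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# The same dump with the leaking line removed.
CLEAN=$(printf '%s\n' "$SAMPLE" | grep -v -- '--dport 80 -j ACCEPT')

# audit_rules DUMP: print one line per finding; return 0 if the dump is
# leak-free, 1 otherwise.
audit_rules() {
    dump=$1
    rc=0

    # 1. Default policies must drop, or anything unmatched escapes.
    printf '%s\n' "$dump" | grep -q '^:OUTPUT DROP'  || { echo 'OUTPUT policy is not DROP'; rc=1; }
    printf '%s\n' "$dump" | grep -q '^:FORWARD DROP' || { echo 'FORWARD policy is not DROP'; rc=1; }

    # 2. Traffic must be able to leave through the tunnel at all.
    printf '%s\n' "$dump" | grep -q -- "-A OUTPUT -o $TUN -j ACCEPT" \
        || { echo "no ACCEPT for egress via $TUN"; rc=1; }

    # 3. Every ACCEPT leaving via the wireless interface must be pinned to the
    #    LAN or to a listed VPN endpoint (iptables-save writes hosts as /32).
    #    Anything left over is a path that bypasses the tunnel.
    leaks=$(printf '%s\n' "$dump" | grep -- "-o $WIFI " | grep -- '-j ACCEPT' \
            | grep -v -- "-d $LOCAL_NET ") || true
    for s in $SERVERS; do
        leaks=$(printf '%s\n' "$leaks" | grep -v -- "-d $s/32 ") || true
    done
    if [ -n "$leaks" ]; then
        printf 'unpinned egress via %s:\n%s\n' "$WIFI" "$leaks"
        rc=1
    fi
    return $rc
}

# On a live machine run:  audit_rules "$(iptables-save)"   (needs root)
audit_rules "$SAMPLE" || echo 'sample ruleset would leak'
audit_rules "$CLEAN" && echo 'clean ruleset passes'
```

The check is deliberately conservative: a rule such as the posted script's per-server `--dport 53` ACCEPTs passes because it is pinned to a server address, while any wireless ACCEPT without a `-d` restriction is flagged even if it looks harmless, since the tunnel being down does not disable it.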
rickjames Posted ...

I think you're going to need to allow forwarding between the wlp3s0 and tun0. Some info in this post: https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/

I also see a few rules in there that look like they're server based.

iptables -A INPUT -p udp -m conntrack --ctstate NEW

If you're on a desktop there's no need for any ctstate NEW rules on inbound unless you're doing some sort of network file sharing or want to allow inbound ssh access or something.

gl
yoyall Posted ...

Thanks for the reply. I see where the forwarding is in the post. But if I'm not leaking and it's working, do I still need it? That's the kind of thing that I'm not sure of and would appreciate clarification on. Thanks again.
rickjames Posted ...

I haven't run arch in a really long time and tbh have no clue how it's currently handling forwarding. You could install something like jnettop and run it on tun0 and wlp3s0 in separate terminals. From there you should be able to see packet travel etc.

jnettop -n -i wlp3s0
^ wlp3s0 should only show your wlp3s0 ip connecting to the airvpn server/port.

jnettop -n -i tun0
^ will show the tun0 ip connecting to site IPs etc.

Other than that if you're not getting openvpn startup or connection errors and all the ip/dns tests are clean, run it.

- The only other thing I might add to that script or a script is a resolv.conf rewrite. Just making sure the dns servers are the air dns servers while the vpn is connected.
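The resolv.conf rewrite suggested above is usually done from the VPN client's up/down hooks: save the pre-VPN file once, write only the VPN resolver while the tunnel is up, and restore the original when it drops. The functions below are an added example, not code from the thread or from AirVPN; the file path and resolver address are parameters so they can be exercised on a scratch file, and the address used in the demo is a placeholder to be replaced with the resolver pushed by the VPN.

```shell
#!/bin/sh
# Added example, not from the thread: keep a resolv.conf pointed at the VPN's
# resolver while the tunnel is up and put the original back when it drops.
# FILE is a parameter (on a real system /etc/resolv.conf); the resolver
# address used below is a placeholder, not a real VPN DNS address.

# vpn_dns_up FILE DNS...: save FILE once, then replace it with the given resolvers.
vpn_dns_up() {
    file=$1; shift
    [ -f "$file.vpnbak" ] || cp "$file" "$file.vpnbak"       # keep the pre-VPN copy
    {
        echo "# written while the VPN tunnel is up; restored by vpn_dns_down"
        for ns in "$@"; do echo "nameserver $ns"; done
    } > "$file.tmp" && mv "$file.tmp" "$file"                 # atomic replace
}

# vpn_dns_down FILE: restore the saved copy if one exists.
vpn_dns_down() {
    file=$1
    if [ -f "$file.vpnbak" ]; then
        mv "$file.vpnbak" "$file"
    fi
}

# dns_only FILE DNS...: succeed only if every nameserver line in FILE is one of
# the given resolvers, i.e. no ISP or router resolver is left in the file.
dns_only() {
    file=$1; shift
    for ns in $(awk '$1=="nameserver"{print $2}' "$file"); do
        ok=0
        for want in "$@"; do [ "$ns" = "$want" ] && ok=1; done
        [ $ok -eq 1 ] || return 1
    done
    return 0
}

# Demo on a constructed scratch file; 192.168.1.1 stands in for the router's
# resolver and 10.0.0.1 is a placeholder VPN resolver.
TMP=${TMPDIR:-/tmp}/resolv.demo.$$
printf 'nameserver 192.168.1.1\n' > "$TMP"
vpn_dns_up "$TMP" 10.0.0.1
dns_only "$TMP" 10.0.0.1 && echo 'only the VPN resolver is in use'
vpn_dns_down "$TMP"
dns_only "$TMP" 10.0.0.1 || echo 'original resolver restored'
rm -f "$TMP" "$TMP.vpnbak"
```

Two caveats when using this on a real system: if /etc/resolv.conf is a symlink managed by NetworkManager or systemd-resolved, the `mv` replaces the symlink with a plain file, so the manager's own configuration should be used instead where possible; and `dns_only` is the check to run alongside the firewall test, because a resolv.conf that still lists the router's resolver leaks queries even when the kill switch blocks everything else.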
rickjames Posted ...

Thanks very much for this!

Yup np. jnettop is good stuff. If you toss it all in the terminator terminal it's sexy time for linux lol.

- note my res and dpi are a bit wonky, downside to a large lcd.