gizurr Posted ... (edited)
Hi, I've been using ufw/gufw for a long time now to prevent leaks, which works great after I followed worric's guide https://airvpn.org/topic/5586-prevent-leaks-with-linux-firestarter-also-stop-traffic-when-vpn-drops/?do=findComment&comment=5642
However, there's one drawback, which is that all IPs must be resolved prior to connecting because the DNS resolution doesn't get through the firewall. The problem with this is that you can't let it choose the best server for the area/region by resolving, for instance, gb.vpn.airdns.org. It seems that the best you can do is get a random selection from the list of servers. Is there a way around this? For example, to only let that DNS query through? Or am I wrong somehow?
Any clarification is greatly appreciated!
Edit: Grammar
Edited ... by gizurr
InactiveUser Posted ...
It is possible, with a bit of iptables pattern-matching trickery. I have tried the following:
ufw 0.34 (Mint 17) with an empty ruleset, all defaults set to "deny" (no connectivity whatsoever)
a reachable DNS server in /etc/resolv.conf
iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT
Then I tried DNS resolution:
dig +short google.com
as expected, no DNS resolution
dig +short airdns.org
as expected, no DNS resolution
dig +short gb.vpn.airdns.org
94.229.74.90
Voila! Pattern matched! I get an IP back!
You can permanently add iptables rules to ufw by editing the file /etc/ufw/before.rules. Add the following line somewhere near the end of the file, but before the very last "COMMIT" line:
-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT
Finally, reload ufw:
ufw reload
Edit: Replaced the pattern "|03|vpn|06|airdns|03|org|" with "|03|vpn|06|airdns|03|org|00|" to rule out unwanted subdomain matches
Edit 2: Further improvement to the pattern, see gizurr's reply
If you make any changes to your firewall setup, test them thoroughly before relying on your new configuration. You would probably want to make sure that openvpn, when connecting, replaces the original DNS server in /etc/resolv.conf and restores it when disconnecting.
Credit goes to: Corey's answer on stackoverflow
all of my content is released under CC-BY-SA 2.0
gizurr Posted ... (edited)
Thanks for that great information! I was actually able to limit the matches as you suggested by adding a 0-byte at the end of the pattern:
-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00|" --algo bm -j ACCEPT
We can even get stricter and only allow requests of type A (a host address):
3.2.2. TYPE values
TYPE fields are used in resource records. Note that these types are a subset of QTYPEs.
TYPE    value   meaning
A       1       a host address
NS      2       an authoritative name server
MD      3       a mail destination (Obsolete - use MX)
MF      4       a mail forwarder (Obsolete - use MX)
CNAME   5       the canonical name for an alias
SOA     6       marks the start of a zone of authority
MB      7       a mailbox domain name (EXPERIMENTAL)
MG      8       a mail group member (EXPERIMENTAL)
MR      9       a mail rename domain name (EXPERIMENTAL)
NULL    10      a null RR (EXPERIMENTAL)
WKS     11      a well known service description
PTR     12      a domain name pointer
HINFO   13      host information
MINFO   14      mailbox or mail list information
MX      15      mail exchange
TXT     16      text strings
Source: http://www.ietf.org/rfc/rfc1035.txt
Including those 2 bytes results in the following line for /etc/ufw/before.rules:
-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT
Edit: Format
Edited ... by gizurr
rickjames Posted ...
Just download the config files with advanced + "Resolved hosts in .ovpn file" checked. Then no resolution is needed at connection time. However, it sounds like you're using the Air client. If that's the case, the network lock feature will make rules for you. I only briefly looked at that firestarter guide but I don't see connection tracking in there anywhere. The Air client uses basic connection tracking / states etc. Even the basic version is better than nothing. I won't pretend to be familiar with these GUIs as I'm a big believer in less is more. But after seeing the rules the Air client makes, I wouldn't hesitate to run it. My network environment just won't work with it. If I could use it I would, if only for simplicity.
zhang888 Posted ...
I am not really sure why to do all these workarounds, when you can call an easier solution. First, {country}.vpn.airdns.org does not just return a random server, it returns the best server in each 300 seconds timeframe. I believe the DNS backend that Air uses has some sort of load balancing that queries the API in the backend. Now let's get to the API. iptables allows custom scripts to be executed, which means you can query the API directly to find the best server. Under some circumstances, it might even find a better server for you than the DNS resolution. Those circumstances are when you are querying some ISP DNS servers that might cache records and so on.
Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
InactiveUser Posted ...
All valid points, especially if OP already uses Eddie. One note about ufw/gufw and conntrack: even if you don't see it in the GUI(s), ufw does use conntrack by default:
iptables-save | grep conntr
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
rickjames Posted ...
> All valid points, especially if OP already uses Eddie. One note about ufw/gufw and conntrack: even if you don't see it in the GUI(s), ufw does use conntrack by default:
> iptables-save | grep conntr
> -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
> -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
> -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
Thank you. I was unaware it had that capability. Does it install conntrack, conntrackd, libnetfilter-conntrack3 by default? I don't have any machines running ufw atm. Sorry for being lazy lol. It's just easier to ask than set up a VM.
InactiveUser Posted ...
rickjames, thanks, that's a valuable hint: libnetfilter-conntrack3 is installed in my Mint VM (the package is part of a default Ubuntu 14.04, according to .manifest), but not in one of my minimal Arch installs - thus, no conntrack enabled there. conntrackd, conntrack-tools are not part of any default Mint/Ubuntu/Fedora install. To my understanding, you only need those for interfering with or monitoring tracked connections, but not for the actual conntracking.
Edit: ufw uses state-tracking as a fallback. On my conntrack-less Arch:
iptables-save | grep state
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
rickjames Posted ...
> rickjames, thanks, that's a valuable hint: libnetfilter-conntrack3 is installed in my Mint VM (the package is part of a default Ubuntu 14.04, according to .manifest), but not in one of my minimal Arch installs - thus, no conntrack enabled there. conntrackd, conntrack-tools are not part of any default Mint/Ubuntu/Fedora install. To my understanding, you only need those for interfering with or monitoring tracked connections, but not for the actual conntracking.
Thanks for the info @ Ubuntu. I never really run it but it's good to know at least someone's including it by default lol. I mostly run minimal setups myself and none ever have it installed. You're 100% correct about conntrackd/tools. I've just become used to running/installing conntrackd/tools for running conntrack -E and -F and friends. It's helpful for tuning the state timings in conjunction with table logging. When doing local 'smash' testing, very low timeouts are a necessity. Then stacking conntrack + rp_filter, martians and a few others = win