hoturekube

Clearnet Leak During Eddie Iptables Lock

I have the following setup: a Debian 9 virtual machine with the Eddie software. The goal is to make sure that the VM NEVER contacts the external internet outside of AirVPN and AirVPN servers. To ensure that, the VM has the following iptables rules enabled on boot (taken from the official documentation: https://airvpn.org/faq/software_lock/):

# Flush
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Flush V6
ip6tables -F
ip6tables -t nat -F
ip6tables -t mangle -F

# Local
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Local V6
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT

# Make sure that you can communicate within your own network if Private Network option is enabled
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
iptables -A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT

# Allow incoming pings if Ping option is enabled
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Block All
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

# Block All V6
ip6tables -A OUTPUT -j DROP
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP

I also have enabled the Activate Network Lock at Startup option in Eddie, in order to dynamically update the AirVPN servers list and whitelist them (otherwise, I obviously cannot connect to them).

The problem is that when I launch Eddie, it enables its own Network Lock iptables rules, which flush my already active iptables rules. So there is a short window of time when the VM has no iptables rules activated and can freely talk to the external network in clearnet! I noticed that thanks to a conky script that retrieves the VM's external IP and displays it on the desktop. If it retrieves it during this short window of time (and yes, it happened a few times), then it displays my real external IP!

Further proof is simply running ping 8.8.8.8 in a terminal before, during and after booting Eddie. By default, the operation is not permitted, but during the activation of Eddie's iptables rules, pings often have the opportunity to reach their destination for a second or two, proving there is a clearnet leak when Eddie flushes my rules.

My question is: how to avoid this behavior? How to make sure the VM is never able to talk to the outside world apart from the AirVPN circuit and AirVPN servers? Is it possible for Eddie to update my already existing iptables rules to add its servers without actually flushing them?
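The window described above exists because `iptables -F` only empties the chains: the built-in policy of INPUT, OUTPUT and FORWARD is still ACCEPT, so between the flush and the trailing `-A ... -j DROP` lines every packet passes. The script below is an added example, not code from the forum post and not part of Eddie or AirVPN's documentation. It re-emits the same allow rules from the post, but sets the chain policies to DROP before any flush, so that an emptied chain denies everything by default. `DRY_RUN=1` (the default) prints the commands instead of applying them, which lets the ordering be checked without root; `DRY_RUN=0` as root applies them. One caveat: whether Eddie's own Network Lock also resets the policies to ACCEPT while it flushes is not shown on the page; that is an assumption to verify with the same ping test the post describes, since a tool that resets the policy reopens the window regardless of this script.

```shell
#!/bin/sh
# Added example: AirVPN lock rules reordered so a flush cannot open a clearnet window.
# Not the forum poster's script and not from Eddie; the rule set itself matches the post.
#
# Key idea: set the built-in chain policy to DROP *before* flushing. A flushed
# chain then drops by default instead of accepting, so there is no interval in
# which the VM can talk to the clearnet.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

lock_firewall() {
    # Step 1: close the default policies first, IPv4 and IPv6 alike.
    for ipt in iptables ip6tables; do
        for chain in INPUT OUTPUT FORWARD; do
            run "$ipt" -P "$chain" DROP
        done
    done

    # Step 2: flushing is now safe; empty chain + DROP policy passes nothing.
    for ipt in iptables ip6tables; do
        run "$ipt" -F
        run "$ipt" -t nat -F
        run "$ipt" -t mangle -F
    done

    # Step 3: re-add the allow rules from the post. No trailing "-j DROP"
    # rules are needed because the policy already denies everything else.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A OUTPUT -o lo -j ACCEPT

    # DHCP broadcast
    run iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
    run iptables -A INPUT -s 255.255.255.255 -j ACCEPT

    # Private networks (the post's "Private Network option")
    for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
        run iptables -A INPUT -s "$net" -d "$net" -j ACCEPT
        run iptables -A OUTPUT -s "$net" -d "$net" -j ACCEPT
    done

    # Incoming ping, established sessions, and the VPN tunnel interface
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i tun+ -j ACCEPT
    run iptables -A FORWARD -i tun+ -j ACCEPT
    run iptables -A OUTPUT -o tun+ -j ACCEPT
}

# Verifies, on the dry-run output, that the last "-P ... DROP" line comes
# before the first "-F" line. Returns 0 when the ordering is safe, 1 otherwise.
check_ordering() {
    cmds=$(DRY_RUN=1; lock_firewall)
    first_flush=$(printf '%s\n' "$cmds" | grep -n -- '-F' | head -n 1 | cut -d: -f1)
    last_policy=$(printf '%s\n' "$cmds" | grep -n -- '-P .* DROP' | tail -n 1 | cut -d: -f1)
    [ -n "$first_flush" ] && [ -n "$last_policy" ] && [ "$last_policy" -lt "$first_flush" ]
}

# Running the file prints (DRY_RUN=1) or applies (DRY_RUN=0, root) the rule set.
lock_firewall
```

Because the policies are set to DROP up front, the ordering of the remaining `-A` lines no longer matters for safety; the only traffic that can ever leave is what an explicit ACCEPT rule permits, including during any later flush by this script.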
