Someone Else

Drop all traffic if VPN disconnects with iptables


Hello,

As it took me the better part of three days to finally figure this out, I wanted to share my iptables setup with you.

First off: this setup is not designed for servers. It is designed for end-user PCs only.

In my setup I'm connected to a 192.168.0.XXX network. I wanted traffic to this network to keep working at all times, so I could print files on a network printer and so on. I also have a media server running (MediaTomb) which should be discoverable by any device on my local network. This explains the rules for UPnP.

I do not provide any warranty that this setup will work, but I have tried it out pretty intensively now.

Please also be aware that I connect to the AirVPN servers via UDP 443; you have to change that in the setup if you connect via TCP and/or through another port. You should also check the server list right at the beginning and replace it with the servers you use.

I hope I saved some of you some hassle with your iptables setup. Cheers.

#!/bin/bash
# bash, not sh: the script uses an array, which plain sh does not have

# iptables setup on a local PC
# drops all traffic not going through the VPN
# allows traffic in the local area network
# special rules for UPnP and multicast discovery

FW="/sbin/iptables"
LCL="192.168.0.0/24"
VPN="10.0.0.0/12"            # tunnel address range; not referenced by any rule below
local_interface="eth0"
virtual_interface="tun0"
#AirVPN servers (replace with the ones you actually connect to)
servers=(
31.193.12.98      #Cassiopeia (GB)
95.211.191.33     #Leopris (NL)
89.149.226.185    #Omicron (DE)
178.248.30.131    #Serpentis (SE)
46.165.208.65     #Tauri (DE)
69.163.36.66      #Vega (USA)
)


#---------------------------------------------------------------
# Remove old rules and tables
#---------------------------------------------------------------
echo "Deleting old iptables rules..."
$FW -F
$FW -X
$FW -t nat -F
$FW -t nat -X
$FW -t mangle -F
$FW -t mangle -X

echo "Setting up new rules..."
#---------------------------------------------------------------
# Default Policy - Drop anything!
#---------------------------------------------------------------
$FW -P INPUT DROP
$FW -P FORWARD DROP
$FW -P OUTPUT DROP

#---------------------------------------------------------------
# Allow all local connections via loopback.
#---------------------------------------------------------------
$FW -A INPUT  -i lo  -j ACCEPT
$FW -A OUTPUT -o lo  -j ACCEPT

#---------------------------------------------------------------
# Allow IGMP (multicast group membership) on the local network.
# 224.0.0.0/4 is the entire multicast range, so this already
# covers the 239.0.0.0/8 block that UPnP uses.
#---------------------------------------------------------------
$FW -A INPUT  -j ACCEPT -p igmp -s $LCL -d 224.0.0.0/4 -i $local_interface
$FW -A OUTPUT -j ACCEPT -p igmp -s $LCL -d 224.0.0.0/4 -o $local_interface

#---------------------------------------------------------------
# UPnP discovery (SSDP) is UDP, not IGMP: M-SEARCH and NOTIFY
# packets go to 239.255.255.250 port 1900. Allow our own SSDP
# packets out; the unicast replies and the searches sent by
# other devices come from $LCL and are accepted by the LAN
# rules below.
#---------------------------------------------------------------
$FW -A OUTPUT -j ACCEPT -p udp  -s $LCL -d 239.255.255.250 --dport 1900  -o $local_interface

#---------------------------------------------------------------
# Allow all bidirectional traffic between this machine and the
# local area network
#---------------------------------------------------------------
$FW -A INPUT  -j ACCEPT -s $LCL -i $local_interface
$FW -A OUTPUT -j ACCEPT -d $LCL -o $local_interface

#---------------------------------------------------------------
# Allow all bidirectional traffic between this machine and the
# virtual private network (the tunnel interface)
#---------------------------------------------------------------
$FW -A INPUT  -j ACCEPT -i $virtual_interface
$FW -A OUTPUT -j ACCEPT -o $virtual_interface

#---------------------------------------------------------------
# Connection to AirVPN servers (UDP 443). This is the only
# Internet-bound traffic allowed to leave the physical interface.
#---------------------------------------------------------------
for srv in "${servers[@]}"; do
    $FW -A INPUT  -j ACCEPT -p udp -s "$srv" --sport 443 -i $local_interface
    $FW -A OUTPUT -j ACCEPT -p udp -d "$srv" --dport 443 -o $local_interface
done

#---------------------------------------------------------------
# Log all dropped packets, debug only. Keep these as the last
# rules so only traffic no rule above accepted gets logged.
# View in /var/log/syslog or /var/log/messages
#---------------------------------------------------------------
#$FW -N logging
#$FW -A INPUT -j logging
#$FW -A OUTPUT -j logging
#$FW -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
#$FW -A logging -j DROP

Newbie question here:

Couldn't entering "netsh interface IPv4 set dnsserver "Wireless Network Connection" static 0.0.0.0 both" into the command prompt also work in not allowing traffic out when not connecting to a VPN?

As per the DNSleaktest.com code, I enter this into my command prompt after connecting to the VPN (before it's set to DHCP) and my DNS is secured. If I disconnect from AirVPN without changing 0.0.0.0 back to DHCP, the internet remains totally inaccessible.

Thoughts?

Forgive my ignorance... is this used with a DD-WRT router?

Hello!

Not exactly, but you can easily adapt them to DD-WRT, changing interface names and IP addresses if necessary. However, proceed with care. We recommend that you first read here; you can see directly the iptables rules for DD-WRT and an important warning that applies when you load those rules:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2377&Itemid=142#2377

Kind regards


Hello!

Unfortunately not; in general that will prevent only DNS leaks, not every leak. You may have the impression that the Internet is totally inaccessible because your system can't resolve domain names anymore. However, all the programs which do not need a DNS resolution (for example a torrent client) will start to exchange data, leaking the real IP address.

Kind regards


What about instant message programs such as Trillian and Skype?


Hello!

Exactly.

Sorry for the typo, the sentence " all the programs which do need a DNS resolution (for example a torrent client) will start to exchange data, leaking the real IP address" must be read "all the programs which do NOT need a DNS resolution (for example a torrent client) will start to exchange data, leaking the real IP address"

Original message edited to correct the typo.

Kind regards

So programs such as Trillian and Skype do or don't need DNS resolution? Sorry, I'm a bit confused.

Nevertheless, if one wasn't downloading or torrenting and not exchanging sensitive issues over IM and VOIP protocols, couldn't the 0.0.0.0 fix be seen as a quick and easy way to *basically* halt non-VPN traffic when the VPN is disconnected?


Hello!

You should check with their programmers. Anyway we observe that Skype is able to continue working without DNS resolution.

Nevertheless, if one wasn't downloading or torrenting and not exchanging sensitive issues over IM and VOIP protocols, couldn't the 0.0.0.0 fix be seen as a quick and easy way to *basically* halt non-VPN traffic when the VPN is disconnected?

Generally speaking no, because there are very many possible leaks which do not require DNS resolution. It can't be and should not be considered a secure solution.

Kind regards

Hello,

some quick suggestions: you should also allow packets to/from 255.255.255.255 for those users who use DHCP. The comment "allow all on tun+" is not totally correct: FORWARD is dropped, but it should be accepted. Communication inside the local network is not allowed, which will cause big trouble at reboot (since the rules are made persistent): no communication with a router, etc.

Kind regards


I made some changes to the script. Could you let me know what you think?

On AirVPN's official iptables tutorial, they have the command

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

Could someone explain to me exactly what this does and whether or not I need it in my iptables script above?

Also, the official tutorial doesn't deny IPv6 traffic which could cause leaks.


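The script below is an added example written for this thread; it is neither the original poster's script nor AirVPN's tutorial. It folds in the points raised in the replies: the DHCP exchange to 255.255.255.255 that a "-d 192.168.0.0/24" rule never matches, an ip6tables default deny so a dropped tunnel cannot leak over IPv6, conntrack state matching instead of accepting every UDP packet that happens to have source port 443, and a dry-run mode that prints the rules instead of loading them. The interface names, the LAN prefix, the port and protocol, the two server addresses (copied from the list in the first post) and the assumption that the tunnel carries IPv4 only are all placeholders to adjust.

```shell
#!/bin/sh
# Added example for this thread: a stateful, IPv6-aware kill switch with a
# dry-run mode. Not the original poster's script and not AirVPN's tutorial.
# Every value below is a placeholder; adjust it for your own setup.

FW="${FW:-/sbin/iptables}"          # set to "echo iptables" for a dry run
FW6="${FW6:-/sbin/ip6tables}"       # set to "echo ip6tables" for a dry run
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
VPN_IF="${VPN_IF:-tun+}"            # tun+ matches tun0, tun1, ...
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-443}"
# Two addresses copied from the list in the first post; replace with yours.
VPN_SERVERS="${VPN_SERVERS:-31.193.12.98 95.211.191.33}"

flush_rules() {
    for t in filter nat mangle; do
        $FW -t "$t" -F
        $FW -t "$t" -X
    done
    $FW6 -F
    $FW6 -X
}

apply_rules() {
    flush_rules

    # Default deny for both address families. Assumption: the tunnel carries
    # IPv4 only, so every IPv6 packet would be a leak and the family is closed.
    $FW  -P INPUT DROP; $FW  -P FORWARD DROP; $FW  -P OUTPUT DROP
    $FW6 -P INPUT DROP; $FW6 -P FORWARD DROP; $FW6 -P OUTPUT DROP

    # Loopback.
    $FW  -A INPUT -i lo -j ACCEPT; $FW  -A OUTPUT -o lo -j ACCEPT
    $FW6 -A INPUT -i lo -j ACCEPT; $FW6 -A OUTPUT -o lo -j ACCEPT

    # Stateful inbound: replies to connections this host opened are accepted
    # by state, so the VPN server needs no "any UDP from sport 443" INPUT
    # rule, and nothing else gets in from the Internet unsolicited.
    $FW -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $FW -A INPUT -m conntrack --ctstate INVALID -j DROP

    # DHCP: DISCOVER/REQUEST leave as 0.0.0.0 -> 255.255.255.255, which a
    # plain "-d $LAN_NET" rule never matches; without this the PC cannot
    # renew its lease once the rules are loaded at boot.
    $FW -A OUTPUT -o "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    $FW -A INPUT  -i "$LAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # LAN: printer, media server, router. Multicast (SSDP on
    # 239.255.255.250:1900, mDNS) and limited broadcast are included so
    # device discovery keeps working.
    $FW -A INPUT  -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $FW -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    $FW -A OUTPUT -o "$LAN_IF" -d 224.0.0.0/4 -j ACCEPT
    $FW -A OUTPUT -o "$LAN_IF" -d 255.255.255.255 -j ACCEPT

    # The tunnel: everything is allowed through tun*. FORWARD stays DROP,
    # which is right for a single PC; only a box routing for other hosts
    # needs it open.
    $FW -A INPUT  -i "$VPN_IF" -j ACCEPT
    $FW -A OUTPUT -o "$VPN_IF" -j ACCEPT

    # The only Internet-bound traffic allowed out of the LAN interface: the
    # OpenVPN connection itself, to the listed servers on the listed port.
    for srv in $VPN_SERVERS; do
        $FW -A OUTPUT -o "$LAN_IF" -p "$VPN_PROTO" -d "$srv" --dport "$VPN_PORT" -j ACCEPT
    done

    # Anything reaching the end of OUTPUT is a would-be leak: log it
    # (rate-limited) before the DROP policy discards it.
    $FW -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "killswitch drop: "
}

# Rules are applied only on request, so sourcing the file is harmless.
#   sudo ./killswitch.sh apply
#   FW="echo iptables" FW6="echo ip6tables" ./killswitch.sh dry-run
case "${1:-}" in
    apply|dry-run) apply_rules ;;
esac
```

On the MASQUERADE question: "-t nat -A POSTROUTING -o tun+ -j MASQUERADE" rewrites the source address of packets leaving through tun+ to the tunnel interface's own address. That only matters when the machine forwards traffic for other hosts, i.e. acts as a router with FORWARD accepted; a single PC's own connections already originate from the tun address, so the rule does nothing useful here, and FORWARD is left at DROP for the same reason. To verify the switch, bring the VPN down and connect to a bare public IP address (no name lookup involved): the attempt must time out, not merely fail to resolve, since, as the replies above explain, the 0.0.0.0 DNS trick stops nothing that does not need name resolution.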