Network lock not active

[SeUbHS 3]

I set network lock under preferences>network lock to linux IP tables, and block all incoming/outgoing traffic and disallow lan/private. There's no IPs whitelisted. I'm still able to access the net when eddie isn't running. Is this normal behavior?

[OpenSourcerer 1435]

Well, of course not. Engage the lock, then in Logs tab click the lifebelt icon and paste or upload the output here to allow us to troubleshoot this.

[SeUbHS 3]

10 hours ago, OpenSourcerer said:

Well, of course not. Engage the lock, then in Logs tab click the lifebelt icon and paste or upload the output here to allow us to troubleshoot this.

OK thanks. Any info I should omit from the logs?

[OpenSourcerer 1435]

IPv6 addresses starting with 2xxx:…

[SeUbHS 3]

15 hours ago, OpenSourcerer said:

Well, of course not. Engage the lock, then in Logs tab click the lifebelt icon and paste or upload the output here to allow us to troubleshoot this.

edd.logs

[OpenSourcerer 1435]

Let's try the newest version of Eddie first. Current is 2.20.
Then see if it still does work. If yes, post the iptables configuration.

# iptables -L -t nat

.

[Staff 9972]

On 5/21/2021 at 12:38 AM, SeUbHS said:

I'm still able to access the net when eddie isn't running. Is this normal behavior?

Hello!

If you confirm that the sentence is correct ("when Eddie ISN'T running") then yes, it may be normal behavior. When Eddie is properly closed, it de-activates Network Lock. However, if Eddie isn't running because it crashed, then Network Lock remains enabled, because it's a set of firewall rules which are not modified.

Kind regards
 

[SeUbHS 3]

13 hours ago, Staff said:

Hello!

If you confirm that the sentence is correct ("when Eddie ISN'T running") then yes, it may be normal behavior. When Eddie is properly closed, it de-activates Network Lock. However, if Eddie isn't running because it crashed, then Network Lock remains enabled, because it's a set of firewall rules which are not modified.

Kind regards
 

Yep, eddie is not running when this occurs, so it'd be normal behavior according to what you said. Is there a way to persist the firewall rules even if eddie isn't running? That way I never have to worry about eddie failing to run on startup?

[Staff 9972]

@SeUbHS

Hello!

Yes, set your blocking rules as default rules while Eddie is not running and has just exited cleanly. Remember to allow local network, and special destinations such as 255.255.255.255 in order not to block DHCP (at bootstrap etc.). Since you run iptables you can simply enforce DROP policy to the OUTPUT and INPUT chains of the filter table, and then set a few rules jumping to ACCEPT for local subnet, localhost and 255.255.255.255.

A very simple startup script (it's only an example, you must modify it according to your needs and the features of your network, and you can also use iptables-save to make rules permanent - also specify the correct path to iptables):
 

iptables -F
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -I INPUT -s 255.255.255.255 -j ACCEPT
iptables -I OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -I OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -I INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -I INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

When Eddie enables Network Lock, you can communicate with AirVPN infrastructure only. When Eddie disables Network Lock (including when it quits) it will restore your blocking rule, so your machine will be isolated from the Internet.

Kind regards