r34lity23 Posted ...

Hi all,

I am trying to set up a VM to block all internet traffic that is not tunnelled through the VPN. I have the following iptables rules:

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -N logging
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 255.255.255.255/32 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i tun+ -j ACCEPT
    -A INPUT -j DROP
    -A INPUT -j logging
    -A FORWARD -i tun+ -j ACCEPT
    -A FORWARD -o tun+ -j ACCEPT
    -A FORWARD -j DROP
    -A OUTPUT -p udp -m udp --dport 443 -m comment --comment "Allow VPN connection" -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
    -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
    -A OUTPUT -o tun+ -j ACCEPT
    -A OUTPUT -j DROP
    -A OUTPUT -j logging
    -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
    -A logging -j DROP

This seems to work fine if enabled after the VPN has already connected, but it appears to block the VPN from connecting if it has dropped for some reason. I was hoping that someone more knowledgeable about iptables could see a reason for it being unable to connect.

The output from bluetit is as follows:

    Jan 19 18:50:03 vpn1 bluetit[18500]: IPv6 is available in this system
    Jan 19 18:50:03 vpn1 bluetit[18500]: System country set to XX by Bluetit policy.
    Jan 19 18:50:03 vpn1 bluetit[18500]: Bluetit successfully initialized and ready
    Jan 19 18:50:03 vpn1 bluetit[18500]: Starting AirVPN boot connection
    Jan 19 18:50:03 vpn1 bluetit[18500]: Waiting for a valid AirVPN Manifest to be available
    Jan 19 18:50:03 vpn1 bluetit[18500]: AirVPN Manifest updater thread started
    Jan 19 18:50:03 vpn1 bluetit[18500]: AirVPN Manifest update interval is 15 minutes
    Jan 19 18:50:03 vpn1 bluetit[18500]: Updating AirVPN Manifest
    Jan 19 18:50:23 vpn1 bluetit[18500]: ERROR: Cannot start AirVPN Connection. AirVPN Manifest not available.
    Jan 19 18:51:03 vpn1 bluetit[18500]: AirVPN Manifest successfully retrieved from local instance

Thanks for any help!
Staff Posted ...

@r34lity23

Hello!

Please make sure to accept packets to and from the bootstrap servers. You can find their IP addresses in the /etc/airvpn/bluetit.rc file (bootserver directives).

Kind regards