1earthlove

Ubuntu10.04-iptablesHelp>in-case-of-VPN-Disconnection-From"AirVpn-over-Tor"-PleaseHelp!


I am a newb - please help me. I am new to the terminal - new to vpns - new to linux... [not new to Tor] and new to encryption - and - new to networking, After much daily effort - for almost 3 weeks - I am successfully doing AirVPN over Tor. My goal is to post freely and circumvent Tor discrimination for a non-profit-project- while having the partition-of-trust-thing happening.

I followed a few tutorials from this forum and an assortment of others, including ubuntu-forums, none of which worked on my plain ubuntu system - in spite of my meticulous care to focus on getting all the details right. My issue is that I'm a beginner, needing all the beginner-step instructions, and most of the tutorials for this are written for an intermediate-level - or higher - user. For example... They say to "cd into" a directory and yet don't say how to do so or what that even means. My system was so borked that I JUST finished another clean install. I use live distros on usb-sticks.

One page from this forum: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=30&Itemid=142#2010

says: [ana.pofuk]

"Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo."

?#1->Can you tell me what the "/16" part means? ...I've also seen "/24" ? ? ?

?#2->How can I find out what my "tun*" device is? ? ?

My "eth*" is "eth0" - my network is a little different than 192.168.0.0 - and I'm wondering if it is safe for me to change it [TO 192.168.0.0] in the router admin panel... Is it??? And are there any long-term potential problems from changing the Router's Host Name? ? ? -NOT very important to me - mainly - I'm just - CRITICALLY - needing to have all traffic promptly BLOCKED in case of a DIS-CONNECT.

I found several tutorials for just-VPN and - I think - at least one for Tor-over-AirVPN but NOT one with details for AirVPN-over-Tor.

I'm overwhelmed by the reading material for iptables - but I'm Good at following Good and Detailed Instructions.

Do YOU Know of Good - and Detailed - Instructions for an iptables firewall - that is specific to ubuntu 10.04 - AND - specific to AirVPN-OVER-TOR? ? ?

The next section - in this page that I've quoted - This:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT # allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT # make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT # make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT # make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

...is what borked my system - and gave error-info in response to a few of the terminal commands.

Please - for the Love of the humans - help me accomplish my goals - SAFELY!

Peas...


To be clear - I Am connected - now - to the Vega Server - over Tor - so that sites see only my AirVPN ip-address! yahoo-finally: SUCCESS! And THEN I borked my whole system [and spent more than 100 hours in 3 weeks] following AirVPN-forum-and-ubuntu-forum-and-linux-iptables-tutorials that did not work for me. :sick: Apparently I failed to do something [very basic, I assume] that is supposed to be understood by everyone following along. I'm new to most all of this- except using tor-

During this ordeal - that borked my system - I installed gufw - and the guides for BEGINNERS failed to work for me as purported by their authors - even the guides that said "Easy" and "Simple" in their titles. After about a dozen hours of that, I uninstalled gufw.

I flushed all iptables rules a few times and started from scratch and followed a video that seems GREAT - except it doesn't cover what I NEED [for vpn-over-tor-Disconnect-Protection rules] and I don't meet the requirements the guy mentions at the beginning. Just to document here - this is the video: "How to configure iptables in ubuntu" at https://www.youtube.com/watch?v=E7rpCha1lTY - and the bulk of the commands [i did them all - carefully] are in the last two minutes. I'm just documenting what I've done - stuff that I thought [while doing it] would get me at least part of the way to my goal...

My GOAL:

AirVPN-over-Tor-Accidental-Dis-Connection-PROTECTION-By-Blocking-ALL-Other-Traffic-Immediately

-Until-I've-Re-Established-Tor-Then-AirVPN-Over-Tor

-Again. :S

Anyone? Please help me - merci!


-needed in commands - AT ALL ? ? ?

AirVPNAdmin said this:

--------------------------------------------------

Adding the following simple rules will prevent leaks in case of [accidental] VPN disconnection. In this example, it is assumed that your network interface is eth+ (change it as appropriate; for example, you might have wlan0 for a WiFi connection).

a.b.c.d is the entry-IP address of the Air server you connect to. You can find out the address simply looking at the line "remote" of your air.ovpn configuration file. In case of doubts, just ask us. Some of the following rules might be redundant if you have already chains.

Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

---------------------------------------------------

And I just discovered that my "eth*" is ACTUALLY "eth1" - not "eth0" - as shown in numerous tutorials - so I'm sure THAT helped me screw things up. I was using "eth0" - is that particular instance of a mistake enough to bork your system? ? ?

I actually couldn't get tor-browser OR openvpn/airvpn to work - at all - so I really had to do a clean install.

So that subnet-part: "192.168.0.0/16" - MOST of the tutorials say "192.168.0.0/24" - or - "192.168.1.0/24" but in my router I cannot find anywhere that specifies which one mine is. Does it MATTER? ? ? And must that go into the terminal commands? ? ? Can you put in EITHER "/16" OR "/24" if you don't know? OR - just LEAVE it OUT? ? ?

This is part of another topic where I asked a few questions that no one responded to - [please-help] - Perhaps it was too much for one post.


No "How-To," with "newb-appropriate-details," can be easily found on this - I have spent a Few DOZEN Hours looking - and it just occurred to me that perhaps I've been assuming - wrongly - that the iptables rules [4 blocking ALL traffic immediately, in the event of an accidental disconnect] must be different when doing vpn-over-tor - but perhaps they are not. Perhaps I've been looking at my answers all along - in an overwhelming-state-of-confusion sort of way.

For me, there are two things to block, that I am aware of, for my protection: the TorBrowser and also my standard ubuntu-firefox.

My GOAL:

AirVPN-over-Tor-Accidental-Dis-Connection-PROTECTION-By-Blocking-ALL-Other-Traffic-Immediately

-Until-I've-Re-Established-Tor-Then-AirVPN-Over-Tor

-Again. :S

Anyone? Please help me - merci!


- the last 3 characters - are they needed in ufw commands - AT ALL ? ? ?

airadmin? worric? anyone?

AirVPNAdmin said this:

Assumptions: you are in a 192.168.0.0/16 network and your router is a DHCP server. You have a physical network interface named eth*. The tun adapter is tun* and the loopback interface is lo.

[end admin quote]

So that subnet-part: "192.168.0.0/16" - MOST of the tutorials say "192.168.0.0/24" - or - "192.168.1.0/24" but in my router I cannot find anywhere that specifies which one mine is: "/16" or "/24"

Does it MATTER? And must that info go into the terminal for ufw commands? ? Can you put in EITHER "/16" OR "/24" if you don't know? OR - just LEAVE it OUT? ? ?

Please - someone - help - merci-


Hello!

You can use the same rules with the addition of an unconditional "allow" rule toward port 443, in order to let the TOR proxy communicate in the TOR network. This adds a risk, i.e. letting communications toward port 443 TCP (so https, for example) in any case. In case of unexpected disconnection for example a browser will continue to be able to communicate with https web sites.

The "last 3 characters" you refer to are mandatory: they are an integral part of the routing prefix expressed in CIDR notation (accepted by ipfw):

http://en.wikipedia.org/wiki/Netmask

Kind regards

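The admin's reply above makes two points worth seeing concretely: the "/16" or "/24" suffix is part of the address match and cannot be left out, and an unconditional allow toward port 443 lets HTTPS keep flowing when the VPN drops. The following is an added example, not code from this thread or from AirVPN: a small Python model of the quoted OUTPUT rules, evaluated first-match the way iptables walks a chain, with constructed addresses (198.51.100.7 stands in for a.b.c.d, 203.0.113.10 for an arbitrary web server) and the `-s` half of the LAN rule omitted. It also goes beyond the post by comparing a /16 against a /24 written for the wrong LAN segment.

```python
import ipaddress
from typing import NamedTuple, Optional

VPN_ENTRY = "198.51.100.7"  # stands in for a.b.c.d (constructed TEST-NET-2 address)

class Rule(NamedTuple):
    out_iface: Optional[str]  # -o; trailing '+' is iptables' prefix wildcard
    dst: Optional[str]        # -d in CIDR; None matches any destination
    negate_dst: bool          # True models '! -d'
    dport: Optional[int]      # --dport; None matches any port
    target: str               # ACCEPT or DROP

def build_rules(lan_cidr, allow_443=False):
    # Same order as the quoted post. The port-443 allow the admin mentions must
    # sit before the final DROP, because iptables stops at the first match.
    rules = [
        Rule("lo", None, False, None, "ACCEPT"),
        Rule(None, "255.255.255.255/32", False, None, "ACCEPT"),  # DHCP broadcast
        Rule(None, lan_cidr, False, None, "ACCEPT"),              # own LAN (-d only)
    ]
    if allow_443:
        rules.append(Rule("eth+", None, False, 443, "ACCEPT"))
    rules.append(Rule("eth+", VPN_ENTRY, True, None, "DROP"))     # ! -d a.b.c.d
    return rules

def iface_matches(pattern, iface):
    # None = any interface; eth+ covers eth0, eth1, ... as in iptables
    return pattern is None or (iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern)

def verdict(rules, out_iface, dst_ip, dport, policy="ACCEPT"):
    """Walk the OUTPUT chain top to bottom; the first matching rule decides."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if not iface_matches(r.out_iface, out_iface):
            continue
        if r.dst is not None:
            # strict=False masks host bits, as iptables does for 192.168.4.5/24
            hit = ip in ipaddress.ip_network(r.dst, strict=False)
            if hit == r.negate_dst:
                continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target
    return policy

if __name__ == "__main__":
    base = build_rules("192.168.0.0/16")  # LAN prefix assumed in the quoted post
    # VPN down, so the browser goes straight out eth1: web DROP, Air server and LAN ACCEPT
    print(verdict(base, "eth1", "203.0.113.10", 80), verdict(base, "eth1", VPN_ENTRY, 443), verdict(base, "eth1", "192.168.4.20", 22))
    print(verdict(build_rules("192.168.0.0/16", True), "eth1", "203.0.113.10", 443))  # ACCEPT: HTTPS leaks
```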

1-> so does this mean [your last sentence- in the 1st paragraph] that vpn-over-tor is really only safe to use with Non-https-sites, because of the occasional vpn-drop???

I must be missing something. I'm establishing the torbrowser first - and then the vpn - and then initiating a very-vanilla firefox. I understand that when the vpn drops, that tor should keep running, but for my intended purpose, I'm not using the torbrowser for any activity that has "actually-serious safety-issues for humans" connected with it. That's what the vpn & 2nd browser is for. For this intended purpose, I'm Not [anytime in the near future] wishing to hide tor-usage from my local ISP.

2-> so- did i misunderstand? There is Not a way to block All traffic - if doing air-over-vpn, when the vpn drops? But there IS a way to block Everything BUT Tor, when a drop happens, WHILE doing vpn-over-tor?

3-> so about that subnet issue. the Wikipedia Netmask page you ref'd looks overwhelming to me - i was lost reading it- but just over half-way down the page, it says that the prefix /24 goes with the mask 255.255.255.0 - so i'm guessing when i get to figuring out the syntax, etc, for that rule in worric's setup - that i should use it [/24] - not the "/16" - I'm guessing this because the router I'm on, is set to 255.255.255.0 for the subnet mask. Am i getting this part?

4-> Also the LAN for the router i'm using is set to something odd - like "192.168.4.5" - so for the appropriate rule, I should use something like "192.168.4.5/24" - right?

5-> And since my system has that odd 192-168-address in Numerous files - and I'm a non-geek struggling to figure this all out - i should leave it set that way, right??? [an ounce of prevention]

7-> so i ALSO need, for my goals, an unconditional "allow" rule toward port 443, in order to let the TOR proxy communicate in the TOR network? [per your quote] I'm guessing, from my 1st [confused] reading of the ufw manual, that it should go in at the END. I'm so scared of borking a new clean install - again - and i need to get this done and working - that i'd like to get the rules in properly - in the proper order to start - since i dont understand how to reverse or reorder rules. might you know the exact syntax and position relative to worric's setup-list of rules?

Thank You - merci - for your help. Truly, Thank You.


I'm a New 2 Forums - as well as vpns - & I'm hoping that I didn't fail to adhere to some proper etiquette standard- My post from more than several hours ago has not been approved- Did I over-step an expectation of limiting the number of questions for a single post? I asked 7 [with 2 of them very related.] Should I have only asked 2 or 3 at a time - for the quickest response?

I'm sure people sometimes ask you for an unfeasible and ridiculous amount of information - and yet [please notice] I've been pushing thru this learning curve - as a paying customer - for more than 3 weeks and 2 days - literally - hours a day on this, for more than 23 days in a row now, and I still have not achieved my GOAL with AirVPN. I'm SO CLOSE & I've come so far-

So did my post get tossed? ? Of course I have no idea how many of you are there doing this - should i re-ask my ?s - with something closer to two questions at a time?

I really need this help & I Appreciate Your Time- merci-


See? ? ? I TOLD YOU: i'M NEW - I'm successfully doing vpn-over-Tor as we speak [tho' in a TRAGICALLY-FIREWALL-DEFICIENT-STATE] - AND YET - I FORGOT - that on the right-hand side - of this Foxy-Fire-Browser-Thing - There Is A SCROLL BAR! :laugh:

Gosh, I Love You Uber-Geeks - you've invented the coolest stuff.

Okay - please - please - please - @admin - @worric - @anyone - @someone - @noone - could some compassionate and generous soul - please read my recent desperate cries for help and then help me get a REAL Firewall in ubuntu-10.04-ufw & Gufw happening?

merci-
