raix

Eddie + Kubuntu 24.04 firewall


Hello All,
I was wondering if anyone has experienced the following setup, issues and could provide me with solution suggestions. 

Goal: having a killswitch by all incoming and outgoing connections blocked by default via firewall (gufw) on Kubuntu 24. Opening Eddie and turning on Network lock which should turn off firewall and open rules needed for vpn connections. All data should go through vpn. In case of Eddie closure or crash, fw turns back on and no data should go out of vpn.

My case: firewall is set to Reject or Ignore for incoming and outgoing communication. Opening Eddie and activating Network lock creates needed rules. However, Eddie is not able to connect to any server. 
Seeing error in this part of a log:
OpenVPN > UDPv4 link local: (not bound)
OpenVPN > UDPv4 link remote: [AF_INET]<IP of server to connect to>:443
OpenVPN > write UDPv4 []: Operation not permitted(fd=7,code=1)
However, if fw is set to allow outgoing, there is "OpenVPN > TLS: Initial packet from..." in this step, connection to vpn server continues with further steps and is successful. 

I have been using the same setup on an older version of Linux Mint, firewall set to Deny or Reject for incoming and outgoing, Eddie with Network lock turned on. Eddie can connect to any server without issues.
Is there any rule or setting that needs to be added to Kubuntu/Ubuntu 24 firewall settings in order for Eddie to be able to connect to servers? Any help or suggestions would be much appreciated. Thank you.


Hello!

Please publish also a system report generated by Eddie (please do not edit the destination IP address as you did earlier) and also disable gufw completely. Set rules only through iptables-legacy, do not mix with any overlapping frontend during the tests (and do not create your own chains), so that gufw's custom chains in the filter table cannot interfere.

Kind regards
 

Hello, 
please find attached two system reports generated by Eddie:
SysRep-gufwOn.txt - gufw was kept on for this report so that it shows the error I referred to in the first post.
SysRep-gufwOff.txt - this report was generated with gufw disabled and without any manual setup done. Connections worked as expected.

Even though connections work with gufw turned off it does not solve my goal of having a killswitch in cases when Eddie has Network lock disabled or it is not running at all. Is there any recommended setup to achieve this, please? 
Thank you.

SysRep-gufwOff.txt SysRep-gufwOn.txt

6 hours ago, raix said:

Even though connections work with gufw turned off

Hello!

Excellent.

6 hours ago, raix said:

it does not solve my goal of having a killswitch in cases when Eddie has Network lock disabled or it is not running at all. Is there any recommended setup to achieve this

Yes, but use iptables-legacy (in general, the same frontend used by Eddie too for Network Lock) and not gufw; also do not define custom chains.

Kind regards
 

Hello, 

3 hours ago, Staff said:
Yes, but use iptables-legacy (in general, the same frontend used by Eddie too for Network Lock) and not gufw; also do not define custom chains.

could you be more specific with iptables-legacy rules needed for a killswitch or direct me, please? I tried to set default INPUT, FORWARD and OUTPUT from accept to drop using iptables-legacy but Eddie won't even open with such settings.
Thank you.

12 hours ago, raix said:

Hello, 


could you be more specific with iptables-legacy rules needed for a killswitch or direct me, please? I tried to set default INPUT, FORWARD and OUTPUT from accept to drop using iptables-legacy but Eddie won't even open with such settings.
Thank you.

Hello!

Consider blocking any outbound packet except those directed to localhost, the local network and those necessary for DHCP. Example (you will need to adjust your local network subnet):
# Run these with iptables-legacy / ip6tables-legacy if "iptables -V" reports the
# nf_tables variant on your system, so the rules land in the same backend that
# Eddie's Network Lock uses.
sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT          # localhost
sudo iptables -A OUTPUT -p udp --dport 67 -j ACCEPT     # DHCP
sudo iptables -A OUTPUT -p udp --dport 68 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT     # local network, adjust to yours
sudo iptables -A OUTPUT -j DROP                         # everything else

sudo ip6tables -A OUTPUT -d ::1 -j ACCEPT               # localhost
sudo ip6tables -A OUTPUT -p udp --dport 546 -j ACCEPT   # DHCPv6
sudo ip6tables -A OUTPUT -p udp --dport 547 -j ACCEPT
sudo ip6tables -A OUTPUT -d 2001:db8::/64 -j ACCEPT     # local IPv6 prefix, adjust to yours
sudo ip6tables -A OUTPUT -j DROP                        # everything else
Then you can make the rules persistent (check how to use iptables-save and ip6tables-save).

Kind regards

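As an added example (not Staff's or Eddie's code), the rules above turned into iptables-restore rulesets for the legacy backend, parameterised on the local subnet so the "adjust your subnet" step is explicit; loopback is allowed by interface rather than only 127.0.0.1, and the subnets used are placeholders.

```shell
#!/bin/sh
# Added example: generate the outbound killswitch above as iptables-restore
# rulesets for the legacy backend that Eddie's Network Lock also uses.

# Emit a filter-table ruleset. $1 = "4" or "6", $2 = local subnet (CIDR).
# Chain policies stay ACCEPT and a final DROP rule does the blocking, as in
# Staff's example; loopback is allowed by interface (-o lo), which covers
# all of 127.0.0.0/8 and ::1 rather than only 127.0.0.1.
killswitch_rules() {
    fam="$1"; lan="$2"
    case "$lan" in
        */*) ;;
        *) echo "usage: killswitch_rules 4|6 <subnet/prefix>" >&2; return 1 ;;
    esac
    if [ "$fam" = 4 ]; then p1=67; p2=68; else p1=546; p2=547; fi
    # lines starting with # are ignored by iptables-restore
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A OUTPUT -o lo -j ACCEPT
# DHCP client traffic (v4 ports 67/68, v6 ports 546/547)
-A OUTPUT -p udp --dport $p1 -j ACCEPT
-A OUTPUT -p udp --dport $p2 -j ACCEPT
# local network (adjust to your own subnet)
-A OUTPUT -d $lan -j ACCEPT
# everything else: the killswitch
-A OUTPUT -j DROP
COMMIT
EOF
}

# Write both rulesets into $1 so they can be loaded now and again at boot.
# $2 = IPv4 LAN subnet, $3 = IPv6 LAN prefix.
write_rulesets() {
    dir="$1"; mkdir -p "$dir" || return 1
    killswitch_rules 4 "$2" > "$dir/killswitch-v4.rules" || return 1
    killswitch_rules 6 "$3" > "$dir/killswitch-v6.rules" || return 1
}

# Load before starting Eddie (iptables-restore replaces the whole filter
# table, so do not run it while Network Lock is active), then verify:
#   sudo iptables-legacy-restore  < /etc/iptables/killswitch-v4.rules
#   sudo ip6tables-legacy-restore < /etc/iptables/killswitch-v6.rules
#   sudo iptables-legacy -S OUTPUT      # last rule must be -A OUTPUT -j DROP
```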