xyz 3 Posted ...

Hello, I'm new to VPNs and after reading some tutorials about VPNs and iptables I tried to build my own simple set of rules. I post this to ask for your opinion on whether this setup is safe enough (I want to block all outgoing traffic except through the VPN tunnel, and except the initial connection to the VPN server from any interface). This setup is for an average desktop computer behind a router with DHCP enabled. Here it is:

### first thing - flush all rules & delete user's chains
iptables -F
iptables -X

##################################################
############### INPUT ###############
##################################################
### default policy is to drop all incoming packets:
iptables -P INPUT DROP
### EXCEPTIONS:
### allow loopback access:
iptables -A INPUT -i lo -j ACCEPT
### allow all incoming connections related or already established:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### allow incoming connections on several ports:
iptables -A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT #torrent
iptables -A INPUT -p udp -m udp --dport 7777 -j ACCEPT #torrent
iptables -A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT #ed2k
iptables -A INPUT -p udp -m udp --dport 8888 -j ACCEPT #ed2k
### allow all incoming connections from local network (not desired for me, so commented):
#iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
### allow DHCP:
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
### log the rest (and then drop it by default policy):
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "

##################################################
############### OUTPUT ###############
##################################################
### default policy is to drop all outgoing packets:
iptables -P OUTPUT DROP
### EXCEPTIONS:
### allow loopback access:
iptables -A OUTPUT -o lo -j ACCEPT
### allow all outgoing connections from tun0 interface:
iptables -A OUTPUT -o tun0 -j ACCEPT
### allow all outgoing connections to VPN server from any interface (eth, wlan, tun):
iptables -A OUTPUT -d 95.211.169.3 -j ACCEPT
### allow all outgoing connections to local network:
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
### allow DHCP:
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
### log the rest (and then drop it by default policy):
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

##################################################
############### FORWARD ##############
##################################################
### default policy is not to forward packets:
iptables -P FORWARD DROP
### EXCEPTIONS:
### accept forwarding from tun0 to eth0/wlan0 and vice versa:
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT

##################################################
############### POSTROUTING ##############
##################################################
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

### OTHER THINGS TO CONSIDER:
### allow UPNP (probably not needed with VPN):
#iptables -A INPUT -p udp -m udp --dport 1900 -j ACCEPT
#iptables -A INPUT -p udp -m udp --sport 1900 -j ACCEPT
### allow Local Peer Discovery:
#iptables -A INPUT -p udp -d 239.192.152.143 -m udp --dport 6771 -j ACCEPT
### allow MDNS:
#iptables -A INPUT -p udp -d 224.0.0.251 -m udp --dport 5353 -j ACCEPT
### allow SMB:
#iptables -A INPUT -p udp -m udp --sport 137:139 -j ACCEPT

I also have a few questions:

1) Do I need to use this rule? I am behind a router with DHCP.
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Everything seems to work fine without it. When iptables is switched off this rule doesn't work either, so I don't know if I need it.

2) When I start a connection from my computer with openvpn running, does it go [eth0 => tun0 => vpn_server => internet] or is it [tun0 => eth0 => vpn_server => internet]?

3) I hope that when I log in to my router, this connection doesn't go through the VPN server (tun interface)?

4) How can I get an address of e.g. germany.airvpn.org or europe.airvpn.org so I can use it instead of a single server address?
dickles 0 Posted ...

Very useful post. Thanks. I used many lines of it on my Asus RT-N56U BusyBox custom firmware w/ OpenVPN. I still haven't figured out how to route wired traffic over the VPN but wireless over the unencrypted connection, but I'm getting there.
Royee 11 Posted ...

Hi, thanks for the post. Can I ask, is this iptables setup used to prevent DNS leaks? I.e. your iptables rules block any other connection revealing your real IP? I did at one point have AirVPN DNS servers in my setup, which only allowed connections to work via Air DNS servers, but this sadly stopped working after a few days and I had to use OpenNIC servers to gain internet access..... Would it not be easier to use AirVPN DNS servers to prevent leaks than an iptables rule? I am seeing guides for preventing DNS leaks more on Windows and Comodo setups... but not sure if they would work for our router VPN setups.
Staff 10014 Posted ...

@Royee You don't see anything outside Windows because DNS leaks occur on Windows only. In the "How-To" section of the forum you can find various guides to prevent any leak on systems running iptables.

Kind regards
xyz 3 Posted ...

The previous version only allowed connection to the internet from the tun0 interface, and from any interface to the VPN servers. This should prevent DNS leaks; however, I discovered that if my system is configured to use a default DNS server provided by my router (e.g. 192.168.1.1), then the rule that allows all outgoing traffic to the local network would also allow the DNS queries to be sent to my router, which in turn would send them to my ISP. This would be a DNS leak.

Here is an updated version which should prevent DNS leaks. Specifically, these rules allow DNS queries only from the tun0 interface (see the comment in the full file):

sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 53 -j DROP
sudo iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j DROP

Currently I also block IPv6, which you can disable. Also, I now keep the list of whitelisted servers in a separate file called firewall-servers. This file is invoked from the main firewall script.

sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT # insert address at x.x.x.x
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT

Full file:

##################################################
############### BLOCK IPv6 ###############
##################################################
sudo ip6tables -F -t filter
sudo ip6tables -F -t nat
sudo ip6tables -X
sudo ip6tables -P INPUT DROP
sudo ip6tables -P OUTPUT DROP
sudo ip6tables -P FORWARD DROP

##################################################
############### RESET IPv4 ###############
##################################################
### first thing - flush all rules & delete user's chains ###
sudo iptables -F -t filter
sudo iptables -F -t nat
sudo iptables -X

##################################################
############### INPUT IPv4 ###############
##################################################
### default policy is to drop all incoming packets ###
sudo iptables -P INPUT DROP
### EXCEPTIONS ###
### allow loopback access ###
sudo iptables -A INPUT -i lo -j ACCEPT
### allow all incoming connections related or already established ###
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### allow incoming connections on several ports ###
sudo iptables -A INPUT -p tcp -m tcp --dport 1234 -j ACCEPT #torrent
sudo iptables -A INPUT -p udp -m udp --dport 1234 -j ACCEPT #torrent
sudo iptables -A INPUT -p tcp -m tcp --dport 5678 -j ACCEPT #ed2k
sudo iptables -A INPUT -p udp -m udp --dport 5678 -j ACCEPT #ed2k
### allow all incoming connections from local network ###
# sudo iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
### allow DHCP ###
sudo iptables -A INPUT -s 255.255.255.255 -j ACCEPT
### VARIOUS OTHER THINGS TO CONSIDER ###
### allow UPNP ###
# sudo iptables -A INPUT -p udp -m udp --dport 1900 -j ACCEPT
# sudo iptables -A INPUT -p udp -m udp --sport 1900 -j ACCEPT
### allow Local Peer Discovery ###
# sudo iptables -A INPUT -p udp -d 239.192.152.143 -m udp --dport 6771 -j ACCEPT
### allow MDNS ###
# sudo iptables -A INPUT -p udp -d 224.0.0.251 -m udp --dport 5353 -j ACCEPT
### allow SMB ###
# sudo iptables -A INPUT -p udp -m udp --sport 137:139 -j ACCEPT
### log the rest (and then drop it by default policy) ###
# sudo iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "

##################################################
############### OUTPUT IPv4 ###############
##################################################
### default policy is to drop all outgoing packets ###
sudo iptables -P OUTPUT DROP
### Also drop any DNS requests from interfaces other than tun0.
### Otherwise, if the system is configured to use a default DNS server and this server is in the local network (e.g. the router),
### the rule that allows all outgoing traffic to the local network will also allow DNS queries, which will then be sent
### by the router to the ISP. This would be a DNS leak.
sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 53 -j DROP
sudo iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j DROP
### EXCEPTIONS ###
### allow loopback access ###
sudo iptables -A OUTPUT -o lo -j ACCEPT
### allow all outgoing connections from tun0 interface ###
sudo iptables -A OUTPUT -o tun0 -j ACCEPT
### allow all outgoing connections to VPN servers from any interface (eth, wlan, tun) ###
source firewall-servers
### allow all outgoing connections to local network ###
sudo iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
### allow DHCP ###
sudo iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
### allow MDNS ###
# sudo iptables -A OUTPUT -p udp -d 224.0.0.251 -m udp --dport 5353 -j ACCEPT
### log the rest (and then drop it by default policy) ###
# sudo iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

##################################################
############### FORWARD IPv4 ##############
##################################################
### default policy is not to forward packets ###
sudo iptables -P FORWARD DROP
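Added example, not part of the thread: a small Python model of the two OUTPUT chains posted above (the first post's rules and the updated ones), walked in iptables order so you can see which rule decides the fate of a DNS query. It reproduces the leak the second post describes (the LAN-to-LAN ACCEPT letting port 53 reach the router) and also shows what the updated chain does to a query sent to a resolver on loopback. Sample addresses and interface names are constructed for the example; only the matches the posted rules use are modelled.

```python
import ipaddress

# Constructed model of an iptables OUTPUT chain: a rule is a set of matches plus
# a target; LOG is non-terminating, ACCEPT/DROP end evaluation, else the policy applies.
def rule(target, out=None, not_out=False, proto=None, dport=None, src=None, dst=None):
    return {"target": target, "out": out, "not_out": not_out, "proto": proto,
            "dport": dport, "src": src and ipaddress.ip_network(src),
            "dst": dst and ipaddress.ip_network(dst)}

def matches(r, pkt):
    # "! -o tun0" is modelled by not_out=True: the interface test is inverted.
    if r["out"] is not None and (pkt["out"] == r["out"]) == r["not_out"]:
        return False
    if r["proto"] is not None and pkt["proto"] != r["proto"]:
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    for key in ("src", "dst"):
        if r[key] is not None and ipaddress.ip_address(pkt[key]) not in r[key]:
            return False
    return True

def verdict(chain, pkt, policy="DROP"):
    """First terminating rule that matches decides; otherwise the chain policy."""
    for r in chain:
        if matches(r, pkt) and r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
    return policy

def packet(out, src, dst, proto, dport=None):
    return {"out": out, "src": src, "dst": dst, "proto": proto, "dport": dport}

VPN_SERVER = "95.211.169.3/32"   # the single server address from the first post
LAN = "192.168.0.0/16"
# OUTPUT chain of the first post, in the order the rules were appended.
ORIGINAL = [
    rule("ACCEPT", out="lo"),
    rule("ACCEPT", out="tun0"),
    rule("ACCEPT", dst=VPN_SERVER),
    rule("ACCEPT", src=LAN, dst=LAN),          # the DNS leak path to the router
    rule("ACCEPT", dst="255.255.255.255/32"),
    rule("LOG"),
]
# Updated post: port-53 traffic not leaving via tun0 is dropped before anything else.
UPDATED = [rule("DROP", out="tun0", not_out=True, proto=p, dport=53)
           for p in ("tcp", "udp")] + ORIGINAL
# Constructed sample packets (addresses are made up for the example).
DNS_TO_ROUTER = packet("eth0", "192.168.1.20", "192.168.1.1", "udp", 53)
DNS_VIA_TUNNEL = packet("tun0", "10.4.0.6", "10.4.0.1", "udp", 53)
DNS_TO_LOOPBACK = packet("lo", "127.0.0.1", "127.0.0.53", "udp", 53)
```

Because the two DROP rules are appended before the loopback ACCEPT and `! -o tun0` also matches lo, a stub resolver listening on 127.0.0.53 is cut off by the updated chain; anyone running a local resolver would need to order the loopback rule first.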