Jump to content
Not connected, Your IP: 3.238.174.50
xyz

My first IPTABLES setup

Recommended Posts

Hello, I'm new to VPNs and after reading some tutorials about VPNs and  iptables I tried to build my own simple set of rules. I post this to ask for your opinion if this setup is safe enough (I want to block all outgoing traffic except through VPN tunnel and except initial connection to VPN server from any interface). This setup is for an average desktop computer behind a router with DHCP enabled.

 

Here it is:

### first thing - flush all rules & delete user's chains
iptables -F
iptables -X

##################################################
###############       INPUT        ###############
##################################################

 ### default policy is to drop all incoming packets: 
iptables -P INPUT DROP
### EXCEPTIONS:
### allow loopback access:
iptables -A INPUT -i lo - j ACCEPT
### allow all incoming connections related or already established:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### allow incoming connections on several ports:
iptables -A INPUT -p tcp -m tcp --dport 7777 -j ACCEPT #torrent
iptables -A INPUT -p udp -m udp --dport 7777 -j ACCEPT #torrent
iptables -A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT #ed2k
iptables -A INPUT -p udp -m udp --dport 8888 -j ACCEPT #ed2k
### allow all incoming connections from local network (not desired for me, so commented):
#iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
### allow DHCP:
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
### log the rest (and then drop it by default policy):
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "

##################################################
###############       OUTPUT       ###############
##################################################

### default policy is to drop all outgoing packets:
iptables -P OUTPUT DROP
### EXCEPTIONS:
### allow loopback access:
iptables -A OUTPUT -o lo -j ACCEPT
### allow all outgoing connections from tun0 interface:
iptables -A OUTPUT -o tun0 -j ACCEPT
### allow all outgoing connections to VPN server from any interface (eth, wlan, tun):
iptables -A OUTPUT -d 95.211.169.3 -j ACCEPT
### allow all outgoing connections to local network:
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
### allow DHCP:
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
### log the rest (and then drop it by default policy):
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

##################################################
###############       FORWARD       ##############
##################################################

### default policy is not to forward packets:
iptables -P FORWARD DROP
### EXCEPTIONS:
### accept forwarding from tun0 to eth0/wlan0 and vice versa:
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT

##################################################
###############     POSTROUTING     ##############
##################################################

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

### OTHER THINGS TO CONSIDER:
### allow UPNP (probably not needed with VPN):
#iptables -A INPUT -p udp -m udp --dport 1900 -j ACCEPT
#iptables -A INPUT -p udp -m udp --sport 1900 -j ACCEPT
### allow Local Peer Discovery:
#ptables -A INPUT -p udp -d 239.192.152.143 -m udp --dport 6771 -j ACCEPT
### allow MDNS:
#iptables -A INPUT -p udp -d 224.0.0.251 -m udp --dport 5353 -j ACCEPT
### allow SMB:
#iptables -A INPUT -p udp -m udp --sport 137:139 -j ACCEPT

 

I have also a few questions:

1) Do I need to use this rule? I am behind router with DHCP.

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Everything seems to work fine without it. When iptables are switch off this rule doesn't work as well so I don't know if I need it.

 

2) When I start connection from my computer with openvpn running,

does it go [eth0 => tun0 => vpn_server => internet]

or it's [tun0 => eth0 => vpn_server => internet] ?

 

3) I hope that when I login to my router, this connection doesn't go through VPN server (tun interface)?

 

4) How can I get an address of eg. germany.airvpn.org or europe.airvpn.org so I can use it instead of a single server address?

Share this post


Link to post

Very useful post. Thanks.

 

I used many lines of it on my Asus RT-N56U BusyBox custom firmware w/ OpenVPN. I still haven't figured out how to route wired traffic over the VPN but wireless over the unencrypted connection but I'm getting there.

Share this post


Link to post

Hi thanks for the post,  can I ask is this iptable setup used to prevent DNS leaks?  Ie your iptable blocks any other connection revealing your real IP ?

 

I did at one point have Airvpn dns servers in my setup which only allowed connections to work via air dns servers,  but this sadly stopped working after a few days and I had to use opennic servers to gain internet access..... would it not be easier to use airvpn dns servers to prevent leaks then a ip table?

 

am seeing only guides for preventing DNS leaks more on windows and comodo setups... but not sure if they would work for our Router VPN setups.

Share this post


Link to post

@Royee

 

You don't see anything outside Windows because DNS leaks occur on Windows only. In the "How-To" section of the forum you can find various guides to prevent any leak on systems running iptables.

 

Kind regards

Share this post


Link to post

The previous version only allowed connection to the internet from tun0 interface, and from any interface to vpn servers. This should prevent DNS leaks,
however I discovered that if my system is configured to use a default DNS server provided by my router (e.g. 192.168.1.1), then the rule to allow all outgoing traffic to local network would also allow the DNS queries to be sent to my router, which in turn would send them to my ISP. This would be a DNS leak.

Here is an updated version which should prevent DNS leaks. Specifically this rules allow DNS queries only from tun0 interface (see comment in the full file):

sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 53 -j DROP
sudo iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j DROP

Currently I also block IPv6 which you can disable.

Also I now keep the list of whitelisted servers in a separate file called firewall-servers. This file is invoked from the main firewall script.
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT # insert address at x.x.x.x
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT

Full file:
##################################################
###############     BLOCK IPv6     ###############
##################################################
sudo ip6tables -F -t filter
sudo ip6tables -F -t nat
sudo ip6tables -X 

sudo ip6tables -P INPUT DROP
sudo ip6tables -P OUTPUT DROP
sudo ip6tables -P FORWARD DROP


##################################################
###############     RESET IPv4     ###############
##################################################

### first thing - flush all rules & delete user's chains ###
sudo iptables -F -t filter
sudo iptables -F -t nat
sudo iptables -X


##################################################
###############     INPUT IPv4     ###############
##################################################

### default policy is to drop all incoming packets ###
sudo iptables -P INPUT DROP

### EXCEPTIONS ###

### allow loopback access ###
sudo iptables -A INPUT -i lo -j ACCEPT

### allow all incoming connections related or already established ###
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### allow incoming connections on several ports ###
sudo iptables -A INPUT -p tcp -m tcp --dport 1234 -j ACCEPT #torrent
sudo iptables -A INPUT -p udp -m udp --dport 1234 -j ACCEPT #torrent
sudo iptables -A INPUT -p tcp -m tcp --dport 5678 -j ACCEPT #ed2k
sudo iptables -A INPUT -p udp -m udp --dport 5678 -j ACCEPT #ed2k

### allow all incoming connections from local network ###
# sudo iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

### allow DHCP ###
sudo iptables -A INPUT -s 255.255.255.255 -j ACCEPT

### VARIOUS OTHER THINGS TO CONSIDER ###

### allow UPNP ###
# sudo iptables -A INPUT -p udp -m udp --dport 1900 -j ACCEPT
# sudo iptables -A INPUT -p udp -m udp --sport 1900 -j ACCEPT

### allow Local Peer Discovery ###
# sudo iptables -A INPUT -p udp -d 239.192.152.143 -m udp --dport 6771 -j ACCEPT

### allow MDNS ###
# sudo iptables -A INPUT -p udp -d 224.0.0.251 -m udp --dport 5353 -j ACCEPT

### allow SMB ###
# sudo iptables -A INPUT -p udp -m udp --sport 137:139 -j ACCEPT

### log the rest (and then drop it by default policy) ###
# sudo iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "


##################################################
###############     OUTPUT IPv4    ###############
##################################################

### default policy is to drop all outgoing packets ###
sudo iptables -P OUTPUT DROP

### Also drop any DNS requests from interfaces other than tun0.
### Otherwise, if the system is configured to use a default DNS server and this server is in local network (e.g. router),
### the rule that allows all outgoing traffic to local network will also allow DNS queries, which will then be sent
### by the router to the ISP provider. This would be a DNS leak.
sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 53 -j DROP
sudo iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j DROP

### EXCEPTIONS ###

### allow loopback access ###
sudo iptables -A OUTPUT -o lo -j ACCEPT

### allow all outgoing connections from tun0 interface ###
sudo iptables -A OUTPUT -o tun0 -j ACCEPT

### allow all outgoing connections to VPN servers from any interface (eth, wlan, tun) ###
source firewall-servers

### allow all outgoing connections to local network ###
sudo iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

### allow DHCP ###
sudo iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT

### allow MDNS ###
# sudo iptables -A OUTPUT -p udp -d 224.0.0.251 -m udp --dport 5353 -j ACCEPT 

### log the rest (and then drop it by default policy) ###
# sudo iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "


##################################################
###############     FORWARD IPv4    ##############
##################################################

### default policy is not to forward packets ###
sudo iptables -P FORWARD DROP


 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...