Bind all outgoing traffic via iptables, but still allow ssh access


Hi,

 

I read the following posts:

https://airvpn.org/topic/8248-solved-transmission-bittorrent-not-working/?do=findComment&comment=8259

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=30&Itemid=142#2010

 

With these guides I set up my iptables so that all traffic which is not going through my tun0/vpn interface is blocked.

Logically, when the openvpn connection drops, no connection is allowed out anymore. Well, I haven't tested it, but I assume so.

 

Here comes my question:
I still need ssh access to my linux machine, so that I can restart openvpn in the event it has dropped the connection.

But how can I access my system when everything is blocked?

My network setup:

ISP<->Router<->linux.system

 

Without the iptables rules and without an active vpn connection I have a port forwarding on the router to access my linux system via ssh.

With the vpn active I have set up a port forwarding under airvpn too, so my system is accessible.

 

As I'm relatively new to iptables and the openvpn topic, I'm not quite sure how to ensure that I have an ssh connection to my system in the event openvpn drops.

 

My iptable rules:

iptables -L -n -v
Chain INPUT (policy ACCEPT 24935 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  310 18407 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       255.255.255.255      0.0.0.0/0           
  466 65595 ACCEPT     all  --  *      *       192.168.0.0/16       192.168.0.0/16      

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth+   tun+    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tun+   eth+    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 22849 packets, 5585K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  310 18407 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   99 15147 ACCEPT     all  --  *      *       0.0.0.0/0            255.255.255.255     
  344 33491 ACCEPT     all  --  *      *       192.168.0.0/16       192.168.0.0/16      
  338  118K DROP       all  --  *      eth+    0.0.0.0/0           !95.211.138.19

My route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.4.48.197     128.0.0.0       UG    0      0        0 tun0
default         fritz.box       0.0.0.0         UG    0      0        0 eth0
10.4.0.1        10.4.48.197     255.255.255.255 UGH   0      0        0 tun0
10.4.48.197     *               255.255.255.255 UH    0      0        0 tun0
95.211.XXX.XX   fritz.box       255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.4.48.197     128.0.0.0       UG    0      0        0 tun0
192.168.178.0   *               255.255.255.0   U     0      0        0 eth0

 

 

It would be great if someone with experience in this topic could help me. Thanks!


Hello!

 

A possible solution is allowing total access to inbound port 22, protocol TCP:

 

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

 

In this case make sure to harden sshd security!

 

Kind regards


I looked again into my problem and came to the following solution.

I'd like to share it with you, so that nobody has to do the same work again.

 

My vpn setup:

/etc/openvpn # ll -Gg
total 100
-rw-r--r-- 1  604 Aug 29 11:04 AirVPN_America_UDP-443.ovpn
-rw-r--r-- 1  602 Aug 29 11:04 AirVPN_Europe_UDP-443.ovpn
-rw-r--r-- 1  599 Aug 29 11:04 AirVPN_NL-Castor_UDP-443.ovpn
-rw-r--r-- 1  599 Aug 29 11:10 AirVPN_NL-Corvi_UDP-443.ovpn
-rw-r--r-- 1  601 Aug 29 11:10 AirVPN_NL-Leporis_UDP-443.ovpn
-rw-r--r-- 1  601 Aug 29 11:11 AirVPN_NL-Lyncis_UDP-443.ovpn
-rw-r--r-- 1  602 Aug 29 11:11 AirVPN_NL-Ophiuchi_UDP-443.ovpn
-rw-r--r-- 1  603 Aug 29 11:11 AirVPN_US-Andromedae_UDP-443.ovpn
-rw-r--r-- 1  601 Aug 29 11:11 AirVPN_US-Arrakis_UDP-443.ovpn
-rw-r--r-- 1  598 Aug 29 11:11 AirVPN_US-Heze_UDP-443.ovpn
-rw-r--r-- 1  600 Aug 29 11:12 AirVPN_US-Librae_UDP-443.ovpn
-rw-r--r-- 1  602 Aug 29 11:12 AirVPN_US-Pavonis_UDP-443.ovpn
-rw-r--r-- 1  600 Aug 29 11:12 AirVPN_US-Persei_UDP-443.ovpn
-rw-r--r-- 1  600 Aug 29 11:13 AirVPN_US-Pollux_UDP-443.ovpn
-rw-r--r-- 1  599 Aug 29 11:13 AirVPN_US-Sirius_UDP-443.ovpn
-rw-r--r-- 1 1562 Aug 22 16:51 ca.crt
lrwxrwxrwx 1   29 Aug 29 11:04 default.conf -> AirVPN_NL-Castor_UDP-443.ovpn
drwxr-xr-x 2 4096 Aug 26 21:51 log/
-rwxr-xr-x 1 2766 Aug 29 11:09 setupIPtables.sh*
-rwxr-xr-x 1 3139 Aug 29 11:06 switch.AirVPN.sh*
-rwxr-xr-x 1 1357 Jun 16  2011 update-resolv-conf*
-rw-r--r-- 1 5127 Aug 22 16:51 user.crt
-rw------- 1 1675 Aug 22 16:51 user.key

I saved the VPN servers I'd like to use from airvpn.org under /etc/openvpn.

I added the following lines to each ovpn file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
status log/openvpn.status.log

So here is one example of what it looks like. I blackened the remote line.

cat AirVPN_NL-Castor_UDP-443.ovpn
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Tuesday 27th of August 2013 02:48:58 PM
# OpenVPN Client Configuration
# AirVPN_NL-Castor_UDP-443
# --------------------------------------------------------

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
status log/openvpn.status.log

client
dev tun
proto udp
remote IPADRESS PORT
resolv-retry infinite
nobind
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
explicit-exit-notify 5
ca "ca.crt"
cert "user.crt"
key "user.key"


 

I wrote a simple script, so I can switch between my selection of vpn servers:

cat switch.AirVPN.sh
#!/bin/bash

# default.conf is a symlink in /etc/openvpn, so work from there no matter
# where the script was started
cd /etc/openvpn || exit 1

# stop OpenVPN, point default.conf at the chosen profile, start again and
# reload the firewall rules
switch_to() {
    /etc/init.d/openvpn stop
    sleep 15s
    rm -f default.conf
    ln -s "$1" default.conf
    /etc/init.d/openvpn start
    /etc/openvpn/setupIPtables.sh
}

while :
do
clear
cat << EOF
  1) Switch to Europe VPN
  2) Switch to America VPN
  3) NL-Castor
  4) NL-Corvi
  5) NL-Leporis
  6) NL-Lyncis
  7) NL-Ophiuchi
  8) US-Andromedae
  9) US-Arrakis
  10) US-Heze
  11) US-Librae
  12) US-Pavonis
  13) US-Persei
  14) US-Pollux
  15) US-Sirius
  22) stop VPN
  31) show iptables
  32) show route
  33) show ifconfig
  44) exit
EOF

read -r input
case $input in
  1) switch_to AirVPN_Europe_UDP-443.ovpn ;;
  2) switch_to AirVPN_America_UDP-443.ovpn ;;
  3) switch_to AirVPN_NL-Castor_UDP-443.ovpn ;;
  4) switch_to AirVPN_NL-Corvi_UDP-443.ovpn ;;
  5) switch_to AirVPN_NL-Leporis_UDP-443.ovpn ;;
  6) switch_to AirVPN_NL-Lyncis_UDP-443.ovpn ;;
  7) switch_to AirVPN_NL-Ophiuchi_UDP-443.ovpn ;;
  8) switch_to AirVPN_US-Andromedae_UDP-443.ovpn ;;
  9) switch_to AirVPN_US-Arrakis_UDP-443.ovpn ;;
  10) switch_to AirVPN_US-Heze_UDP-443.ovpn ;;
  11) switch_to AirVPN_US-Librae_UDP-443.ovpn ;;
  12) switch_to AirVPN_US-Pavonis_UDP-443.ovpn ;;
  13) switch_to AirVPN_US-Persei_UDP-443.ovpn ;;
  14) switch_to AirVPN_US-Pollux_UDP-443.ovpn ;;
  15) switch_to AirVPN_US-Sirius_UDP-443.ovpn ;;
  22) /etc/init.d/openvpn stop ;;
  31) iptables -L -v -n --line-numbers ;;
  32) route ;;
  33) ifconfig ;;
  44) exit ;;
  *) echo wrong input ;;
esac
read -r _   # wait for Enter before redrawing the menu
done

 

I also set up my iptables with the following idea:

1) All traffic should go over the vpn tunnel tun0.

2) No traffic leak if the vpn tunnel drops.

3) SSH Access over my public IP, and only over my public IP, should always be allowed.

 

 

I blackened the remote IP again. Copy the remote IP from your ovpn files to XXX.XXX.XXX.XXX:

#!/bin/bash

### iptables

# flush existing rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow already established/accepted connections on all devices
# put in front for performance reasons
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# make sure that you can communicate within your own network
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

# drop ssh connections that arrive over the vpn. You only need this if you
# have set up an AirVPN port forwarding to your ssh port
iptables -A INPUT -i tun0 -p tcp --dport ssh -j DROP

# allow outgoing connections through the VPN
iptables -A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT

# allow establishing the vpn tunnel. dig may return more than one address,
# so add one rule per address instead of passing the whole list to one -d
for host in america.vpn.airdns.org europe.vpn.airdns.org; do
    for ip in $(dig +short "$host" | grep -E '^[0-9.]+$'); do
        iptables -A OUTPUT -o eth0 -d "$ip" -m conntrack --ctstate NEW -j ACCEPT
    done
done
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -d XXX.XXX.XXX.XXX -m conntrack --ctstate NEW -j ACCEPT

# ssh
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# set default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

 

 

Run switch.AirVPN.sh on your linux system in a tmux/screen session, so you can connect via ssh and load a new vpn server if needed.

 

I hope this post can help others, too.



Hi,

 

Could you write a script to toggle between VPN and normal internet access, i.e. without VPN?

 

Sometimes I wish to just connect directly to the internet without the VPN.


andromeda,

 

If you stop the VPN server and flush your iptables you should have your normal internet setup again.

In my example, use 22) and add 23) Flush Iptables.

 

switch.AirVPN.sh

  22) stop VPN
  23) Flush IpTables

  22) /etc/init.d/openvpn stop ;;
  23) iptables -F ;;

Provided that you haven't set up other iptables chains/rules; otherwise you would delete all rules with iptables -F.

 

Let me know if I could help you.


It's the last code posted; it started with:

 

#!/bin/bash

### iptables

 

 

One word of caution:

I sometimes had the problem that I couldn't connect via ssh from the outside when the iptables rules were active, and I have no clue why this is happening. So if you need ssh access from outside, be careful :/
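The pieces this thread converges on (the setupIPtables.sh script, the 22)/23) toggle back to a normal connection, and the caution just above that ssh from outside sometimes fails) can be tied together in one script. What follows is an added example written for this page; it is not code from any poster or from AirVPN. It assumes the names from the route table in the first post (eth0, tun0, the 192.168.178.0/24 LAN) and a gateway address of 192.168.178.1 for fritz.box, which the thread does not state; the VPN_ENDPOINTS list holds placeholders to be replaced by the remote hosts from your .ovpn files. Beyond the posted script it does three things: it admits inbound ssh on eth0 only, so no separate drop rule for tun0 is needed; it adds one rule per address that dig returns; and it uses a connection mark plus a second routing table so that replies to ssh sessions arriving on eth0 leave through the router again. With the route table shown in the first post, both halves of the default route point at tun0, so while the tunnel is up the kernel sends the replies to a connection from a public address into the VPN and the session from outside never completes; that is a likely cause of the symptom described above. The "off" action resets the policies to ACCEPT before flushing, because iptables -F on its own leaves the DROP policies in place.

```bash
#!/bin/bash
# Added example for this thread, not the poster's setupIPtables.sh: kill switch
# that admits ssh on the LAN side only and keeps those sessions' replies on the
# LAN gateway via policy routing while the VPN holds the default route.
# Assumed (not stated in the thread): fritz.box = 192.168.178.1; other names
# follow the route table of the first post.

LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
LAN_NET=${LAN_NET:-192.168.178.0/24}
LAN_GW=${LAN_GW:-192.168.178.1}
SSH_PORT=${SSH_PORT:-22}
RT_TABLE=${RT_TABLE:-100}     # routing table for marked ssh replies
MARK=${MARK:-0x1}
# Placeholders: replace with the "remote" hosts/addresses of your .ovpn files.
VPN_ENDPOINTS=${VPN_ENDPOINTS:-"europe.vpn.airdns.org america.vpn.airdns.org"}

# Print every IPv4 address a name resolves to, one per line; a literal address
# is printed unchanged. RESOLVE_STUB stands in for dig in offline tests.
resolve() {
    case "$1" in
        *[!0-9.]*)
            if [ -n "${RESOLVE_STUB:-}" ]; then printf '%s\n' $RESOLVE_STUB
            else dig +short "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'; fi ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Emit the commands that build the ruleset, one per line, so they can be
# reviewed (or checked by a test) before anything touches the kernel.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t mangle -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
    # One rule per resolved address: dig can return several A records and a
    # single "-d a b c" argument would make iptables reject the rule.
    for host in $VPN_ENDPOINTS; do
        for ip in $(resolve "$host"); do
            echo "iptables -A OUTPUT -o $LAN_IF -d $ip -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Mark ssh connections that arrive on the LAN side, restore the mark on
    # their replies and route marked packets through table RT_TABLE, whose
    # default route is the LAN gateway rather than the tunnel. rp_filter=2
    # (loose) keeps the kernel from discarding those inbound packets because
    # the main table would route their source address via the VPN.
    cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -p tcp --sport $SSH_PORT -j CONNMARK --restore-mark
ip rule del fwmark $MARK table $RT_TABLE 2>/dev/null || true
ip rule add fwmark $MARK table $RT_TABLE
ip route replace $LAN_NET dev $LAN_IF table $RT_TABLE
ip route replace default via $LAN_GW dev $LAN_IF table $RT_TABLE
sysctl -q -w net.ipv4.conf.$LAN_IF.rp_filter=2
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Commands that give plain internet access back. Policies return to ACCEPT
# before the flush: "iptables -F" alone keeps the DROP policies and cuts the
# machine off completely.
teardown_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t mangle -F
ip rule del fwmark $MARK table $RT_TABLE 2>/dev/null || true
ip route flush table $RT_TABLE
EOF
}

case "${1:-}" in
    show)  build_rules ;;              # dry run: print the commands only
    apply) build_rules | sh -e ;;      # run as root; works with the VPN up or down
    off)   teardown_rules | sh -e ;;   # back to the normal internet connection
esac
```

Run `./killswitch.sh show` first and read the rules, then `sudo ./killswitch.sh apply`; `sudo ./killswitch.sh off` replaces the 23) menu entry. The rules are not persistent, so re-run apply after a reboot (or call it from the same place setupIPtables.sh is called today).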

