Showing results for tags 'Iptables'.
Found 29 results
-
Hi, I'm using Eddie version 2.21.8 on Arch with Bspwm with no problems. Iptables updated yesterday and when I went to start the client today, there was no button for network lock. I checked the update log and presumed that this was iptables. I had a previous problem with it, which I resolved by using nftables. I downgraded iptables to the most recent version and rebooted. All problems were resolved. Just a heads-up to anyone who encounters this.
-
I'm trying to accept incoming connections to port 12345 on my VPN connection tun0. Right now split tunneling is working correctly, sending all data from user vpn through tun0. I've configured the port in the Client Area but am not able to successfully accept connections. This is my OpenVPN up.sh file that runs after a successful connection is made.

#! /bin/bash
export INTERFACE="tun0"
export NETIF="eno1"
export VPNUSER="vpn"
export LOCALIP="192.168.1.2"
export LOCALSUB="192.168.1.0/24"

# flushes all the iptables rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# setting default actions
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

iptables -I INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT ! -s $LOCALIP -o $NETIF -j REJECT --reject-with icmp-port-unreachable

# block outgoing mail
iptables -A OUTPUT -p tcp --dport 25 -j REJECT

#SSH
iptables -A INPUT -s $LOCALSUB -i $NETIF -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT

# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses on VPN connection
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# all packets on $INTERFACE need to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

# allow forwarded ports on VPN connection (this part doesn't seem to work)
iptables -A INPUT -i $INTERFACE -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT
iptables -A INPUT -i $INTERFACE -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 12345 -j ACCEPT

# allow IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start routing script
/etc/openvpn/routing.sh

exit 0

This is the output of iptables -S.

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eno1 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 12345 -j ACCEPT
-A INPUT -i tun0 -p udp -m conntrack --ctstate NEW,ESTABLISHED -m udp --dport 12345 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -s 192.168.1.2/32 -o eno1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-
Hi, I use a custom bash script in Linux to enable leak protection using iptables. That is, the firewall blocks all outgoing internet connections whose destination is a non-AirVPN IP address. I would like to keep the protection enabled always and automatically connect to the best current server in the Netherlands, for instance. This requires resolving the IP address of nl.vpn.airdns.org. However, if the leak protection is enabled and I have not connected to any AirVPN server, I cannot resolve the IP address. I would not like to temporarily enable access to some other DNS service, like Cloudflare's 1.1.1.1 or Google's 8.8.8.8, nor to temporarily connect to a random AirVPN server just to find out the best current server. I have not yet tested AirVPN's Linux suite, which would likely do this automatically. I wonder if there is a way to accomplish this DNS name resolution in a simple manner using just bash? As far as I know, AirVPN does not have public DNS servers.
-
I'm running Eddie 2.16.3 installed from AUR on Manjaro with kernel 4.18.5 and I'm finding that network lock takes a long time to apply all the rules required. From the logs:

2018.09.05 11:46:39 - Shell(15) of '/usr/sbin/iptables', 1 args: '-P INPUT ACCEPT';
2018.09.05 11:46:40 - Shell(15) done in 297 ms, exit: 0
2018.09.05 11:46:40 - Shell(16) of '/usr/sbin/iptables', 1 args: '-P FORWARD ACCEPT';
2018.09.05 11:46:40 - Shell(16) done in 270 ms, exit: 0
...
2018.09.05 11:52:32 - Shell(1336) of '/usr/sbin/ip6tables', 1 args: '-I OUTPUT 1 -d 2a0d:5600:2:5:5200:5517:2b3b:f9b6 -j ACCEPT';
2018.09.05 11:52:32 - Shell(1336) done in 263 ms, exit: 0
2018.09.05 11:52:32 - Shell(1337) of '/usr/sbin/ip6tables', 1 args: '-I OUTPUT 1 -d 2a0d:5600:2:5:cf41:c8d8:2e78:17b2 -j ACCEPT';
2018.09.05 11:52:32 - Shell(1337) done in 260 ms, exit: 0

As you can see this takes a long time (around 6 minutes) with iptables version 1.6.2. At the moment I've got a workaround by just backing up / restoring the iptables rules using

iptables-save > iptables_rules_AirVPN.txt
iptables-restore < iptables_rules_AirVPN.txt

This change is immediate but I understand that this isn't great as things will change. Anyone else encountered similar?
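The workaround in the post above (iptables-save / iptables-restore) is fast because iptables-restore commits a whole table in one call instead of spawning one iptables process per rule, but a saved file goes stale as the server list changes. The script below is an added example, not Eddie's or AirVPN's code: it reads the Shell(...) lines in the format quoted above, totals the time spent, and renders the commands as one restore file per binary. It assumes only -P, -A and -I commands against the filter table (no -t), and the sample log is constructed from the four commands quoted in the post.

```python
"""Convert Eddie's one-process-per-rule log into an iptables-restore file.
Added example, not Eddie's or AirVPN's code; it assumes the log line format quoted
above and rules that use only -P, -A and -I in the filter table (no -t)."""
import re

# Constructed from the four commands quoted in the post above.
SAMPLE_LOG = """2018.09.05 11:46:39 - Shell(15) of '/usr/sbin/iptables', 1 args: '-P INPUT ACCEPT';
2018.09.05 11:46:40 - Shell(15) done in 297 ms, exit: 0
2018.09.05 11:46:40 - Shell(16) of '/usr/sbin/iptables', 1 args: '-P FORWARD ACCEPT';
2018.09.05 11:46:40 - Shell(16) done in 270 ms, exit: 0
2018.09.05 11:52:32 - Shell(1336) of '/usr/sbin/ip6tables', 1 args: '-I OUTPUT 1 -d 2a0d:5600:2:5:5200:5517:2b3b:f9b6 -j ACCEPT';
2018.09.05 11:52:32 - Shell(1336) done in 263 ms, exit: 0
2018.09.05 11:52:32 - Shell(1337) of '/usr/sbin/ip6tables', 1 args: '-I OUTPUT 1 -d 2a0d:5600:2:5:cf41:c8d8:2e78:17b2 -j ACCEPT';
2018.09.05 11:52:32 - Shell(1337) done in 260 ms, exit: 0
"""

CMD_RE = re.compile(r"Shell\((\d+)\) of '[^']*/(ip6?tables)', \d+ args: '([^']*)';")
DONE_RE = re.compile(r"Shell\((\d+)\) done in (\d+) ms, exit: (\d+)")


def parse_log(text):
    """Return ([(binary, argv), ...] for commands that exited 0, total milliseconds spent)."""
    pending, commands, total_ms = {}, [], 0
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = DONE_RE.search(line)
        if m and m.group(1) in pending:
            total_ms += int(m.group(2))
            cmd = pending.pop(m.group(1))
            if m.group(3) == "0":
                commands.append(cmd)
    return commands, total_ms


def to_restore(commands, binary):
    """Render the filter table for one binary ('iptables' or 'ip6tables') in restore format.

    Each '-I CHAIN 1 ...' in the log went to the top of its chain, so the final chain order
    is the reverse of the insertion order; the file replays that final order with -A only,
    and iptables-restore commits the whole table in one atomic call."""
    policies, chains = {}, {}
    for bin_, argv in commands:
        if bin_ != binary:
            continue
        toks = argv.split()
        verb, chain = toks[0], toks[1]
        if verb == "-P":
            policies[chain] = toks[2]
        elif verb == "-A":
            chains.setdefault(chain, []).append(" ".join(toks[2:]))
        elif verb == "-I":
            has_pos = toks[2].isdigit()            # '-I CHAIN 1 ...' or '-I CHAIN ...'
            pos = int(toks[2]) if has_pos else 1
            chains.setdefault(chain, []).insert(pos - 1, " ".join(toks[3 if has_pos else 2:]))
        else:
            raise ValueError("not handled here: " + argv)
    out = ["*filter"]
    out += [f":{chain} {policy} [0:0]" for chain, policy in policies.items()]
    out += [f"-A {chain} {rule}" for chain, rules in chains.items() for rule in rules]
    out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    cmds, ms = parse_log(SAMPLE_LOG)
    print(f"{len(cmds)} commands, {ms} ms spent spawning iptables")   # 4 commands, 1090 ms
    print(to_restore(cmds, "iptables"), end="")
    print(to_restore(cmds, "ip6tables"), end="")
```

Load the result with `iptables-restore < v4.rules` and `ip6tables-restore < v6.rules` (`iptables-restore --test` parses without committing). Two caveats: a restore file replaces every chain of the table it names unless run with `--noflush`, so build it from a complete network-lock log rather than the fragment shown; and `:CHAIN POLICY` lines are emitted only for chains the log set a policy on, so the other chains keep whatever policy they already had.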
-
Since yesterday I can't connect to any address without using Eddie. I deactivated network lock but I'm still not able to connect. iptables state:

sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

sudo ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Content of /etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53

Also ping to any address isn't working:

ping: google.com: Name or service not known

The connection through Eddie to any AirVPN server works without any troubles. Any ideas what is wrong?
-
Hi everyone, I am neither able to lock down the net nor connect to airvpn servers. This happens for the first time for me. Both on the terminal and through the UI I get the same error: "ip6tables: No chain/target/match by that name". I've got both an iptables and an ip6tables firewall running. I am on Gentoo Linux x86_64 (4.14.8-gentoo-r1). Please let me know if you need any logs. Thanks in advance.
-
masterip.txt The first half mitigates ddos attacks. The second half is for tor and the vpn. I use ssh port 22. I disable the proxy in the client and restart tor; the proxy gets in the way sometimes. I installed iptables-persistent and then ran dpkg-reconfigure iptables-persistent, which saves the rules to the rules.v4 and rules.v6 files in /etc/iptables. I suggest wireshark to sniff packets if you are dedicated; on debian just install it with apt install wireshark. On fedora you have to install the gnome package; there's a tutorial on youtube. When loading iptables make sure your network is owned by you because you will block subnets from the outside world. I'm using 192.168.0.0/16 and 127.0.0.0/8 for my network, so if this is true for you it should work; if you see a subnet in there that you own under the drop commands I would delete it. You can add the other two that I just mentioned in the drop command if you are not using these. Also I am using tor through tor routing so I have isc-dhcp-server set up. If you mess up on these, run iptables -F and iptables -t nat -F, then remove the rules files and reboot; at least that was the only way I could get my network back. If you do lose connection you are blocking a subnet that your device communicates with. I'M STILL WORKING ON THIS. IT SEEMS YOU NEED AIR RUNNING TO RUN IPCHAINS SO DON'T RUN THE DPKG COMMAND BECAUSE THEY WILL LOAD ON EVERY REBOOT. SAVE THEM AND RELOAD THEM AFTER YOU HAVE VPN RUNNING!!!!!! For onion routing (tor through tor) I have new ip chains for ubuntu; see the rolph tag, my new ip chains revised.
-
I have the VPN set up on my router. In the past I have successfully forwarded ports, using iptables, for a torrent client and a subsonic server that's running on a raspberry pi (my subsonic account uses a subdomain on subsonic.org). Now I've installed nextcloud on another raspberry. I can access it locally via the raspberry's ip, but I can't get to it externally. For external access, I'm hoping to use a subdomain on my own website. Here's what I've done:

1. Pointed the A Record of my subdomain (cloud.mysweetsite.com) to my DHCP ip address.
2. Forwarded a port on airvpn.com, using local port 443.
3. In my router (dd-wrt), I set up these iptables rules. 15119 is the port I forwarded on airvpn.

# DNAT runs in nat PREROUTING, before the routing decision, so by the time a packet
# reaches the filter FORWARD chain its destination is already 192.168.1.102:443.
# The FORWARD rules therefore match the translated port (443), not the arriving port 15119.
iptables -I FORWARD -i tun1 -p udp -d 192.168.1.102 --dport 443 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.102 --dport 443 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 15119 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 15119 -j DNAT --to-destination 192.168.1.102:443

4. In /etc/apache2/sites-available/nextcloud.conf I'm specifying ServerName cloud.mysweetsite.com

What am I missing? What have I done wrong? Perhaps I should ask on the nextcloud forums instead of here! But it just seems like the vpn adds an extra layer...
-
I am having an issue with my computers (Peppermint 7 and Linux Mint 18 respectively). Whenever I boot up and connect to a VPN server it works fine with no DNS leaks, but when I switch to a different server, the internet stops working while it says that I am connected to the VPN tunnel. The internet hangs, but whenever I connect to an AirVPN server through the Eddie client, it works with no problems at all. (I accidentally turned on Network Lock and it messed up the iptables, and I do not have a backup.) I did some looking around: Network Lock edits the Linux iptables and I don't know how to erase the rules. Nothing helps at the moment. Question is, where do I go to fix the issues Network Lock makes? Thanks.
-
Hi there, I'm hoping someone may be able to assist me with a configuration for my router. My setup is that I'm running a DD-WRT based router with three wireless networks and four devices using a wired connection to the router. Half of my local network is allocated to my DHCP pool for most of these devices. I have my VPN up and running fine, however I would like to do something more advanced with my setup. I would like to split up my network somewhat so that two of the wireless networks as well as the wired computers that all get their IPs from the DHCP pool utilize the VPN for their internet traffic while the devices outside of the DHCP pool and on the third wireless network do not use the VPN. I have the Policy Based Routing setup with the subnet of the DHCP pool and I've been playing around with my IPTables configuration, but I'm hitting a wall trying to keep the traffic split. Any help for this would be greatly appreciated. Thanks in advance, Miko
-
Hello, I've recently installed OpenVPN for Android (the open-source recommended choice) but I'm concerned about different issues. For instance, this app doesn't autostart at boot / reboot but has to be manually started. BTW Android uses wifi's previous state after reboot: when Wifi was "on" our real IP is visible until OpenVPN is manually started. When it crashes (it happens with the latest version) our real IP gets exposed too. I wonder if it could be possible to configure a firewall (AfWall+ or Droidwall) to block all the traffic except the traffic that transits through OpenVPN, for both Wifi and data (3G/4G)? These two apps are using iptables but I don't know how to write the custom rules matching my requirements. The help and knowledge of some computer savvy members would be appreciated. If it works we could maybe create a tutorial for the "How to" section of this forum? I've collected several articles regarding Android and iptables but I've no idea how I could adapt all this for AirVPN's .ovpn default config file (Europe).

https://android.stackexchange.com/questions/14455/how-can-i-block-the-traffic-outside-the-vpn-even-if-the-vpn-is-down
https://github.com/ukanth/afwall/wiki/Apps-leak-private-user-data-during-boot
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
https://droidvpn.com/page/stopping-leaks-with-droidwall-when-using-droidvpn-8/
https://airvpn.org/faq/software_lock/

Any idea? Thanks
-
Hello, I have a question that maybe someone more knowledgeable can answer. I have a computer at home that runs airvpn client and a remote computer. I want to be able to connect from either computer to the other one with ssh. Without airvpn client, everything works (obviously). If I run airvpn without network lock, I can ssh from home to remote (it goes via the AirVPN server) but not from remote to home. I tried to start airvpn with the parameter "routes.custom=my.remote.ip.addr,255.255.255.255,out" but it didn't help - the required route was not added to the routing table.

However, that problem was easily solved: I added the route separately with "route add -host my.remote.ip.address gw 192.168.1.1" and all was well: ssh works from home to remote and from remote to home bypassing AirVPN as I want it to do.

Now, I enable network lock. This time I need to add the "allowed IP" parameter to be able to ssh from home to remote:

./airvpn -cli -connect -netlock -login=**** password=**** netlock.allowed_ips=my.remote.ip.addr

But ssh from remote to home is blocked by the firewall. I can't find any airvpn parameter that can be used to create custom firewall rules. So I ended up with adding the required rule myself.

Before:

# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      177 16717 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     255.255.255.255      anywhere
3       93  8963 ACCEPT     all  --  any    any     192.168.0.0/16       192.168.0.0/16
4       26  4651 ACCEPT     all  --  any    any     10.0.0.0/8           10.0.0.0/8
5        0     0 ACCEPT     all  --  any    any     172.16.0.0/12        172.16.0.0/12
6        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
7     1890  460K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
8        0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
9        6   502 DROP       all  --  any    any     anywhere             anywhere

Add the rule:

iptables -t filter -I INPUT 9 -i eth0 -p tcp -s my.remote.ip.addr --dport 22 -j ACCEPT

After:

# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      182 17197 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     255.255.255.255      anywhere
3      107 10296 ACCEPT     all  --  any    any     192.168.0.0/16       192.168.0.0/16
4       41  6945 ACCEPT     all  --  any    any     10.0.0.0/8           10.0.0.0/8
5        0     0 ACCEPT     all  --  any    any     172.16.0.0/12        172.16.0.0/12
6        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
7     1981  480K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
8        0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
9        0     0 ACCEPT     tcp  --  eth0   any     my.remote.ip.addr    anywhere             tcp dpt:22
10       6   502 DROP       all  --  any    any     anywhere             anywhere

Now everything works again, but the question remains: what is the best way to achieve that? In the worst case scenario, I can just start airvpn in the background, wait a minute or so and then run iptables with my additional rule. But that looks ugly. Can anyone think of a better way? Maybe some "event.session..." or "event.vpn..." parameter will do the trick? Thanks for any help.
-
Hey guys, with ufw enabled the VPN connects but wget and web pages don't resolve:

$uname -a
Linux 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 2016 x86_64 x86_64 x86_64 GNU/Linux
$ufw reset
$ufw allow out on wlp1s0 to 213.152.161.180 port 443 proto udp
$ufw allow out on tun0
$ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
213.152.161.180 443/udp    ALLOW OUT   Anywhere on wlp1s0         # NL-Alblasserdam_Alchiba_UDP-443.ovpn
Anywhere                   ALLOW OUT   Anywhere on tun0           # tun0

$openvpn --config ~/VPN/NL-Alblasserdam_Alchiba_UDP-443.ovpn
Mon Oct 3 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Mon Oct 3 2016 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Mon Oct 3 2016 Control Channel Authentication: tls-auth using INLINE static key file
Mon Oct 3 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 3 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 3 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Oct 3 2016 UDPv4 link local: [undef]
Mon Oct 3 2016 UDPv4 link remote: [AF_INET]213.152.161.180:443
Mon Oct 3 2016 TLS: Initial packet from [AF_INET]213.152.161.180:443, sid=b2d0c912 4505e529
Mon Oct 3 2016 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Mon Oct 3 2016 Validating certificate key usage
Mon Oct 3 2016 ++ Certificate has key usage 00a0, expects 00a0
Mon Oct 3 2016 VERIFY KU OK
Mon Oct 3 2016 Validating certificate extended key usage
Mon Oct 3 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Oct 3 2016 VERIFY EKU OK
Mon Oct 3 2016 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Mon Oct 3 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Oct 3 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 3 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Oct 3 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 3 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Oct 3 2016 [server] Peer Connection Initiated with [AF_INET]213.152.161.180:443
Mon Oct 3 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Oct 3 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.48.174 255.255.0.0'
Mon Oct 3 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 3 2016 OPTIONS IMPORT: LZO parms modified
Mon Oct 3 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 3 2016 OPTIONS IMPORT: route options modified
Mon Oct 3 2016 OPTIONS IMPORT: route-related options modified
Mon Oct 3 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Oct 3 2016 ROUTE_GATEWAY 10.42.0.1/255.255.255.0 IFACE=wlp1s0 HWADDR=xx:xx:xx:xx:xx:xx
Mon Oct 3 2016 TUN/TAP device tun0 opened
Mon Oct 3 2016 TUN/TAP TX queue length set to 100
Mon Oct 3 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Oct 3 2016 /sbin/ip link set dev tun0 up mtu 1500
Mon Oct 3 2016 /sbin/ip addr add dev tun0 10.4.48.174/16 broadcast 10.4.255.255
Mon Oct 3 2016 /sbin/ip route add 213.152.161.180/32 via 10.42.0.1
Mon Oct 3 2016 /sbin/ip route add 0.0.0.0/1 via 10.4.0.1
Mon Oct 3 2016 /sbin/ip route add 128.0.0.0/1 via 10.4.0.1
Mon Oct 3 2016 Initialization Sequence Completed

$route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.4.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.42.0.1       0.0.0.0         UG    600    0        0 wlp1s0
10.4.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
10.42.0.0       0.0.0.0         255.255.255.0   U     600    0        0 wlp1s0
128.0.0.0       10.4.0.1        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp1s0
213.152.161.180 10.42.0.1       255.255.255.255 UGH   0      0        0 wlp1s0

$ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.9/24 brd 10.42.0.255 scope global wlp1s0
       valid_lft forever preferred_lft forever
    inet6 <removed>/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.4.48.174/16 brd 10.4.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 <removed>/64 scope link flags 800
       valid_lft forever preferred_lft forever

I don't usually touch my iptables directly but here's the output:

$iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             213.152.161.180      udp dpt:https
ACCEPT     all  --  anywhere             anywhere

Any help would be great. Let me know if you need any more info.
-
My hardware/firmware: Router Model: Linksys WRT 1200AC; Firmware Version: DD-WRT v3.0-r28788 std (01/13/16); Kernel Version: Linux 3.18.25 #59 SMP Mon Jan 11 11:48:34 CET 2016 armv7l

My goal: To open ports 8000 and 8001 on my router to allow a shoutcast server to livestream from static ip 192.168.10.172 on the network.

Hi, After reading https://airvpn.org/external_link/?url=https%3A%2F%2Fwww.dd-wrt.com%2Fwiki%2Findex.php%2FIptables_command%23Port_Forwarding_to_a_specific_LAN_IP and also being told that the GUI interface only forwards from WAN to LAN and not from TUN to LAN... it seems this is my last obstacle to streaming with Shoutcast. I still haven't been able to get iptables to work for me yet. I tried different variations of the commands, but nothing worked for me... then I didn't know if I was putting the right information into the variables. Has anyone with this or a similar dd-wrt setup successfully added open ports to your router firewall using iptables? If so, can I see how your commands look? Currently, all I have for my firewall commands are:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

What else should be there to open ports 8000 and 8001 to the static IP listed above? Thanks for any help and directions.
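The nextcloud post above and this shoutcast one both forward a port that arrives on the tun interface to a LAN host, and both depend on the same ordering fact: the nat PREROUTING DNAT runs before the routing decision, so the filter FORWARD chain sees the translated destination address and port, not the port the packet arrived on. The following Python is an added example, not DD-WRT, Tomato or AirVPN code: a small model of that two-step path plus a generator for the two rule lines per mapping. The client address 203.0.113.5 and the tun-side address 10.4.0.9 are made up, and since neither post shows the router's FORWARD policy for unmatched traffic it is a parameter.

```python
"""Port forwarding from a tun interface to a LAN host on a DD-WRT router: what the
filter FORWARD chain sees after nat PREROUTING has rewritten the destination.
Added example, not DD-WRT, Tomato or AirVPN code."""


def dnat(prerouting, pkt):
    """Apply the first matching nat PREROUTING DNAT rule and return the rewritten packet.
    This happens before the routing decision, so every later chain sees the new dst/dport."""
    for r in prerouting:
        if (pkt["in_if"], pkt["proto"], pkt["dport"]) == (r["in_if"], r["proto"], r["dport"]):
            return {**pkt, "dst": r["to_ip"], "dport": r["to_port"]}
    return pkt


def forward_verdict(forward, pkt, policy):
    """First FORWARD rule whose match fields all equal the packet's; else the chain policy."""
    for n, r in enumerate(forward, 1):
        if all(pkt.get(k) == v for k, v in r["match"].items()):
            return n, r["target"]
    return None, policy


def forward_port(tun, ext_port, lan_ip, lan_port, proto="tcp"):
    """Model and shell form of one mapping: <tun>:<ext_port> -> <lan_ip>:<lan_port>."""
    pre = {"in_if": tun, "proto": proto, "dport": ext_port, "to_ip": lan_ip, "to_port": lan_port}
    # The FORWARD rule matches the translated destination, not the port the packet arrived on.
    fwd = {"match": {"in_if": tun, "proto": proto, "dst": lan_ip, "dport": lan_port}, "target": "ACCEPT"}
    lines = [
        f"iptables -t nat -I PREROUTING -i {tun} -p {proto} --dport {ext_port} "
        f"-j DNAT --to-destination {lan_ip}:{lan_port}",
        f"iptables -I FORWARD -i {tun} -p {proto} -d {lan_ip} --dport {lan_port} -j ACCEPT",
    ]
    return pre, fwd, lines


# The nextcloud mapping: AirVPN port 15119 arriving on tun1 -> 192.168.1.102:443.
NEXTCLOUD_PRE, NEXTCLOUD_FWD, NEXTCLOUD_LINES = forward_port("tun1", 15119, "192.168.1.102", 443)
# The easy mistake: a FORWARD rule that matches the pre-DNAT port 15119.
MISTAKEN_FWD = {"match": {"in_if": "tun1", "proto": "tcp", "dst": "192.168.1.102", "dport": 15119},
                "target": "ACCEPT"}


def trace(prerouting, forward, policy="DROP"):
    """Constructed packet: internet client 203.0.113.5 hits the AirVPN-side port; 10.4.0.9 stands
    in for the address the VPN assigned to tun1 (made up, not from the post). Returns the
    post-DNAT (dst, dport) and the FORWARD verdict; the router's real policy for unmatched
    forwards is not shown in the posts, so it is a parameter here."""
    pkt = {"in_if": "tun1", "proto": "tcp", "src": "203.0.113.5", "dst": "10.4.0.9", "dport": 15119}
    after = dnat(prerouting, pkt)
    return after["dst"], after["dport"], forward_verdict(forward, after, policy)


if __name__ == "__main__":
    print(trace([NEXTCLOUD_PRE], [MISTAKEN_FWD]))    # ('192.168.1.102', 443, (None, 'DROP'))
    print(trace([NEXTCLOUD_PRE], [NEXTCLOUD_FWD]))   # ('192.168.1.102', 443, (1, 'ACCEPT'))
    # The shoutcast case: ports 8000 and 8001 on tun0 to 192.168.10.172, assuming the port
    # mapped on AirVPN equals the local port (the post does not say which port was mapped).
    for port in (8000, 8001):
        print("\n".join(forward_port("tun0", port, "192.168.10.172", port)[2]))
```

For the shoutcast router the generated lines go alongside the four rules already in the firewall script, one DNAT and one FORWARD line per port; if the ports mapped in the AirVPN client area differ from 8000 and 8001, pass that number as ext_port and keep the local port as lan_port.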
-
Currently, I divide my wireless SSID into two sets. I bridge WAN, LAN1, LAN2, LAN3, eth1 and eth2 as br0. br1 is set as wl1.1 and vlan3. If I want to force br0 to use OpenVPN while br1 uses the network outside the tunnel, how can I set it up? Right now I write iptables as follows.

#Enable NAT on the WAN (Correct a BUG)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Restrict br1 from accessing br0
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j logdrop
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j logdrop
#Restrict br1 from accessing tun1
iptables -I FORWARD -i br1 -o tun1 -m state --state NEW -j logdrop
#Restrict br1 from accessing the router
#iptables -I INPUT -i br1 -m state --state NEW -j DROP
#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
#Allow br0 to access DNS on the router
iptables -I INPUT -i br0 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -p tcp --dport 53 -j ACCEPT

Device: R7000 using Firmware: DD-WRT v3.0-r29440M kongac (04/19/16) with YAMON
-
Does the term host address from AirVPN.xml serve as a synonym for front-end server from e.g. Windows & Comodo - Prevent leaks tutorial? AirVPN's front-end servers have been changed few times since I bought first subscription. Can I therefore use AirVPN.xml to update Comodo Firewall/iptables configuration?
-
Hello, can someone explain how the iptables need to be changed for me in order to get the desired network lock working?

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:f0:ea:1a
          inet addr:10.0.3.226  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fef0:ea1a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14427656 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9119526 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20539458438 (20.5 GB)  TX bytes:2946926836 (2.9 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:510367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:510367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:109371859 (109.3 MB)  TX bytes:109371859 (109.3 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.7.67  P-t-P:10.4.7.67  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:965 (965.0 B)  TX bytes:2086 (2.0 KB)

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.4.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.3.1        0.0.0.0         UG    0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.4.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
128.0.0.0       10.4.0.1        128.0.0.0       UG    0      0        0 tun0
178.162.198.103 10.0.3.1        255.255.255.255 UGH   0      0        0 eth0

From https://airvpn.org/faq/software_lock/:

# Flush
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Flush V6
ip6tables -F
ip6tables -t nat -F
ip6tables -t mangle -F
# Local
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Local V6
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
# Make sure that you can communicate within your own network if Private Network option is enabled
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
iptables -A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
# Allow incoming pings if Ping option is enabled
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# Block All
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
# Block All V6
ip6tables -A OUTPUT -j DROP
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP
-
Hi @ all! Just need a little help, I'm not that knowledgeable in iptables etc. But I got a firewall rule for my DD-WRT that drops traffic as soon as the VPN connection is down:

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o eth1 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Now I need an exception for my modem IP; sometimes I need access so I can check if a tunnel goes down on my ISP (I've two). Is it possible to add an exception to my modem IP 172.56.35.12? Thanks and take care
-
Dear community, Hoping someone can help with this.... I am trying to set up a firewall script for my router running Tomato Firmware 1.28.0000 -121 K26ARM USB AIO-64K by SHIBBY on a Netgear R7000 Nighthawk on mostly default settings apart from the VPN Client. The script is to block all non-VPN traffic even if the connection fails and I have tried several suggestions made in the forums without success. Below is the script most people have success with (except me):

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

(from https://airvpn.org/topic/4287-how-to-block-all-traffic-with-dd-wrt-if-vpn-connection-fails/)

I think the problem lies in the assigned interface names. Below is my current routing table while VPN'd: In short, can someone modify the script to suit my arrangement?? Or let me know what direction I need to take to set this up.... Using the script above lets traffic through even if I stop the VPN client, and my attempts to modify it usually block all traffic. Any help would be much appreciated, EWS
-
I tried the guide to plugging leaks from the "how to" section. It has taken a long time to get the various components to compile on Fedora. Now I ran the s/w I can't access the outside world, except for the local subnetwork. Here is the output of iptables -L -v. Can someone spot the mistake? To test, I tried adding 8.8.8.8 (a DNS) to try to ping it. That doesn't work. Neither can I ping my router which is on 192.168.1.1. My NAS is 192.168.1.111. I can't ping that either. The s/w is running on Fedora 20 in a virtual box. This has IP 192.168.88.136 (static). The computer it is running on has IP 192.168.88.1 (through VMWare). I can ping 192.168.88.1 OK.

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    0     0 ACCEPT     all  --  any    any     192.168.1.111        192.168.88.136
    0     0 ACCEPT     all  --  any    any     8.8.8.8              192.168.88.136
    0     0 ACCEPT     all  --  any    any     192.168.88.1         192.168.88.136
    0     0 ACCEPT     all  --  any    any     192.168.3.1          192.168.88.136
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan+  any     anywhere             anywhere             match-set airvpn src
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere             match-set airvpn src

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wlan+  tun+    anywhere             anywhere
    0     0 ACCEPT     all  --  tun+   wlan+   anywhere             anywhere

Chain OUTPUT (policy ACCEPT 4 packets, 232 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     192.168.88.136       192.168.1.111
    0     0 ACCEPT     all  --  any    any     192.168.88.136       8.8.8.8
    0     0 ACCEPT     all  --  any    any     192.168.88.136       192.168.88.1
    0     0 ACCEPT     all  --  any    any     192.168.88.136       192.168.3.1
    0     0 ACCEPT     all  --  any    any     192.168.1.0/24       192.168.88.0/24
    0     0 ACCEPT     all  --  any    tun+    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    wlan+   anywhere             anywhere             match-set airvpn dst
    0     0 ACCEPT     all  --  any    tun+    anywhere             anywhere             match-set airvpn dst
-
Hello and thank you in advance for any help with this. I have never run a Tor relay before, but I would like to try to enable a "middle-man" relay through my VPN connection if it is possible. I am trying to configure the Tor "middle-man" relay using my /etc/tor/torrc file and iptables.rules file. (I have not edited the TBB torrc.) My torrc is configured like this below:

AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
SocksPort 9050
TransPort 9040
DNSPort 9053
##Tor-middleman
Nickname ************ (my secret name)
ORPort 9001
DirPort 9030
BandwidthRate 256 KB # Throttle traffic to 20KB/s
BandwidthBurst 4096 KB # But allow bursts up to 50KB/s
ExitPolicy reject *:*

and my current iptables.rules that work with AirVPN and TBB/Tor/Privoxy are:

$ iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1               icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 recent: SET name: ping_limiter side: source mask: 255.255.255.255
2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 recent: UPDATE seconds: 4 hit_count: 6 name: ping_limiter side: source mask: 255.255.255.255
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7    UDP        udp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
8    TCP        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 ctstate NEW
9    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
10   REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain TCP (1 references)
num  target     prot opt source               destination

Chain UDP (1 references)
num  target     prot opt source               destination
-----------------------------------------------------------------------------
$ iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

If there is an easy way to do this then please let me know what I should do with port forwards, iptables.rules, and torrc. Thanks.
-------------------------------------------------------------------
EDITED: I decided to edit this 'cause I added too much confusing info. So to keep things simple, I don't know if I need ports forwarded or if I just need some new iptables rules to make things work (or both). Currently my Tor Browser Bundle (TBB) works on ports 9150 and 9151 over my VPN connection and so does my Tor/Privoxy connection using Socks4a for ports 9050 and 8118. When running both Tor instances I have 6 EntryGuards to start. When I configure the "middle-man" relay in my Linux /etc/tor/torrc file I get about 20-80 more ESTABLISHED connections with the original 6 ESTABLISHED EntryGuards. But after a few minutes I only have the original 6 EntryGuards as ESTABLISHED connections when using the netstat command.
-
Hello, is it possible to use the iptables tutorial but allow two or more VPN servers? I think that this is the important line. Everything other than this destination is getting blocked by iptables. Can I just add another line like that with a different destination? I would assume that everything gets blocked then.

iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP

Thanks
-
On the page https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/ there is a guide to setting up rules for iptables to prevent any leaks if the VPN were to disconnect. There are some brief comments accompanying the commands, which is great, but I was wondering if anyone could offer a more in-depth explanation for those of us not familiar with iptables? I've been trying to decode everything through 'man iptables', but it's a little difficult. For example, how do I know that the rules don't open up access to my machine or network through the tunnel? Thanks to anyone who can help!
-
This guide shows how to set rules to prevent leaks in case of unexpected VPN disconnection and provides you with clear scripts ready to be used with basic modifications on Red Hat Enterprise Linux and RHEL rebuilds such as Oracle Linux, Scientific Linux, X/OS, CentOS etc.

THANKS TO JESSEZ - ORIGINAL POST BY JESSEZ (minor editing & clean-up by Air staff)

This method requires the ipset package:

sudo yum install ipset

RHEL 6 and rebuilds (Oracle Linux, Scientific Linux and CentOS) do not have a kmod-ipset that I could find. The ip_set module has to be loaded manually as neither netfilter, iptables nor conntrack call the module themselves. As far as I know some Linux distros do have a kmod for ip_set, so that would make usage of sysconfig/ipset.conf unnecessary and also could cause a boot-time error (fatal or not). The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses) so that there is a table to be read by the time iptables-restore runs (otherwise iptables-restore throws the error that no ipset "airvpn" exists).

So there are 3 files. The first and the second file can be found attached to this message. The last one is a system file that needs a modification.

1 /etc/sysconfig/ipset.conf

This script tests whether the ip_set module is already loaded. If not, it loads it into the kernel (modprobe).

ipset.conf.txt

2 /etc/sysconfig/ipset-airvpn.sh

This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no-one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/re-start).

After running the script use:

sudo ipset -L airvpn

to make sure all the servers you added to the script are there (it's easiest just to count the lines if you know how many servers you added in the first place). If not, change the part:

hashsize 65536

to the next larger:

hashsize 131072

(doing this obviously eats up RAM, so don't change it unless you need to) and note that the hashsize can start at 1024 and can only be a power of 2 (1024, 2048, 4096, ..., 131072...). If you're only using one or two servers and you need to save RAM, just change it down, re-run the script and issue the command sudo ipset -L airvpn again to check that all the desired servers are listed. Keep doubling the hashsize until they are. If anyone is wondering about the -exist option, it's there so that in case of accidental duplication of an IP address the script won't fail.

iptables-airvpn_2013-01-19.txt

3 /etc/init.d/iptables

This is the system file, so be careful; add 2 new lines that become line 55 and line 56:

# Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table
sh /etc/sysconfig/ipset-airvpn.sh

Ok, that should be it; iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting and trying Internet access of any and/or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no Internet before starting a VPN connection, and you will be able to connect to any of the servers you added to ipset-airvpn.sh without OpenVPN throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)).

Note: rename the attached files according to the names given above. Put the files in the appropriate folders as listed above.

Regards, jz
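An added example (not part of jessez's guide, its attachments, or any other post on this page) that ties the ipset approach of this guide to two questions earlier in the results: how to allow more than one VPN server without editing rules, and whether the leak-prevention rules open the host up through the tunnel. It only generates the `ipset restore` and `iptables-restore` input; the interface name, LAN range and server addresses are assumed placeholders, and loading the ip_set module is left to the guide's ipset.conf.

```shell
#!/bin/sh
# Added example, not taken from any post on this page. It only GENERATES the
# two files an ipset-based leak-prevention setup needs; nothing is applied:
#   gen_ipset_restore airvpn 198.51.100.10 198.51.100.11 | ipset restore -exist
#   gen_lock_rules eth0 192.168.1.0/24 airvpn | iptables-restore
# Interface name, LAN range and server IPs are assumed placeholders.

# gen_ipset_restore NAME IP...  -> commands for `ipset restore`
gen_ipset_restore() {
  name="$1"; shift
  # hashsize must be a power of two; 1024 is plenty for a few dozen servers
  echo "create $name hash:ip family inet hashsize 1024 maxelem 65536"
  for ip in "$@"; do
    echo "add $name $ip"
  done
}

# gen_lock_rules WAN_IF LAN_CIDR SET_NAME  -> ruleset for `iptables-restore`
gen_lock_rules() {
  wan_if="$1"; lan="$2"; set_name="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to flows this host opened (VPN handshake, LAN, tunnel traffic).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Local network and DHCP, on the physical interface only.
-A INPUT -i $wan_if -s $lan -j ACCEPT
-A OUTPUT -o $wan_if -d $lan -j ACCEPT
-A INPUT -i $wan_if -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $wan_if -d 255.255.255.255 -p udp --dport 67 -j ACCEPT
# The only other destinations reachable outside the tunnel are the VPN
# servers in the set, so adding a server is one "ipset add", not a new rule.
-A OUTPUT -o $wan_if -m set --match-set $set_name dst -j ACCEPT
# Anything may leave through the tunnel; nothing NEW may arrive through it
# (the ESTABLISHED,RELATED rule above already admits replies), so the lock
# does not expose listening services on this host to the VPN network.
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
EOF
}
```

Load the set before the ruleset, since `-m set` refuses to reference a set that does not exist yet; that is the ordering problem the guide solves in /etc/init.d/iptables.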