More detailed explanation of iptables configuration for preventing leaks when connection drops

[ourvpn 0]

On the page https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/ there is a guide to setting up rules for iptables to prevent any leaks if the VPN were to disconnect. There are some brief comments accompanying the commands, which is great, but I was wondering if anyone could offer a more in-depth explanation for those of us not familiar with iptables? I've been trying to decode everything through 'man iptables', but it's a little difficult.

 

For example, how do I know that the rules don't open up access to my machine or network through the tunnel?

 

Thanks to anyone who can help! 

 

[OpenSourcerer 1359]

iptables is extremely powerful, making it extremely complicated. manpages won't tell you much as they explain the parameters you can use.

​

​First of all: Look at how IP packets are handled using iptables (especially #6). Now let's say, you want to decode this one:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

We call iptables with parameters t (table), A (Append), o (output interface) and j (job). Note that parameters s(ource), d(estination), i(nput interface), o(utput interface) and p(rotocol) will always be set to ANY if you don't set them manually.

• ​-t: Use table nat; that's the table giving you the power to "redirect" packages. The other existing table is filter.
• ​-o: The output interface is tun0 since all traffic is going to be routed through the tunnel interface tun0 created by OpenVPN. Setting it to wlan0 for example will route all traffic through wlan0 (which is not logical at all )
• ​-j: The job, the "task" to do: What should be done with the packets matching the characteristics a packet has to have?
• ​-A: Imagine every packet going through "checkpoints" where it's checked whether a packet is authorised to pass or not ("filter") or where something is being done with the packet ("nat"). Yes, really, imagine the checkpoints are ID control entities. Every entity pays attention to one certain property of ID cards. Let's say, they let everyone pass if their birthday is in December, all the others are "filtered". Or imagine they redirect every passing human to a taxi number ("nat"). In this case let's say that there are two taxis: One will bring you to coolhotel.com, driving through ISP internet street, another will bring you to coolhotel.com driving through VPN street, dimming all the windows while driving through ISP street.  Same with packets.
  With -A you tell an entity to tell all passing humans to use taxi B which will drive through VPN street (and dim the windows while driving through ISP street).
  Now, the ID controlling entities are your chain rules, and the humans are the packets.
  Other options instead of A(ppend) are D(elete) and I(nsert).
• There are six chains you can append rules to. MASQUERADEing all traffic is only useful in the last chain, the POSTROUTING chain, that's what you need to know for decoding the above thing.

​Always remember: You didn't set the s parameter! This is set to ANY if not set manually. Setting it masquerades only the traffic from the set IP.#

​

Trivial info: You can't use i(nput interface) and d(estination) parameters in the POSTROUTING chain; you also can't use o(utput interface) and s(ource) in the PREROUTING chain. They would be needless, and you will understand why if you refer to how IP packets are handled with iptables.

​

DECODE:
 

​iptables "redirects" (NAT) the traffic of all protocols (p = ANY) coming from ALL interfaces (i = ANY) and from ALL sources (s = ANY) (which is: ALL traffic) to output interface tun0 (o = tun0) and to ALL destinations (d = ANY), MASQUERADEing it (j = MASQUERADE).

​

​Maybe this helps a bit to understand the mechanics.