Jump to content
Not connected, Your IP: 35.173.233.176

Recommended Posts

Hello,
 
can someone explain how the iptables need to be changed for me in order to get the desired network lock working?

 

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:f0:ea:1a
          inet addr:10.0.3.226  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fef0:ea1a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14427656 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9119526 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20539458438 (20.5 GB)  TX bytes:2946926836 (2.9 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:510367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:510367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:109371859 (109.3 MB)  TX bytes:109371859 (109.3 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.7.67  P-t-P:10.4.7.67  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:965 (965.0   TX bytes:2086 (2.0 KB)

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.4.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.3.1        0.0.0.0         UG    0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.4.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
128.0.0.0       10.4.0.1        128.0.0.0       UG    0      0        0 tun0
178.162.198.103 10.0.3.1        255.255.255.255 UGH   0      0        0 eth0

From https://airvpn.org/faq/software_lock/:

# Flush
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Flush V6
ip6tables -F
ip6tables -t nat -F
ip6tables -t mangle -F

# Local
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Local V6
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT

# Make sure that you can communicate within your own network if Private Network option is enabled
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
iptables -A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT

# Allow incoming pings if Ping option is enabled
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Block All
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

# Block All V6
ip6tables -A OUTPUT -j DROP
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP

Share this post


Link to post

First of all, I think it's better to avoid the term "kill switch" as it describes a (bad) idea that's completely different from a firewall setup such as AirVPN's network lock feature.

Now to address your question, please clarify what you are trying to do:

  • a. use the AirVPN client and its network lock feature
  • b. don't use the client (instead, connect through NetworkManager, or use openvpn directly) and configure iptables yourself, in a way that resembles AirVPN's network lock feature

In case of option a, you don't need to touch iptables yourself! The AirVPN ("Eddie") client will do that each time you run it. If you want to use Eddie, there's no need at all to read the rest of my answer.

In case of option b, your iptables rules must contain the following:

  1. a general rule set (allow local traffic, allow tunnel forwarding, block traffic by default, ...)
  2. exceptions for all of the VPN servers you want to connect to

The rules you quoted from Air's website would serve just fine as your general rule set. Now you only need to manually create exceptions for the servers' entry IPs.

There are two ways to get a hold of these entry IPs:

  • DNS lookup, very convenient, as explained by AirVPN staff here
  • use the Config Generator, tick all the servers you want to use, enable both "Advanced Mode" and "Resolved hosts in .ovpn file", then check the config file for the "remote " IPs

Here's an example: Let's pretend you wanted to use the servers Nihal, Pavonis and Rastaban. You would issue the following commands to get the entry IPs
 

dig +short nihal.airvpn.org
dig +short pavonis.airvpn.org
dig +short rastaban.airvpn.org

to get back the following IPs

 

46.182.35.14
149.255.33.154
62.102.148.135

You would then create iptables rules to allow outgoing connections to these IPs:
 

iptables -A OUTPUT -d 46.182.35.14 -j ACCEPT
iptables -A OUTPUT -d 149.255.33.154 -j ACCEPT
iptables -A OUTPUT -d 62.102.148.135 -j ACCEPT

That's basically it.

If you decide to roll your own firewall configuration, be sure to test it properly! It's usually better to use Eddie's network lock. The biggest difference (and reason why some people prefer their own setup over Eddie): Eddie's network lock gets activated when you launch the program (and deactivated when you quit the program) whereas your own iptables configuration would be activated as part of your system's boot process.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...