
How to block internet connection when VPN fails?

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#16 Post by M51 »

You mean get your real (ISP assigned) IP address?
Yeah, that's tricky and not likely to be useful while connected to the vpn. What are you hoping to do?

I'm glad it's working for you. I prefer the simplicity of iptables over what I see as complicated and error-prone alternatives. Trying to detect the vpn dropping and disabling the ethernet adapter or killing specific applications or connections is more complicated and provides no guarantee that a small number of packets won't get through. This does.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#17 Post by Danielorum »

I mean the IP assigned by my VPN provider.. I have just used this before to make sure that I was connected through OpenVPN. (Like a visible proof of being protected.) But I guess this isn't necessary when the iptables rules rule out the possibility of being vulnerable to the "outside" without going through the VPN first.

I have assigned 8.8.8.8 (Google's DNS) to my ethernet configuration (/etc/network/devices). This won't have any influence on the security, will it?

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#18 Post by M51 »

Then 'curl ifconfig.me' should work fine while connected to the vpn.

Using Google (or anything else) for DNS should have no impact on security. In fact, it's probably a better configuration than having your router listed because requests to your router will not be allowed by the rules. That way, if your vpn provider's DNS stops responding or is very slow, the queries can be directed to Google (via the vpn of course). :D

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#19 Post by Danielorum »

So, finally I settled for a Debian install.. Ubuntu was too confusing for me.

But the persistent package version is 0.0.20100801,
so I have to apply the rules to a file, and I was wondering if the rules should look like this:


-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --sport 67 -j ACCEPT
-h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
-A OUTPUT -o eth0 -j REJECT

Thanks a bunch.. almost done with my server setup!

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#20 Post by M51 »

You can generate the file automatically. After you have run your script to create the rules, just run iptables-save and redirect the output into whatever file the iptables-persistent script needs.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#21 Post by Danielorum »

Ahh.. as always, very helpful!

Now I'm really close to finishing up my server setup. But one little problem remains. About 3-4 hours after the iptables rules have been added, I can't access the Samba share on my server. It just isn't visible from any computer. When I restart the server without re-adding the rules, everything works perfectly again. There must be something in these rules blocking the Samba server, or something similar?

What do you think this could be? Should I post a log from some service?


Thanks again!!

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#22 Post by M51 »

Windows based file sharing, and by extension Samba, relies on a 'browser' service to locate shares on the network. This means the machine doing the sharing must make periodic announcements on the network to be visible to other machines. By locking down output, we're preventing that. The reason it works for a while is that machines cache this information for some time and exchange it with one another.

We need an additional rule to allow the server to broadcast its presence, but I'm not completely sure which port is required. All the documentation I know of lists only the inbound ports required, as locked down input is a far more common scenario than locked down output. Input is not an issue in our case as we've already opened all inbound ports for machines on the local LAN.

These are the ports typically associated with CIFS (once called SMB), Microsoft's file sharing protocol:
TCP 139
TCP 445
UDP 137
UDP 138
At least one of these ports should also be used for the browse announcements. I suspect UDP 138 is correct, but I don't use Windows sharing any longer so I can't test.

I would add the following four lines right before the line which parses the ovpn files (Disregard these - see Edit below):
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 138 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 137 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p tcp --sport 139 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p tcp --sport 445 -j ACCEPT

If the problem is resolved, I would then go back and remove lines until you narrow it down to one. Note, it is possible more than one is actually needed, but I think the chances of that are rather small. If the problem isn't resolved, we will add some logging to find out exactly what is being blocked.

Further somewhat useless musings: The browser service is not actually a part of the file sharing protocol itself. That means although you can't see the computer and shared folders when the browser service is being blocked, it should still be possible to connect to the shares if you know the correct name. Not exactly convenient, but I suppose it could be used as a sort of 'security through obscurity'.

Edit: I found some additional documentation ( http://ubiqx.org/cifs/Browsing.html) that suggests my hunch of UDP 138 is correct, except the browse announcements are sent TO udp 138, not FROM.
This means the rule added should be:
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
Note we specified --dport instead of --sport.

Let me know how it goes.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#23 Post by Danielorum »

Alright.. You sir, have done your homework.. And I just said that without blinking.. Nice work..

However... (There is always a HOWEVER isn't there?)

I just applied the rule, above the line with /etc/openvpn in it.. I don't know if it was because of the new rule.. (I doubt it) but my Raspberry Pi was refused access to the server when clicking on the server name under Samba shares.. When I think about it, it has happened before, so the new rule is not causing it. I can't rule out that the new rule has solved the issue with the hostname disappearing.. It wasn't running with the rule for so long before I restarted the server...!

And thanks for the "totally nerdy info", actually it is nice to know what is actually going on behind the monitor :)
However, some days ago, when the share name disappeared I couldn't connect to it, even if I entered its name... Just to let you know. Tomorrow I will try and run the rules without the new rule added, and see if my Raspberry gets "refused access".

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#24 Post by M51 »

If it still doesn't work, you can add logging to the rules to see what is being blocked.

Add this line just above the very last line:
/sbin/iptables -A OUTPUT -o eth0 -j LOG
Logging rules will log whenever a packet matches its criteria, but the packet will continue to be matched against later rules. This rule will log any outbound packets on eth0 that are about to be dropped by the last rule.

Once the new rule has been added to the script and run, open a terminal and run 'tail -F /var/log/syslog'
This will monitor the syslog for new entries. Wait at least 15 minutes to make sure the browsing service tries to send a broadcast. Any dropped packets should show up on the terminal. Press CTRL-C to exit when you are done monitoring.

Make a note of the protocol (TCP or UDP) and the SPT (source) and DPT (destination) port numbers. That will give us enough information to create appropriate rules.

Edit: I just noticed the original script I listed contains a small typo.

This line:
/sbin/iptables -A OUTPUT -p udp --sport 67 -j ACCEPT
should instead be
/sbin/iptables -A OUTPUT -p udp --sport 68 -j ACCEPT

The wrong port number means the machine can't renew its IP address via DHCP. If you have a DHCP reservation for your server it will have no impact since the machine will continue using its current address if it can't renew as long as no other machine takes it.

An even better version of the rule would be:
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
This is a little more restrictive than the one above, and matches what I have in use.
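A way to turn the output of the LOG rule above into the protocol / port summary M51 asks for, written as an added example rather than code from the thread. It assumes the standard netfilter LOG line layout shown in this thread (KEY=VALUE tokens after "kernel:"), buckets source ports of 1024 and above as "high" so that packets from random ephemeral ports collapse into one row, and labels destination ports with a small lookup table of my own; SAMPLE_LOG is constructed in the thread's log format for the demonstration.

```shell
#!/bin/sh
# Added example: summarise what the "-j LOG" rule reports, so the
# protocol / destination / port combinations that were about to be rejected
# can be read at a glance. Assumes the netfilter LOG line layout shown in the
# thread (KEY=VALUE tokens after "kernel:"). Source ports >= 1024 are bucketed
# as "high". The service labels are my own lookup table.

# Read syslog text on stdin, print one row per combination:
#   count PROTO DST SPT DPT label     (most frequent first)
summarize_blocked() {
    awk '
        function label(proto, dpt) {
            if (proto == "2")   return "igmp"
            if (dpt == "53")    return "dns"
            if (dpt == "67")    return "dhcp"
            if (dpt == "137")   return "netbios-ns"
            if (dpt == "138")   return "netbios-dgm"
            if (dpt == "139" || dpt == "445") return "smb"
            if (dpt == "1900")  return "ssdp-upnp"
            if (dpt == "5351")  return "nat-pmp"
            if (dpt == "5353")  return "mdns"
            return "other"
        }
        # Only kernel LOG lines for packets leaving an interface (OUT=<if>)
        /kernel:/ && / OUT=[^ ]/ {
            proto = ""; dst = ""; spt = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DST=/)   dst   = substr($i, 5)
                else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto == "") next
            # Ephemeral source ports carry no information; collapse them
            if (spt + 0 >= 1024) spt = "high"
            count[proto " " dst " " spt " " dpt " " label(proto, dpt)]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample in the thread's log format (not a real capture): three
# NetBIOS name broadcasts, two DNS queries from different ephemeral ports,
# one SSDP multicast, one IGMP report, one TCP SYN, and one cron line that
# must be ignored because it is not a kernel LOG entry.
SAMPLE_LOG='Nov 22 16:06:07 nas kernel: [ 1847.013211] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:09:01 nas /USR/SBIN/CRON[4314]: (root) CMD (run-parts /etc/cron.hourly)
Nov 22 16:11:15 nas kernel: [ 2154.940496] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:15:47 nas kernel: [ 2427.587502] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:15:56 nas kernel: [ 2436.676571] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:16:15 nas kernel: [ 2455.216689] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:17:38 nas kernel: [ 2538.570793] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46641 DF PROTO=TCP SPT=60244 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 24 12:30:50 nas kernel: [  120.347867] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=59693 DPT=53 LEN=40
Jan 24 12:30:50 nas kernel: [  120.347894] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=51779 DPT=53 LEN=40'

# Demo on the constructed sample. After the real 15 minute capture you would
# run:  grep 'kernel:' /var/log/syslog | summarize_blocked
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

On the sample this prints the NetBIOS 137 broadcasts as the top row, which is exactly the signal that tells you which ACCEPT rule is still missing; multicast, SSDP and the DNS queries show up as separate rows and can be judged on their own rather than being allowed wholesale.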

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#25 Post by Danielorum »

Sure enough, the access to the samba server is blocked, but still visible. Right now my script looks like this:

#!/bin/sh
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j LOG
/sbin/iptables -A OUTPUT -o eth0 -j REJECT


And the output, from: "tail -F /var/log/syslog" when filtering the SPT - DPT and TCP and UDP outputs:

Nov 22 15:54:10 openmediavault kernel: [ 1130.756419] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:55:17 openmediavault kernel: [ 1197.524105] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:55:38 openmediavault kernel: [ 1218.582672] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 15:55:42 openmediavault kernel: [ 1222.580239] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46641 DF PROTO=TCP SPT=60244 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:55:45 openmediavault kernel: [ 1225.580601] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46642 DF PROTO=TCP SPT=60244 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:55:45 openmediavault kernel: [ 1225.580798] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7994 DF PROTO=TCP SPT=60255 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:55:48 openmediavault kernel: [ 1228.580102] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7995 DF PROTO=TCP SPT=60255 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:56:07 openmediavault kernel: [ 1247.094359] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 15:57:10 openmediavault kernel: [ 1310.020561] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:57:26 openmediavault kernel: [ 1326.076124] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:59:28 openmediavault kernel: [ 1448.712577] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:00:01 openmediavault /USR/SBIN/CRON[3698]: (root) CMD (/usr/sbin/omv-mkgraph >/dev/null 2>&1)
Nov 22 16:01:07 openmediavault kernel: [ 1547.355216] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:03:25 openmediavault kernel: [ 1685.848098] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:03:35 openmediavault kernel: [ 1695.840564] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:06:07 openmediavault kernel: [ 1847.013211] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:06:22 openmediavault kernel: [ 1862.552104] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:09:01 openmediavault /USR/SBIN/CRON[4314]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)
Nov 22 16:09:36 openmediavault kernel: [ 2055.940097] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:11:15 openmediavault kernel: [ 2154.940496] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:15:01 openmediavault /USR/SBIN/CRON[4709]: (root) CMD (/usr/sbin/omv-mkgraph >/dev/null 2>&1)
Nov 22 16:15:47 openmediavault kernel: [ 2427.587502] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:15:48 openmediavault kernel: [ 2428.585561] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:15:53 openmediavault kernel: [ 2433.583759] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:15:56 openmediavault kernel: [ 2436.676571] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:15:58 openmediavault kernel: [ 2438.578138] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:16:03 openmediavault kernel: [ 2443.569787] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:16:14 openmediavault kernel: [ 2454.820572] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:16:15 openmediavault kernel: [ 2455.216689] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:16:16 openmediavault kernel: [ 2456.180113] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:17:01 openmediavault /USR/SBIN/CRON[4873]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov 22 16:17:38 openmediavault kernel: [ 2538.570793] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5351 DPT=5351 LEN=20
Nov 22 16:17:38 openmediavault kernel: [ 2538.570846] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5351 DPT=5351 LEN=10
I have made a paste here: http://pastebin.com/Esf3CAY1 if it's easier to read

Actually this was most of the output from the 15 minutes of logging. Hope it's okay, I didn't want to leave anything out that could be important.

A line which caught my eye was this, from the log:

Nov 22 15:47:30 openmediavault ovpn-vpn_servicename[1859]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Nov 22 15:47:30 openmediavault ovpn-vpn_servicename[1859]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)

Should I be worried about this? I removed my VPN provider's name and inserted vpn_servicename instead...!

EDIT:

Are all ports through the VPN open? I was just wondering, because of the odd port number I have picked in my torrent application.

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#26 Post by M51 »

Looks like you need to add a rule for UDP 137 as well. Just put it either above or below the one for UDP 138 and make it identical with the exception of the port number.

The other rows are related to either Multicast traffic (likely caused by having UPNP enabled) or bit torrent traffic. Those could be caused by the vpn going down and I would not add rules to allow them.

The message you mentioned also looks like something you might see if the vpn dropped. It could be caused by other things though. I wouldn't worry about it unless your vpn isn't working.

As for the ports being open through the vpn: Yes and no. The script will allow any outbound traffic over the vpn, but will only allow inbound traffic if your machine initiated the communication. This provides some firewall capability to protect your machine's services from potential hostiles on the vpn itself, but means a bittorrent client will see you as firewalled, meaning a sometimes slower connection. If this is a problem, you can add another rule allowing inbound traffic on whatever port you have your bittorrent software set to use. In my experience it makes no difference, because most (all?) anonymous VPNs NAT your connection anyway and do not open ports dynamically, meaning even if you open the port at your server, the vpn provider likely won't.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#27 Post by Danielorum »

Okay, I'm pleased to inform you that after 24 hours, the connection to the Samba share remains active.. So it seems that the problem has been solved by adding the rule for UDP 137. So YAY!!

About the inbound port for the bittorrent client, it's a must that I can become "connectable" with my connection. My VPN provider offers the possibility to open individual ports. I can see that now and then I become connectable.. why, I don't really understand.. I also tried opening the port in my router but I was told that the client (my server's IP address) denied this because of iptables.. of course I can't do that if iptables has closed off this port.

So, how do I write a rule allowing inbound traffic on a specific port, on only my server's IP address? And would you think I need to open the port in my router as well?

How can it be that I am connectable sometimes... but most of the time I'm not? I would think that I would be either connectable or not connectable?

How vulnerable to the outside would I be, if this port was opened?

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#28 Post by M51 »

Add these two rules. Just place them with the other input rules. The order won't make any real difference here.

/sbin/iptables -A INPUT -p tcp --dport xxx -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport xxx -j ACCEPT

Where xxx = the port your torrent software is configured to use.

Most torrent client documentation seems vague regarding the need for both tcp and udp ports being opened. A lot of places on the net say to use both. I've never bothered to test if they're both actually needed.

Because the incoming torrent traffic is on the vpn, opening ports in your router will not help (in fact there's a good reason for leaving them closed...bear with me a bit). The traffic is being tunneled through the encrypted connection to the vpn server and the router can't read it. Now, the rules above don't specify an adapter, so technically your machine will also accept torrent traffic over the unencrypted lan connection, which we do not want. However this isn't typically a problem, as 1) your machine can't send any torrent traffic outbound unless a connection was already established, and 2) your router prevents incoming connections because we did not open a port on the router. If you are feeling especially paranoid, you can add '-o tun0' to the rules above to restrict incoming torrent traffic to the vpn.

What vpn provider allows dynamic port opening? If you don't mind me asking. :)

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#29 Post by Danielorum »

It did the trick.. I am now connectable..! :)

But I couldn't figure out where I put the "-o tun0"

I did it like this:

/sbin/iptables -A INPUT -o tun0 -p tcp --dport xxx -j ACCEPT

But iptables tells me that it's wrong...!
Please don't laugh..!
Last edited by Danielorum on 2013-11-24 16:42, edited 1 time in total.

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#30 Post by M51 »

My bad. You put it in the right place, but it should be '-i tun0'. '-o' is only used for OUTPUT rules.
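Collecting the rules the thread settles on between posts #19 and #30 (the LAN and DHCP exceptions, UDP 137/138 for the Samba browse announcements, the VPN endpoints, the inbound torrent port on the tunnel with '-i', and the LOG before the final REJECT) into a generator for the iptables-restore format file that iptables-persistent loads. This is an added example, not the thread's own script: it assumes the same layout as the thread (LAN 192.168.1.0/24 on eth0, the tunnel on tun0, OpenVPN client configs in /etc/openvpn/*.ovpn, an optional torrent listen port), and the environment variable names, the "vpn-kill: " log prefix and the function names are mine.

```shell
#!/bin/sh
# Added example: emit an iptables-restore style rules file (the format
# iptables-persistent loads from /etc/iptables/rules) for the VPN kill
# switch discussed in the thread. Assumptions, all overridable through the
# environment: LAN 192.168.1.0/24 on eth0, VPN tunnel on tun0, OpenVPN
# client configs in /etc/openvpn/*.ovpn, optional TORRENT_PORT for inbound
# peers over the tunnel. Variable and function names are mine.

# Print one line verbatim (keeps leading '-' and '[..]' safe from printf/glob).
rule() { printf '%s\n' "$*"; }

# VPN endpoints named on 'remote' lines, one per line, deduplicated. Same idea
# as the thread's grep|cut|sort pipeline, but awk also copes with
# 'remote host port proto' and tab separators.
vpn_remotes() {
    cat "${OVPN_DIR:-/etc/openvpn}"/*.ovpn 2>/dev/null \
        | awk '$1 == "remote" && NF >= 2 { print $2 }' \
        | sort -u
}

# Write the complete filter table to stdout.
emit_rules() {
    lan_net="${LAN_NET:-192.168.1.0/24}"
    lan_if="${LAN_IF:-eth0}"
    vpn_if="${VPN_IF:-tun0}"
    torrent_port="${TORRENT_PORT:-}"

    rule '*filter'
    rule ':INPUT DROP [0:0]'        # default-deny inbound
    rule ':FORWARD ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'     # outbound via the LAN is closed by the final REJECT

    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A INPUT -i "$lan_if" -s "$lan_net" -j ACCEPT
    if [ -n "$torrent_port" ]; then
        # Inbound peers only through the tunnel: INPUT rules take -i, not -o
        rule -A INPUT -i "$vpn_if" -p tcp --dport "$torrent_port" -j ACCEPT
        rule -A INPUT -i "$vpn_if" -p udp --dport "$torrent_port" -j ACCEPT
    fi

    rule -A OUTPUT -o "$lan_if" -d "$lan_net" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DHCP renewal: client port 68 to the server's port 67
    rule -A OUTPUT -o "$lan_if" -d "$lan_net" -p udp --sport 68 --dport 67 -j ACCEPT
    # NetBIOS name service (137) and datagram / browse announcements (138)
    for port in 137 138; do
        rule -A OUTPUT -o "$lan_if" -d "$lan_net" -p udp --dport "$port" -j ACCEPT
    done
    # The VPN endpoints themselves must stay reachable on the physical interface
    vpn_remotes | while read -r endpoint; do
        rule -A OUTPUT -d "$endpoint" -j ACCEPT
    done
    # Log, then reject, anything else that tries to leave via the LAN interface
    rule -A OUTPUT -o "$lan_if" -j LOG --log-prefix '"vpn-kill: "'
    rule -A OUTPUT -o "$lan_if" -j REJECT
    rule COMMIT
}

# Usage (as root):
#   emit_rules > /etc/iptables/rules && iptables-restore < /etc/iptables/rules
```

Two caveats worth knowing when using a generated file instead of iptables-save as in post #20: iptables-save writes the resolved addresses of the VPN endpoints, whereas this generator copies whatever the 'remote' lines say, so hostnames there are resolved by iptables-restore at load time; and the DHCP rule matches only unicast renewals to the LAN, not an initial broadcast lease request to 255.255.255.255, which is why a DHCP reservation (as M51 notes) keeps the machine reachable.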

korilius
Posts: 422
Joined: 2012-04-10 00:53
Location: US/IN
Has thanked: 3 times

Re: How to block internet connection when VPN fails?

#31 Post by korilius »

Nice thread. I understand routing but never had the need to do it on Debian; good stuff.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#32 Post by Danielorum »

Hello again!

Remember me? :)

Well, I finally figured out how to write the iptables rules into the persistent package. However, I experience that in- and outgoing internet traffic gets blocked when I start the persistent package, or reboot the server. I do this:

I load the script as always:

./script.sh

I then do:

iptables-save > /etc/iptables/rules

and the rules are written into /etc/iptables/rules

The file looks like this:

# Generated by iptables-save v1.4.8 on Thu Jan 23 16:31:13 2014
*filter
:INPUT DROP [62:3471]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [354:36362]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT 
-A INPUT -i tun0 -p tcp -m tcp --dport 11633 -j ACCEPT 
-A INPUT -i tun0 -p udp -m udp --dport 11633 -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p udp -m udp --dport 138 -j ACCEPT 
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p udp -m udp --dport 137 -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -d xx.xx.xx.xx/xx -j ACCEPT 
-A OUTPUT -o eth0 -j LOG 
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Thu Jan 23 16:31:13 2014
If I reboot or do:

service iptables.persistent start

I get no connection to the outside. I can still access my server through the LAN connection.

When I do:

curl ifconfig.me

I get this:

curl: (6) Couldn't resolve host 'ifconfig.me'

If I clear out the rules and reboot, everything is working fine again. Also if I run the "script.sh" with the rules it works as it has always done.
The "rules" file has octal mode 0644.

What do you make of this?

Thanks a bunch once more! :)

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#33 Post by M51 »

Do you mean you can't establish a vpn connection, or can't access anything after a vpn connection is made?

What's being blocked according to the log?

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#34 Post by Danielorum »

I mean that I can't access anything on the outside of my network when the rules have been applied to the persistent package and started. This happens both when the VPN service is running and when I have shut it down. I did this:

/etc/init.d/openvpn stop

and reset the network card, but still I can't get internet access. It seems like the persistent package somehow blocks access...

This command:

tail -F /var/log/syslog

gave me this output:

Jan 24 12:30:50 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:30:50 openmediavault kernel: [  120.347867] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=59693 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347894] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=51779 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347919] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=36195 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347950] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=33922 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347974] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=51281 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.347997] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=UDP SPT=50715 DPT=53 LEN=40
Jan 24 12:30:50 openmediavault kernel: [  120.348045] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20623 DF PROTO=UDP SPT=37967 DPT=53 LEN=40
Jan 24 12:30:55 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:30:55 openmediavault kernel: [  125.348509] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=47752 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348566] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=34005 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348591] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=46351 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348615] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=48185 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348645] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=51412 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348673] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=50740 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348697] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=43808 DPT=53 LEN=40
Jan 24 12:30:55 openmediavault kernel: [  125.348720] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21873 DF PROTO=UDP SPT=59430 DPT=53 LEN=40
Jan 24 12:31:00 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:31:00 openmediavault kernel: [  130.349109] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=58696 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349165] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=54109 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349190] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=38870 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349214] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=57717 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349245] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=56399 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349268] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=52345 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349292] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=51690 DPT=53 LEN=40
Jan 24 12:31:00 openmediavault kernel: [  130.349316] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23123 DF PROTO=UDP SPT=48422 DPT=53 LEN=40
Jan 24 12:31:05 my-vpn-service[1895]: RESOLVE: Cannot resolve host address: my-vpn-service.com: [HOST_NOT_FOUND] The specified host is unknown.
Jan 24 12:31:05 openmediavault kernel: [  135.349712] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=58964 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349771] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=44290 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349798] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=51494 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349823] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=60726 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349854] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=36489 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349878] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=55027 DPT=53 LEN=40
Jan 24 12:31:05 openmediavault kernel: [  135.349902] IN= OUT=eth0 SRC=192.168.1.52 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24373 DF PROTO=UDP SPT=60233 DPT=53 LEN=40
So this goes on and on.

I hope this answers your question...else please let me know!

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#35 Post by M51 »

The log indicates outbound DNS queries are being blocked. The rules we put together are specifically designed to do just that, to prevent DNS leaks when the vpn drops. The rules will block all non-vpn outbound access except what we specifically allowed.

If you really need to access the outside world from that machine while not connected to a vpn, then you need to run iptables -F to flush the rules. All access will be restored until you either reboot or re-run the rules script.
