How to block internet connection when VPN fails?


Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-13 18:35

You mean get your real (ISP assigned) IP address?
Yeah, that's tricky and not likely to be useful while connected to the vpn. What are you hoping to do?

I'm glad it's working for you. I prefer the simplicity of iptables over what I see as complicated and error-prone alternatives. Trying to detect the vpn dropping and disabling the ethernet adapter or killing specific applications or connections is more complicated and provides no guarantee that a small number of packets won't get through. This does.
M51
 
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2013-11-15 01:30

I mean the IP assigned by my VPN provider. I have just used this before to make sure that I was connected through OpenVPN (like a visible proof of being protected). But I guess this isn't necessary when the iptables rules rule out the possibility of being vulnerable to the "outside" without going through the VPN first.

I have assigned 8.8.8.8 (Google's DNS) to my ethernet configuration (/etc/network/devices). This won't have any influence on the security, will it?
Danielorum
 
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-15 02:53

Then 'curl ifconfig.me' should work fine while connected to the vpn.

Using Google (or anything else) for DNS should have no impact on security. In fact, it's probably a better configuration than having your router listed because requests to your router will not be allowed by the rules. That way, if your vpn provider's DNS stops responding or is very slow, the queries can be directed to Google (via the vpn of course). :D

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2013-11-19 03:48

So, finally I settled for a Debian install. Ubuntu was too confusing for me.

But the iptables-persistent package version is 0.0.20100801,
so I have to apply the rules to a file, and I was wondering if the rules should look like this:


# Draft of the rules file for iptables-persistent: the lines the script would
# otherwise pass to /sbin/iptables, with the command prefix removed.
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --sport 67 -j ACCEPT
# The next line is a shell pipeline copied from the script, not a rule; a rules
# file in iptables-restore format can only hold the addresses it produces, and
# it also expects a *filter header, :CHAIN POLICY lines instead of -P, and COMMIT.
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
-A OUTPUT -o eth0 -j REJECT

Thanks a bunch.. almost done with my server, setup!

Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-19 15:36

You can generate the file automatically. After you have run your script to create the rules, just run iptables-save and redirect the output into whatever file the iptables-persistent script needs.

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2013-11-20 21:27

Ahh.. as always, very helpful!

Now I'm really close to finishing up my server setup. But one little problem remains. About 3-4 hours after the iptables rules have been added, I can't access the samba share on my server. It just isn't visible from any computer. When I restart the server without re-adding the rules, everything works perfectly again. There must be something in these rules blocking the samba server, or something similar?

What do you think this could be? Should I post a log from some service?


Thanks again!!

Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-21 01:11

Windows based file sharing, and by extension Samba, relies on a 'browser' service to locate shares on the network. This means the machine doing the sharing must make periodic announcements on the network to be visible to other machines. By locking down output, we're preventing that. The reason it works for a while is that machines cache this information for some time and exchange it with one another.

We need an additional rule to allow the server to broadcast its presence, but I'm not completely sure which port is required. All the documentation I know of lists only the inbound ports required, as locked down input is a far more common scenario than locked down output. Input is not an issue in our case as we've already opened all inbound ports for machines on the local lan.

These are the ports typically associated with CIFS (once called SMB), Microsoft's file sharing protocol:
TCP 139
TCP 445
UDP 137
UDP 138
At least one of these ports should also be used for the browse announcements. I suspect UDP 138 is correct, but I don't use Windows sharing any longer so I can't test.

I would add the following four lines right before the line which parses the ovpn files (Disregard these - see Edit below):
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 138 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 137 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p tcp --sport 139 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p tcp --sport 445 -j ACCEPT

If the problem is resolved, I would then go back and remove lines until you narrow it down to one. Note, it is possible more than one is actually needed, but I think the chances of that are rather small. If the problem isn't resolved, we will add some logging to find out exactly what is being blocked.

Further somewhat useless musings: The browser service is not actually a part of the file sharing protocol itself. That means although you can't see the computer and shared folders when the browser service is being blocked, it should still be possible to connect to the shares if you know the correct name. Not exactly convenient, but I suppose it could be used as a sort of 'security through obscurity'.

Edit: I found some additional documentation (http://ubiqx.org/cifs/Browsing.html) that suggests my hunch of UDP 138 is correct, except the browse announcements are sent TO udp 138, not FROM.
This means the rule added should be:
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
Note we specified --dport instead of --sport.

Let me know how it goes.

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2013-11-21 22:19

Alright. You, sir, have done your homework, and I just said that without blinking. Nice work.

However... (There is always a HOWEVER, isn't there?)

I just applied the rule, above the line with /etc/openvpn in it. I don't know if it was because of the new rule (I doubt it), but my Raspberry Pi was refused access to the server when clicking on the server name under samba shares. When I think about it, it has happened before, so the new rule is not causing it. I can't rule out that the new rule has solved the issue with the hostname disappearing; it wasn't running with the rule for so long before I restarted the server!

And thanks for the "totally nerdy info"; actually it is nice to know what is actually going on behind the monitor :)
However, some days ago, when the share name disappeared I couldn't connect to it, even if I entered its name. Just to let you know. Tomorrow I will try and run the rules without the new rule added, and see if my Raspberry gets "refused access".

Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-21 23:39

If it still doesn't work, you can add logging to the rules to see what is being blocked.

Add this line just above the very last line:
/sbin/iptables -A OUTPUT -o eth0 -j LOG
A logging rule will log whenever a packet matches its criteria, but the packet will continue to be matched against later rules. This rule will log any outbound packets on eth0 that are about to be dropped by the last rule.

Once the new rule has been added to the script and run, open a terminal and run 'tail -F /var/log/syslog'
This will monitor the syslog for new entries. Wait at least 15 minutes to make sure the browsing service tries to send a broadcast. Any dropped packets should show up on the terminal. Press CTRL-C to exit when you are done monitoring.

Make a note of the protocol (TCP or UDP) and the SPT (source) and DPT (destination) port numbers. That will give us enough information to create appropriate rules.

Edit: I just noticed the original script I listed contains a small typo.

This line:
/sbin/iptables -A OUTPUT -p udp --sport 67 -j ACCEPT
should instead be
/sbin/iptables -A OUTPUT -p udp --sport 68 -j ACCEPT

The wrong port number means the machine can't renew its IP address via DHCP. If you have a DHCP reservation for your server it will have no impact since the machine will continue using its current address if it can't renew as long as no other machine takes it.

An even better version of the rule would be:
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
This is a little more restrictive than the one above, and matches what I have in use.

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2013-11-22 19:48

Sure enough, access to the samba server is blocked, but it is still visible. Right now my script looks like this:

#!/bin/sh
# Flush both chains first so re-running the script does not append duplicate rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
# Default-deny inbound; loopback and replies to our own connections are allowed
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything from the LAN may come in
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# Outbound on eth0: replies to the LAN, DHCP renewal, NetBIOS browse announcements
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
# Allow the VPN endpoints named on the 'remote' lines of the .ovpn files
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
# Log, then reject, everything else leaving eth0
/sbin/iptables -A OUTPUT -o eth0 -j LOG
/sbin/iptables -A OUTPUT -o eth0 -j REJECT


And the output from "tail -F /var/log/syslog", when filtering for the SPT/DPT and TCP and UDP entries:

Nov 22 15:54:10 openmediavault kernel: [ 1130.756419] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:55:17 openmediavault kernel: [ 1197.524105] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:55:38 openmediavault kernel: [ 1218.582672] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 15:55:42 openmediavault kernel: [ 1222.580239] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46641 DF PROTO=TCP SPT=60244 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:55:45 openmediavault kernel: [ 1225.580601] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46642 DF PROTO=TCP SPT=60244 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:55:45 openmediavault kernel: [ 1225.580798] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7994 DF PROTO=TCP SPT=60255 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:55:48 openmediavault kernel: [ 1228.580102] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7995 DF PROTO=TCP SPT=60255 DPT=49153 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 22 15:56:07 openmediavault kernel: [ 1247.094359] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 15:57:10 openmediavault kernel: [ 1310.020561] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:57:26 openmediavault kernel: [ 1326.076124] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 15:59:28 openmediavault kernel: [ 1448.712577] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:00:01 openmediavault /USR/SBIN/CRON[3698]: (root) CMD (/usr/sbin/omv-mkgraph >/dev/null 2>&1)
Nov 22 16:01:07 openmediavault kernel: [ 1547.355216] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:03:25 openmediavault kernel: [ 1685.848098] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:03:35 openmediavault kernel: [ 1695.840564] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:06:07 openmediavault kernel: [ 1847.013211] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:06:22 openmediavault kernel: [ 1862.552104] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:09:01 openmediavault /USR/SBIN/CRON[4314]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)
Nov 22 16:09:36 openmediavault kernel: [ 2055.940097] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:11:15 openmediavault kernel: [ 2154.940496] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:15:01 openmediavault /USR/SBIN/CRON[4709]: (root) CMD (/usr/sbin/omv-mkgraph >/dev/null 2>&1)
Nov 22 16:15:47 openmediavault kernel: [ 2427.587502] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:15:48 openmediavault kernel: [ 2428.585561] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:15:53 openmediavault kernel: [ 2433.583759] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:15:56 openmediavault kernel: [ 2436.676571] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.22 LEN=48 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:15:58 openmediavault kernel: [ 2438.578138] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:16:03 openmediavault kernel: [ 2443.569787] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=126 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=38148 DPT=1900 LEN=106
Nov 22 16:16:14 openmediavault kernel: [ 2454.820572] IN= OUT=eth0 SRC=192.168.1.52 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:16:15 openmediavault kernel: [ 2455.216689] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 22 16:16:16 openmediavault kernel: [ 2456.180113] IN= OUT=eth0 SRC=192.168.1.52 DST=239.255.255.250 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 22 16:17:01 openmediavault /USR/SBIN/CRON[4873]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov 22 16:17:38 openmediavault kernel: [ 2538.570793] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5351 DPT=5351 LEN=20
Nov 22 16:17:38 openmediavault kernel: [ 2538.570846] IN= OUT=eth0 SRC=192.168.1.52 DST=192.168.1.1 LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5351 DPT=5351 LEN=10


I have made a paste here: http://pastebin.com/Esf3CAY1 if it's easier to read.

Actually this was most of the output from the 15 minutes of logging. Hope it's okay; I didn't want to leave anything out that could be important.

A line which caught my eye was this, from the log:

Nov 22 15:47:30 openmediavault ovpn-vpn_servicename[1859]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Nov 22 15:47:30 openmediavault ovpn-vpn_servicename[1859]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)

Should I be worried about this? I removed my VPN provider's name and inserted vpn_servicename instead!

EDIT:

Are all ports through the VPN open? I was just wondering, because of the odd port number I have picked in my torrent application.

Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-22 21:13

Looks like you need to add a rule for UDP 137 as well. Just put it either above or below the one for UDP 138 and make it identical with the exception of the port number.

The other rows are related to either Multicast traffic (likely caused by having UPNP enabled) or bit torrent traffic. Those could be caused by the vpn going down and I would not add rules to allow them.

The message you mentioned also looks like something you might see if the vpn dropped. It could be caused by other things though. I wouldn't worry about it unless your vpn isn't working.

As for the ports being open through the vpn: Yes and no. The script will allow any outbound traffic over the vpn, but will only allow inbound traffic if your machine initiated the communication. This provides some firewall capability to protect your machine's services from potential hostiles on the vpn itself, but means a bittorrent client will see you as firewalled, meaning a sometimes slower connection. If this is a problem, you can add another rule allowing inbound traffic on whatever port you have your bittorrent software set to use. In my experience it makes no difference, because most (all?) anonymous vpn's NAT your connection anyway and do not open ports dynamically, meaning even if you open the port at your server, the vpn provider likely won't.
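The triage M51 does by eye above can be done over the whole 15 minutes of LOG output at once. The function below is an added example, not code from either poster: it parses the kernel's KEY=VALUE log lines out of syslog and counts distinct blocked flows by destination class, protocol, destination and port. Multicast (224.0.0.0/4) and broadcast destinations are reported separately from unicast ones, which is exactly the split that matters here: the IGMP membership reports, the SSDP packets to 239.255.255.250:1900 and the TCP connections to the router can stay blocked, while the UDP 137 broadcasts to 192.168.1.255 are the ones that need a rule. It assumes the standard LOG line format shown in the post above and a /24 LAN for the broadcast check; the sample lines used to exercise it are copied from that post.

```shell
#!/bin/sh
# Summarize netfilter LOG lines into distinct blocked flows. Added example,
# not from the thread; expects the kernel's KEY=VALUE log format as shown in
# the post above and reads the syslog files named on the command line.
summarize_blocked() {
    awk '
    # Only kernel LOG lines carry OUT= together with SRC=/DST= fields
    /OUT=/ && /SRC=/ && /DST=/ {
        proto = "?"; dst = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (dst == "") next
        split(dst, o, ".")
        if (o[1] >= 224 && o[1] <= 239) kind = "multicast"
        else if (o[4] == 255)            kind = "broadcast"   # assumes a /24 LAN
        else                             kind = "unicast"
        if (proto == "2") proto = "IGMP"   # LOG prints unnamed protocols by number
        count[kind "\t" proto "\t" dst "\t" dpt]++
    }
    END {
        for (k in count) printf "%6d\t%s\n", count[k], k
    }' | sort -k1,1nr -k2
}

# Usage: sh blocked.sh /var/log/syslog
# Prints one line per flow: count, class, protocol, destination, destination port.
if [ $# -gt 0 ]; then
    cat "$@" | summarize_blocked
fi
```

Each output line maps directly onto a candidate rule (`-p udp -d 192.168.1.0/24 --dport 137`), and the class column tells you which candidates to refuse: nothing outbound to a multicast group or to the router's unicast address needs to leave the box for the VPN setup to work.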

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2013-11-23 21:58

Okay, I'm pleased to inform you that after 24 hours, the connection to the samba share remains active. So it seems that the problem has been solved by adding the rule for UDP 137. So YAY!!

About the inbound port for the bittorrent client: it's a must that I can become "connectable" with my connection. My VPN provider offers the possibility to open individual ports. I can see that now and then I become connectable, why I don't really understand. I also tried opening the port in my router, but I was told that the client (my server's IP address) denied this because of iptables. Of course I can't do that if iptables has closed off this port.

So, how do I write a rule allowing inbound traffic on a specific port, on only my server's IP address? And would you think I need to open the port in my router as well?

How can it be that I am connectable sometimes, but most of the time I'm not? I would think that I would be either connectable or not connectable?

How vulnerable to the outside would I be if this port was opened?

Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-23 22:59

Add these two rules. Just place them with the other input rules. The order won't make any real difference here.

/sbin/iptables -A INPUT -p tcp --dport xxx -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport xxx -j ACCEPT

Where xxx = the port your torrent software is configured to use.

Most torrent client documentation seems vague regarding the need for both tcp and udp ports being opened. A lot of places on the net say to use both. I've never bothered to test if they're both actually needed.

Because the incoming torrent traffic is on the vpn, opening ports in your router will not help (in fact there's a good reason for leaving them closed...bear with me a bit). The traffic is being tunneled through the encrypted connection to the vpn server and the router can't read it. Now, the rules above don't specify an adapter, so technically your machine will also accept torrent traffic over the unencrypted lan connection, which we do not want. However this isn't typically a problem, as 1) your machine can't send any torrent traffic outbound unless a connection was already established, and 2) your router prevents incoming connections because we did not open a port on the router. If you are feeling especially paranoid, you can add '-o tun0' to the rules above to restrict incoming torrent traffic to the vpn.

What vpn provider allows dynamic port opening? If you don't mind me asking. :)

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2013-11-24 10:59

It did the trick. I am now connectable! :)

But I couldn't figure out where to put the "-o tun0".

I did it like this:

/sbin/iptables -A INPUT -o tun0 -p tcp --dport xxx -j ACCEPT

But iptables tells me that it's wrong!
Please don't laugh!
Last edited by Danielorum on 2013-11-24 16:42, edited 1 time in total.

Re: How to block internet connection when VPN fails?

Postby M51 » 2013-11-24 15:01

My bad. You put it in the right place, but it should be '-i tun0'. '-o' is only used for OUTPUT rules.
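Danielorum's earlier question was what the rules file for iptables-persistent should look like, and M51's answer was to run the script and capture iptables-save. The script below is an added example, not code from either poster: it writes that file directly, in iptables-restore format, with every correction the thread made along the way folded in (DHCP from source port 68 to port 67, UDP 137 and 138 for the Samba announcements, the LOG rule ahead of the final REJECT, and -i rather than -o for the inbound torrent port on tun0). It assumes the thread's layout, .ovpn files under /etc/openvpn, LAN 192.168.1.0/24, eth0 as the LAN adapter and tun0 as the tunnel, each overridable through an environment variable; the P2P_PORT variable and the 'killswitch:' log prefix are names chosen here. It goes beyond the thread in two places: the OUTPUT policy is DROP, with loopback and the tunnel allowed explicitly, so a second interface cannot leak, and VPN hostnames are resolved when the file is generated, so the file holds only literal addresses and iptables-restore can load the whole table in one atomic step.

```shell
#!/bin/sh
# VPN kill switch as an iptables-restore ruleset. Added example, not code from
# the thread. Assumed layout (override via environment): OpenVPN configs in
# OVPN_DIR, LAN_NET the home subnet, WAN_IF the ethernet adapter, VPN_IF the
# tunnel, P2P_PORT an optional listening port to accept on the tunnel only.
OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
P2P_PORT="${P2P_PORT:-}"

# Print the VPN endpoints from 'remote <host> [port]' lines, one IPv4 address
# per line. Hostnames are resolved now, so the rules file holds only literals.
vpn_endpoints() {
    grep -h '^remote[[:space:]]' "$OVPN_DIR"/*.ovpn 2>/dev/null \
    | awk '{ print $2 }' | sort -u \
    | while read -r host; do
        case "$host" in
            *[!0-9.]*) getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u ;;
            *)         echo "$host" ;;
        esac
    done
}

# Emit the complete ruleset. Policy is DROP on every chain so an unexpected
# interface cannot leak; the WAN adapter gets an explicit REJECT so blocked
# programs fail at once instead of hanging on a silent drop.
build_ruleset() {
    endpoints=$(vpn_endpoints)
    [ -n "$endpoints" ] || echo "warning: no VPN endpoints found in $OVPN_DIR; WAN stays fully blocked" >&2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -s $LAN_NET -j ACCEPT
EOF
    if [ -n "$P2P_PORT" ]; then
        # Inbound peers only over the tunnel: -i on INPUT rules, never -o
        echo "-A INPUT -i $VPN_IF -p tcp --dport $P2P_PORT -j ACCEPT"
        echo "-A INPUT -i $VPN_IF -p udp --dport $P2P_PORT -j ACCEPT"
    fi
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $VPN_IF -j ACCEPT
-A OUTPUT -o $WAN_IF -d $LAN_NET -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $WAN_IF -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $WAN_IF -d $LAN_NET -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $WAN_IF -d $LAN_NET -p udp --dport 137 -j ACCEPT
-A OUTPUT -o $WAN_IF -d $LAN_NET -p udp --dport 138 -j ACCEPT
EOF
    for ip in $endpoints; do
        echo "-A OUTPUT -o $WAN_IF -d $ip -j ACCEPT"
    done
    cat <<EOF
-A OUTPUT -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "killswitch: "
-A OUTPUT -o $WAN_IF -j REJECT
COMMIT
EOF
}

# Usage: sh killswitch.sh print > <file iptables-persistent loads>
#        sh killswitch.sh apply        (load atomically, as root)
case "${1:-}" in
    print) build_ruleset ;;
    apply) build_ruleset | iptables-restore ;;
esac
```

Two caveats a practitioner will want. The endpoint addresses are fixed at generation time, so the file has to be regenerated if the provider moves its servers; and if the .ovpn names the server by hostname, OpenVPN still has to resolve that name at connect time, which this file does not arrange. The extra 255.255.255.255 rule covers the initial DHCP request, which goes to the limited broadcast address rather than into the LAN subnet, and the limit match on the LOG rule keeps a chatty service from flooding syslog.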
