How to block internet connection when VPN fails?


Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 18:38

M51 wrote: The script works only if all your ovpn files are in a single directory. It will not recurse into subdirectories.

You could try this:

/bin/grep -h '^remote ' $(find /home/aaaaa/virtconfigs/allOvpn/ -name '*.ovpn') | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT

given that all ovpn files are under subdirectories of /home/aaaaa/virtconfigs/allOvpn/

It probably will blow up if any ovpn files have spaces in the names.


This helps a lot. I no longer need to keep a separate folder with *.ovpn files copied in to be parsed; it can parse a main directory with subfolders from where the configs were imported into the system. THANK YOU
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-06-13 18:40

You definitely shouldn't be able to access the web without vpn after those rules are in place. Feel free to pm.
M51
 
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 18:49

Can you please pm me? When I try to pm (I tried to pm you already; one of the admins replied, I guess. I don't know why, but the spamhunters group is automatically being notified of my messages, like being sent a copy... I'm just getting in touch with this board as of yet)

thanks
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-06-13 19:06

You have a typo:

/sbin/iptables -A OUTPUT -o eth1 -j REJECT

should be:

/sbin/iptables -A OUTPUT -o eth0 -j REJECT
M51
 
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 19:39

OK, it did the trick. Now it works and I have no internet connection w/o VPN connected.
GREAT!

Here is how I did it:
edited the script as you told me,
then I chmod +X the script,
then I ran it:

sudo /home/aaaaa/virtconfigs/script/nonvpnblock.sh

Then I tried to access the web w/o VPN. It works :( no access.

Start VPN, it connects, I have access.

Will test the local access (LAN) now and let you know.
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-13 20:20

Looks like it all works, and LAN is OK as well.
Please help: how do I make this script run each time the computer restarts?

What is this used for?

"After you have run your script to create the rules, just run iptables-save and redirect the output into whatever file the iptables-persistent script needs"

Do I have to perform this command?

How do I enable autorun for this script? I love it :)

Thanks
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-06-13 22:41

You can use the iptables-persistent package to save and restore iptables rules whenever the system boots, or you can just add a line to /etc/rc.local to call your script. The second option is probably simpler.
M51
 
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-06-30 22:56

Thank you very much, this really works.
I arranged for the script to autostart by editing my /etc/rc.local.
I can definitely edit /etc/rc.local back to default and reboot to disable the script, but is there any way I can disable it (and re-enable it later) via the terminal, in case I need the machine to get connected w/o VPN sometimes?

Thank you
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-07-01 02:31

Run iptables -F as root to flush the rules and disable all blocking.

Just run the script again (as root of course) to re-enable.
M51
 
Posts: 397
Joined: 2013-05-13 01:38
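The kill switch as the thread builds it, but with the remote-host pipeline rewritten to survive the caveat M51 quoted earlier (spaces in .ovpn file names, configs in subdirectories, CR line endings) and with the on/off switch asked about just above. This is an added example, not code from the thread; IPTABLES, IFACE and CONF_DIR are assumed placeholders you override for your machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Collects "remote" hosts with
# find -print0 / xargs -0 so .ovpn files in subdirectories and with spaces
# in their names work, and strips CR so Windows-edited configs do not leak
# a "\r" into the address. Assumes GNU/busybox find, xargs, grep, awk, sort.
# IPTABLES, IFACE and CONF_DIR are placeholders overridable from the
# environment; IPTABLES=echo previews the rules without touching the firewall.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
CONF_DIR="${CONF_DIR:-/etc/openvpn}"

# One unique host or IP per line from every "remote <host> [port] [proto]"
# line in *.ovpn files below "$1".
vpn_remotes() {
    find "$1" -type f -name '*.ovpn' -print0 \
      | xargs -0 -r grep -h '^remote[[:space:]]' \
      | tr -d '\r' \
      | awk '{print $2}' \
      | sort -u
}

# Whitelist each remote so the tunnel can come up before the catch-all REJECT.
allow_vpn_remotes() {
    vpn_remotes "$1" | while IFS= read -r host; do
        [ -n "$host" ] || continue
        "$IPTABLES" -A OUTPUT -d "$host" -j ACCEPT
    done
}

# Apply the rules from the thread (DHCP kept so the lease can be renewed).
vpn_block_on() {
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$IFACE" -p udp --sport 68 --dport 67 -j ACCEPT
    allow_vpn_remotes "$CONF_DIR"
    "$IPTABLES" -A OUTPUT -o "$IFACE" -j REJECT
}

# Undo: -F alone leaves the INPUT policy at DROP, so restore ACCEPT as well.
vpn_block_off() {
    "$IPTABLES" -F
    "$IPTABLES" -P INPUT ACCEPT
}

case "${1:-}" in
    --on)  vpn_block_on ;;
    --off) vpn_block_off ;;
esac
```

Run it as root with `--on` or `--off`; calling it with `--on` from /etc/rc.local gives the boot-time behaviour discussed above.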

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-07-10 19:16

Thank you very much for your replies. You made my day providing some valuable info, and my script works on my desktop PC.
However, I'm planning to give it a try on my laptop on the go...

Should I change the interface from eth0 to wlan0 in the script body if I use wifi to connect to the router?

As for now I have it this way:

#!/bin/sh
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
/sbin/iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/bin/grep -h '^remote ' $(find /home/usernname/folder/ -name '*.ovpn') | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j REJECT

In case my local subnet IP changes (it's not 192.168.***), should I add any extra changes? Please let me know as well.

I don't need local network access on the go; may we remove some lines associated with LAN access?

The local subnet now is 172.28.45.**
How should the script be changed?

PS
Why do we have eth1 in this line
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT

if at home I'm connected via eth0 only, via cable?

Thank you, and looking forward to your posts...
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby oweqq99 » 2014-07-10 19:39

I managed to make it look like this:

#!/bin/sh
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o wlan0 -d 172.28.45.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/bin/grep -h '^remote ' $(find /home/username/ovpn_containing_folder/ -name '*.ovpn') | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o wlan0 -j REJECT

Is this correct to restrict to VPN w/o LAN being allowed either way? Let me know... thanks
oweqq99
 
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

Postby M51 » 2014-07-10 20:09

Looks ok.
M51
 
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

Postby Danielorum » 2014-12-29 21:12

Hello once again

You helped me with these iptables rules a while ago and they work beautifully. But I have run into some problems when I tried adding them to another system in my home. Here are the rules you helped me create:

#!/bin/sh
/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.50 -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @$
/sbin/iptables -A OUTPUT -o eth0 -j LOG
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.50 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0


Now I have a second system in my house, which I use as a media center. It is running the system called openelec (Linux based), and I would like the same rules to be applied to this system as well. Just as on my other system, a VPN tunnel is established when the system starts up. I am using a different VPN provider for this second system.

The problem is that I am not able to add the rules to my system and have an outgoing connection through the tunnel. All internet connection is blocked when the rules are applied. Below are the rules I am adding on the system; I have changed some paths so they can be accepted by the system.

Also the rule in line 11 has been changed, because it gave an error when I executed it. And I was told this: "openelec (busybox) doesn't support the -I argument with xargs."
So I was told to use another line instead, which you can see below.

And the rules in line 13 and 14 give this error:
Iptables: no chain/target/Match by that name

But to be honest, I don't think I need those two rules anyway. (I have added one of them myself)

#!/bin/sh
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.46 -j ACCEPT
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d vpn.provider.com -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -j LOG
/usr/sbin/iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8
/usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m udp --dport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.46 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/usr/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/usr/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0

I am asking you for help because I have tried asking in the forum for openelec, but they are not able to help me. I don't think they know what to do. Working with iptables seems like a walk in the park for you, so that is why I hope you are able to help me. Forgive me for the long post; I don't know how to be brief about this issue.

Many thanks in advance for your time, and happy holidays!
Danielorum
 
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

Postby M51 » 2015-01-14 20:38

Rules 13-14 are just for allowing inbound and outbound pings. You don't really need them.
If you want them, change them to be:

/usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

So it doesn't work even if you take those rules out? What does it do? Is your xbmc machine connected via ethernet or wifi? If it is wifi, remember you need to change all the mentions of eth0 in the rules to wlan0 or whatever your wifi adapter is named. Run 'ip addr' to check.
M51
 
Posts: 397
Joined: 2013-05-13 01:38

How to block internet connection when VPN fails?

Postby Danielorum » 2015-01-14 23:49

Okay, I will remove them from the script. Actually I found out that this rule:

/sbin/iptables -A OUTPUT -o eth0 -j LOG

gave me this error:
Iptables: no chain/target/Match by that name

So I commented it out. Now I do not get an error when I execute the script. I am connected via Ethernet and I have set up a static IP in xbmc. I managed to make an error log while I tried to stream video from the internet while the iptables rules were applied. This is from the log:

19:53:54 T:139944479966976 NOTICE: Previous line repeats 1 times.
19:53:54 T:139944479966976 NOTICE: Thread RSSReader start, auto delete: false
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139943368353536 NOTICE: Thread JobWorker start, auto delete: true
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
Danielorum
 
Posts: 32
Joined: 2013-10-21 17:47
