VPN - only connection allowed

Postby KingBongo » 2019-08-18 08:16

Hi. I have been working on this for a while, but I am simply too stupid to figure it out :( Really frustrating.

I want to set up some rules for iptables only allowing connections through VPN except for what is needed to communicate with the VPN provider in order to establish a connection. I am connecting all my local computers through a router to the outside world, and for now I am happy to set up each computer individually with iptables and leave the router alone. Also, for now, I do not need to connect to any of my computers from the outside world so that possibility should therefore be blocked as well.

I want to allow the bare minimum of communication outside of the VPN tunnel that fulfills all of my requirements above, nothing more and nothing less. I also would like to allow only those ports that are absolutely needed for communication to the outside world. I want it to just work without having to turn off some rules, establish a connection to VPN, and then turn the rules on again. I have to do it like that now and it bugs me.

OH, and of course, I want my LAN and similar stuff to work without any hassle. I am only bothered about connections to the outside world here.

First I'd like to mention that the IP addresses provided to me by the VPN provider are not IP addresses but a DNS name. I read that using DNS with iptables is a BAD idea so I have been trying to avoid that. The way I did it was to run "sudo host DNS" in a terminal to get eight IP addresses which I am using in iptables. I have also checked with https://www.robtex.com/dns-lookup and the ones I have gotten seem to all be in use, but I cannot tell for sure. However, by checking with https://ipleak.net/ a couple of times I know for a fact that at least three of them are in use.

This is the shell script I am using (code I mostly found on the web, IP addresses are hidden):

#!/bin/bash

# erase current rules
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X

sudo ip6tables -F
sudo ip6tables -X
sudo ip6tables -t nat -F
sudo ip6tables -t nat -X
sudo ip6tables -t mangle -F
sudo ip6tables -t mangle -X

# create chains for iptables
sudo iptables -N ALLOWVPN
sudo iptables -N BLOCKALL

sudo ip6tables -N ALLOWVPN_6
sudo ip6tables -N BLOCKALL_6

# allow access for the interfaces loopback, tun, and tap
sudo iptables -A OUTPUT -o tun+ -j ACCEPT;
sudo iptables -A OUTPUT -o tap+ -j ACCEPT;
sudo iptables -A OUTPUT -o lo+ -j ACCEPT;

sudo ip6tables -A OUTPUT -o tun+ -j ACCEPT;
sudo ip6tables -A OUTPUT -o tap+ -j ACCEPT;
sudo ip6tables -A OUTPUT -o lo+ -j ACCEPT;

# route outgoing data via our created chains
sudo iptables -A OUTPUT -j ALLOWVPN;
sudo iptables -A OUTPUT -j BLOCKALL;

sudo ip6tables -A OUTPUT -j ALLOWVPN_6;
sudo ip6tables -A OUTPUT -j BLOCKALL_6;

# allow connections to certain IP addresses with no active VPN
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT
sudo iptables -A ALLOWVPN -d xx.xx.xx.xx -j ACCEPT

# block all disallowed connections
sudo iptables -A BLOCKALL -j DROP

sudo ip6tables -A BLOCKALL_6 -j DROP

I think I have to allow some incoming traffic as well and maybe something more, but if I were smart enough I would have solved the problem already :(

EDIT:
So, my question is: How do I modify the code so that I don't have to use the following procedure every time I want to connect to VPN:
1. sudo iptables -D BLOCKALL -j DROP
2. connect to VPN
3. sudo iptables -A BLOCKALL -j DROP
KingBongo
 
Posts: 56
Joined: 2010-10-14 13:39

Re: VPN - only external connection allowed

Postby KingBongo » 2019-08-25 18:28

Hi. Since I am not getting any answers on this I think I will ask a related but simpler question: Why can't I connect to my VPN at all if I change the beginning of my script to

#!/bin/bash

# erase current rules
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X

sudo ip6tables -F
sudo ip6tables -X
sudo ip6tables -t nat -F
sudo ip6tables -t nat -X
sudo ip6tables -t mangle -F
sudo ip6tables -t mangle -X

# drop all traffic by default (trouble with LAN)
sudo iptables -P OUTPUT DROP
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP

sudo ip6tables -P OUTPUT DROP
sudo ip6tables -P INPUT DROP
sudo ip6tables -P FORWARD DROP

and then further down also add

sudo iptables -A ALLOWVPN -d 192.168.0.0/24 -j ACCEPT    #router

to my "whitelist"? What additional important stuff is removed by the "DROP" lines that has to be added back? I cannot even connect to VPN if I run "sudo iptables -D BLOCKALL -j DROP" like I could before. Why?
KingBongo
 
Posts: 56
Joined: 2010-10-14 13:39
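Both posts above describe the same design problem: an OUTPUT chain that lets the VPN handshake and the tunnel out, with everything else dropped, while the LAN keeps working. The second post adds a DROP policy on INPUT, and with a DROP policy the replies to the handshake (and to any LAN or DNS query) are also dropped unless an explicit rule admits them. The script below is an added example, not the poster's script and not something from the thread; it pins the endpoint addresses the way the first post does (resolved once with `host`, then written into the rules), allows only the protocol and port the VPN client dials, admits return traffic with a conntrack rule, keeps the LAN reachable, and leaves IPv6 closed apart from loopback. The endpoint addresses, VPN port and protocol, LAN prefix and interface pattern are placeholders that must be replaced with the real values; the script prints the rules by default so they can be reviewed before being applied with root privileges.

```shell
#!/bin/sh
# Added example (not from the thread): a VPN "kill switch" rule set that lets
# only loopback, the LAN, the VPN handshake and the tunnel itself out, and
# accepts inbound traffic only for connections this host started.
# All values below are constructed placeholders, not the poster's real ones.
VPN_ENDPOINTS="${VPN_ENDPOINTS:-203.0.113.10 203.0.113.11}"  # resolved once with host(1), then pinned
VPN_PROTO="${VPN_PROTO:-udp}"      # protocol the VPN client dials
VPN_PORT="${VPN_PORT:-1194}"       # port the VPN client dials
LAN_NET="${LAN_NET:-192.168.0.0/24}"
TUN_IF="${TUN_IF:-tun+}"           # matches every tun interface (use tap+ for TAP mode)
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = execute them (needs root)

# run: print or execute one command, so the rule set can be reviewed before use.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# flush_all: remove every rule and user chain in the filter, nat and mangle tables.
flush_all() {
    for t in iptables ip6tables; do
        run $t -F
        run $t -X
        run $t -t nat -F
        run $t -t nat -X
        run $t -t mangle -F
        run $t -t mangle -X
    done
}

# apply_rules: build the complete rule set, most specific exceptions first.
apply_rules() {
    flush_all

    # Default-deny in every direction; everything below is an explicit exception.
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -P "$chain" DROP
        run ip6tables -P "$chain" DROP
    done

    # Loopback: local resolvers (e.g. 127.0.0.53) and local services need it.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened (handshake answers, LAN, DNS).
    # Without this line a DROP policy on INPUT silently kills every handshake.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # LAN: outbound to the local network (router, its DNS forwarder, printers)
    # and new inbound connections from LAN hosts. Drop the INPUT line if the
    # machine should not be reachable even from the LAN.
    run iptables -A OUTPUT -d "$LAN_NET" -j ACCEPT
    run iptables -A INPUT -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # DHCP renewals go from port 68 to 67 and would otherwise be dropped
    # once the lease expires.
    run iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

    # VPN handshake: only the pinned endpoint addresses, only the protocol and
    # port the client dials, and never inside the tunnel interface itself.
    for ep in $VPN_ENDPOINTS; do
        run iptables -A OUTPUT ! -o "$TUN_IF" -d "$ep" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    done

    # Everything else leaves through the tunnel or not at all; the LOG line
    # makes a blocked program visible in the kernel log instead of just hanging.
    run iptables -A OUTPUT -o "$TUN_IF" -j ACCEPT
    run iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'killswitch-drop:'
    run iptables -A OUTPUT -j DROP

    # IPv6 stays closed apart from loopback: most consumer VPNs tunnel only
    # IPv4, so an open IPv6 path would bypass the tunnel.
}

# rule_count: number of iptables/ip6tables commands the rule set emits (dry run).
rule_count() {
    ( DRY_RUN=1; apply_rules ) | grep -c '^ip'
}

# Review first:   sh killswitch.sh          (prints the rules)
# Then install:   sudo sh killswitch.sh apply
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
apply_rules
```

Two design points worth noting. The handshake rule is the only hole to the outside that does not go through `tun+`, and it is limited to the pinned addresses on the dialled port, so a client configured with a hostname still needs to resolve it: with the LAN rule in place, a resolver on the router works, but a public resolver would be blocked, and pointing the client at the pinned addresses directly avoids the question altogether. Second, the order matters: the conntrack ACCEPT sits before any DROP, and the final OUTPUT DROP is a rule rather than only a policy, so the tunnel rule above it never has to be removed and re-added around a connection attempt.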
