How to block internet connection when VPN fails?

oweqq99
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

#61 Post by oweqq99 »

M51 wrote: The script works only if all your ovpn files are in a single directory. It will not recurse into subdirectories.

You could try this:

/bin/grep -h '^remote ' $(find /home/aaaaa/virtconfigs/allOvpn/ -name '*.ovpn') | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT

given that all ovpn files are under subdirectories of /home/aaaaa/virtconfigs/allOvpn/

It probably will blow up if any ovpn files have spaces in the names.


this helps a lot - no longer need to keep a separate folder with *.ovpn files copied to be parsed - may parse a major directory with subfolders from where configs were imported to the system - THANK YOU

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#62 Post by M51 »

You definitely shouldn't be able to access the web without vpn after those rules are in place. Feel free to pm.

oweqq99
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

#63 Post by oweqq99 »

can you please pm me - when i try to pm (tried to pm you already - was replied to by one of the admins i guess - i don't know why but the spamhunters group is automatically being notified of my messages - like being sent a copy... just getting in touch with this board as of yet)

thanks

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#64 Post by M51 »

You have a typo:

/sbin/iptables -A OUTPUT -o eth1 -j REJECT

should be:

/sbin/iptables -A OUTPUT -o eth0 -j REJECT

oweqq99
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

#65 Post by oweqq99 »

ok, it did the trick - now it works and i have no internet connection w/o vpn connected
GREAT!

here is how i did it
edited the script as u told me
then i chmod +x the script
then i ran it

sudo /home/aaaaa/virtconfigs/script/nonvpnblock.sh

then i try to access the web w/o vpn - it works - no access

start vpn - it connects - i have access

will test the local access (lan) now and let u know

oweqq99
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

#66 Post by oweqq99 »

looks like it all works and lan is ok as well
please help - how to make this script run each time the computer restarts?

what is this used for?

"After you have run your script to create the rules, just run iptables-save and redirect the output into whatever file the iptables-persistent script needs"

do i have to perform this command?

how to enable autorun for this script? i love it)

thanks

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#67 Post by M51 »

You can use the iptables-persistent package to save and restore iptables rules whenever the system boots, or you can just add a line to /etc/rc.local to call your script. The second option is probably simpler.

oweqq99
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

#68 Post by oweqq99 »

Thank you very much - this really works.
I arranged the script to autostart by editing my /etc/rc.local
I can definitely edit /etc/rc.local back to default and reboot to disable the script options - but is there any way i can disable (and re-enable it later) via terminal - in case i need the machine to get connected w/o vpn sometimes..

thank you

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#69 Post by M51 »

Run iptables -F as root to flush the rules and disable all blocking.

Just run the script again (as root of course) to re-enable.

oweqq99
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

#70 Post by oweqq99 »

thank you very much for your replies - you made my day providing some valuable info and my script works on my desktop pc
however, im planning to give it a try on my laptop on the go...

should i change the interface from eth0 to wlan0 in the script body if i use wifi to connect to the router?

as for now i have it this way

#!/bin/sh
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
/sbin/iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/bin/grep -h '^remote ' $(find /home/usernname/folder/ -name '*.ovpn') | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j REJECT


in case my local subnet ip changes (its not 192.168.***)..should i add any extra changes? please let me know as well

I dont need local network access on the go, may we remove some lines associated with LAN access?

the local subnet now is 172.28.45.**
how should the script be changed?

PS
why do we have eth1 in this line
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT

if at home im connected via eth0 only - via cable...

thank you and looking forward to your posts...

oweqq99
Posts: 15
Joined: 2014-06-10 01:49

Re: How to block internet connection when VPN fails?

#71 Post by oweqq99 »

i managed to get it to look like this

#!/bin/sh
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o wlan0 -d 172.28.45.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/bin/grep -h '^remote ' $(find /home/username/ovpn_containing_folder/ -name '*.ovpn') | /usr/bin/tr -d '\r' | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o wlan0 -j REJECT


is this correct to restrict to vpn w/o LAN being allowed either way? let me know.....thanks
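The pieces discussed so far (the recursive grep over *.ovpn files and its spaces-in-filenames caveat, the eth0/wlan0 and LAN subnet adaptation in this post, and the later question of switching the blocking off and on again) fit in one script. This is an added example, not the thread's own script or any poster's code; it goes a little beyond the posts by adding an `off` mode that also resets the INPUT policy and a `plan` mode that prints the rules without applying them. It assumes iptables plus GNU or BusyBox find/xargs/awk, and the interface, LAN range and /etc/openvpn defaults are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not the thread's own script: VPN kill switch with on/off/plan
# modes. Assumes iptables and GNU or BusyBox find/xargs/awk; the interface,
# LAN range and config directory defaults are placeholders to adapt.
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"              # physical uplink; wlan0 on wifi ('ip addr' lists names)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # local subnet that stays reachable without the VPN
OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"  # searched recursively for *.ovpn files
MODE="${MODE:-apply}"                 # 'plan' prints each command instead of running it

# Run one iptables command, or print it in plan mode. Arguments travel as argv
# and are never re-parsed by a shell, so a host name read from a config file
# cannot smuggle in extra commands.
rule() {
    if [ "$MODE" = plan ]; then printf '%s\n' "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# Unique hosts from 'remote <host> [port] [proto]' lines in every *.ovpn under
# $1: recurses into subdirectories, copes with spaces in file names and CRLF
# line endings, and skips 'remote-random' / 'remote-cert-tls' directives.
ovpn_remotes() {
    find "$1" -type f -name '*.ovpn' -print0 \
      | xargs -0 -r grep -h '^remote[[:space:]]' -- \
      | tr -d '\r' | awk '{ print $2 }' | sort -u
}

killswitch_on() {
    rule -F INPUT             # start clean so a second run does not append duplicates
    rule -F OUTPUT
    rule -P INPUT DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -d "$LAN_NET" -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT   # DHCP renewals
    # Only the VPN endpoints may leave on the physical interface; iptables resolves
    # each name once, at insertion time, so re-run 'on' after a config change.
    ovpn_remotes "$OVPN_DIR" | while IFS= read -r host; do
        rule -A OUTPUT -o "$WAN_IF" -d "$host" -j ACCEPT
    done
    rule -A OUTPUT -o "$WAN_IF" -j REJECT   # everything else must use the tunnel
}

# 'iptables -F' on its own removes the rules but leaves the INPUT policy at DROP,
# so replies to new connections still die; the policy has to be reset as well.
killswitch_off() {
    rule -P INPUT ACCEPT
    rule -F INPUT
    rule -F OUTPUT
}

# usage: killswitch.sh on | off | plan   (as root for on/off)
case "${1:-}" in
    on)   killswitch_on ;;
    off)  killswitch_off ;;
    plan) MODE=plan; killswitch_on ;;
esac
```

Run `plan` first and read the printed rules; only then run `on` as root (and point /etc/rc.local at `on` if it should survive a reboot).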

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#72 Post by M51 »

Looks ok.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#73 Post by Danielorum »

Hello once again

You helped me with these iptables rules a while ago and they work beautifully. But I have run into some problems when I tried adding them to another system in my home. Here are the rules you helped me create:


#!/bin/sh
/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.50 -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @$
/sbin/iptables -A OUTPUT -o eth0 -j LOG
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.50 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0

Now I have a second system in my house, which I use as a media center. It is running the system called OpenELEC (Linux based), and I would like the same rules to be applied to this system as well. Just as on my other system, a VPN tunnel is established when the system starts up. I am using a different VPN provider for this second system.

The problem is that I am not able to add the rules to my system and have an outgoing connection through the tunnel. All Internet connection is blocked when the rules are applied. Below are the rules I am adding on the system; I have changed some paths so they can be accepted by the system.

Also the rule in line 11 has been changed, because it gave an error when I executed it. And I was told this: "openelec (busybox) doesn't support I argument with xargs."
So I was told to use another line instead, which you can see below.

And the rules in lines 13 and 14 give this error:
Iptables: no chain/target/Match by that name

But to be honest, I don't think I need those two rules anyway. (I have added one of them myself)


#!/bin/sh
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.1.46 -j ACCEPT
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 138 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d vpn.provider.com -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -j LOG
/usr/sbin/iptables -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8
/usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p udp -d 192.168.1.0/24 -m udp --dport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.46 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -j REJECT
/usr/sbin/iptables -A INPUT -i tun0 -p tcp --dport 11633 -j ACCEPT
/usr/sbin/iptables -A INPUT -i tun0 -p udp --dport 11633 -j ACCEPT
exit 0

I am asking you for help because I have tried asking in the forum for openelec, but they are not able to help me. I don't think they know what to do. Working with iptables seems like a walk in the park for you, so that is why I hope you are able to help me. Forgive me for the long post, I don't know how to be brief about this issue.

Many thanks in advance for your time, and happy holidays!

M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#74 Post by M51 »

Rules 13-14 are just for allowing inbound and outbound pings. You don't really need them.
If you want them, change them to be:

/usr/sbin/iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

So it doesn't work even if you take those rules out? What does it do? Is your xbmc machine connected via ethernet or wifi? If it is wifi, remember you need to change all the mentions of eth0 in the rules to wlan0 or whatever your wifi adapter is named. Run 'ip addr' to check.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

How to block internet connection when VPN fails?

#75 Post by Danielorum »

Okay I will remove them from the script. Actually I found out that this rule:

/sbin/iptables -A OUTPUT -o eth0 -j LOG

Gave me this error:
Iptables: no chain/target/Match by that name

So I commented it out. Now I do not get an error when I execute the script. I am connected via Ethernet and I have set up a static IP in xbmc. I managed to make an error log while I tried to stream video from the Internet while the iptables rules were applied. This is from the log:

19:53:54 T:139944479966976 NOTICE: Previous line repeats 1 times.
19:53:54 T:139944479966976 NOTICE: Thread RSSReader start, auto delete: false
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139943368353536 NOTICE: Thread JobWorker start, auto delete: true
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.
19:53:54 T:139944479966976 ERROR: CCurlFile::FillBuffer - Failed: Couldn't resolve host name(6)
19:53:54 T:139944479966976 ERROR: CCurlFile::CReadState::Connect, didn't get any data from stream.


Danielorum
Posts: 32
Joined: 2013-10-21 17:47

How to block internet connection when VPN fails?

#76 Post by Danielorum »

And I don't know if it matters, but I am using a different VPN provider than the one used in the original script. I use this command in a start-up script to activate the VPN tunnel:

sleep 10s
openvpn /storage/.config/vpn-config/my.vpn.provider.ovpn &

Don't know if it is relevant or not.


M51
Posts: 397
Joined: 2013-05-13 01:38

Re: How to block internet connection when VPN fails?

#77 Post by M51 »

The errors you show are failures to resolve dns host names.

Does the vpn connect successfully? Try this: Ping something like www.google.com. Note the ip address. Connect to the vpn and try pinging the ip address directly. If it works, then for some reason your vpn provider's dns settings aren't being used or aren't working.

Danielorum
Posts: 32
Joined: 2013-10-21 17:47

Re: How to block internet connection when VPN fails?

#78 Post by Danielorum »

Well finally something different happened!

When I try to ping Google's hostname it tells me bad address, but when I ping Google's IP address it works! I have tried this with Google's DNS address inserted into XBMC's network settings, and I tried with my VPN provider's DNS address as well, with the same result.

So doesn't it seem like the iptables rules are creating this issue?

Because I did some digging around the web and found this simple set of rules, which doesn't create any problems. Can't I just use these instead? And what are the main differences between these sets of rules?


#!/bin/sh
# Delete all existing rules
iptables -F

# Allow from local network
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

# Allow OpenVPN
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT

# Deny eth0
iptables -A OUTPUT -o eth0 -j DROP

dbuse
Posts: 1
Joined: 2015-11-27 04:09

Re: How to block internet connection when VPN fails?

#79 Post by dbuse »

Hi

Is this still open please?

I'm new to the forum and, er, I'm an Ubuntu user. I know that as a 'foreigner' 'I don't belong' to the Debian Forum but this script is, I hope, the only firewall I've found that does what I want .....

I was hoping somebody could help me with the script in Ubuntu? When I run it, the terminal just momentarily opens and closes and nothing happens. I am new to iptables (can this be done using gufw???)

My ovpn scripts (and their certs) are in /etc/openvpn

My script is as the original:


#!/bin/sh
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 67 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j REJECT

Fingers crossed and thanks - either way ...

jameshouston135
Posts: 2
Joined: 2016-02-02 13:00

Re: How to block internet connection when VPN fails?

#80 Post by jameshouston135 »

Although i have used selective VPN routing and I use the following logic in my script...


# Optionally FORCE the use of the VPN tunnel, so if the VPN tunnel drops, the device will not use the unencrypted default WAN
if [ "$FORCE" = "FORCE" ];then
logger -t "($(basename $0))" $$ VPN Selective routing for $IP_RANGE WAN access blocked
echo "$IP_RANGE WAN access blocked"
# Prevent duplicate blocking rule entries
iptables -D FORWARD -i br0 -s $IP_RANGE -o eth0 -j DROP
iptables -I FORWARD -i br0 -s $IP_RANGE -o eth0 -j DROP
fi
# Allow removing of the WAN blocking if it was previously set
if [ "$FORCE" = "NOFORCE" ];then
logger -t "($(basename $0))" $$ VPN Selective routing for $IP_RANGE WAN access allowed
echo "$IP_RANGE WAN access allowed"
iptables -D FORWARD -i br0 -s $IP_RANGE -o eth0 -j DROP
fi

So not sure if specifying eth0 will work in your case?
