
#1 2015-01-14 17:02:25

julesm
Member
Registered: 2014-07-29
Posts: 70

[SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

I have followed the wiki instructions to set up the simple, stateful firewall. And it seems to be working fine. But now I want to expand it so that if my openvpn connection fails, then all internet traffic is blocked. I've researched this and it seems that there are a number of ways to achieve this. But I want to do it in a way that fits with the arch wiki firewall and does it in an effective and elegant way.

So, I've got two questions and would be grateful for some expert advice.

1) Have I inserted my additional rule in the right place?  (To block traffic if the vpn connection fails)

2) In the way that I have done this, I need to supply the vpn server ip address. So, if I switch vpn servers, then I have to change the ip address and update the iptables rules. I've got a script that does this quickly but still it's a bit awkward. Is there another way of doing this - again that fits with the arch wiki firewall - that either doesn't need the vpn server ip address or allows me to specify multiple vpn servers?

Here's what I have so far.  (In my script, <ip of vpn server> is the actual ip address.)

#!/bin/bash
iptables-restore < /etc/iptables/empty.rules
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#I added the next rule to block traffic should vpn connection fail
iptables -A OUTPUT -o wlp3s0 ! -d <ip of vpn server> -j DROP 

iptables -P INPUT DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables-save > /etc/iptables/iptables.rules
systemctl start iptables.service && systemctl status iptables.service

Many thanks for any assistance on this one.

Cheers,
Jules

Last edited by julesm (2015-01-15 12:05:11)


#2 2015-01-15 12:04:52

julesm
Member
Registered: 2014-07-29
Posts: 70

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

I believe I have solved this.  So, I'll post the modified iptables rules for anyone interested and for any comments/feedback. Again, my aim was to take the stateful firewall from the wiki and modify it so that all traffic would be blocked if my vpn connection fails to any of the vpn servers I use.  Cheers, Jules

#!/bin/bash

local_network="192.168.1.0/24"
wireless_interface="wlp3s0"
virtual_interface="tun0"
#VPN Servers
servers=(
0.0.0.0 #ip address of vpn server 1
1.1.1.1 #ip address of vpn server 2
)

iptables-restore < /etc/iptables/empty.rules #create default rules, overwriting any that may be present already
iptables -N TCP #TCP user-defined chain used open up ports in the firewall
iptables -N UDP #UDP user-defined chain used open up ports in the firewall
iptables -P FORWARD DROP #this is a single PC and not a NAT gateway

#set up out rules
iptables -P OUTPUT DROP #block all outgoing traffic by default
iptables -A OUTPUT -j ACCEPT -d "$local_network" -o "$wireless_interface" #allow out to local network via wireless
iptables -A OUTPUT -j ACCEPT -o "$virtual_interface" #allow everything out through the VPN tunnel interface
iptables -A OUTPUT -o lo -j ACCEPT #allow out to loopback
server_count=${#servers[@]} #number of VPN servers to loop through
for (( c = 0; c < server_count; c++ ))
do
    #set up out rules for udp
    iptables -A OUTPUT -p udp -d ${servers[c]} --dport 53  -o $wireless_interface -j ACCEPT
    iptables -A OUTPUT -p udp -d ${servers[c]} --dport 80  -o $wireless_interface -j ACCEPT
    iptables -A OUTPUT -p udp -d ${servers[c]} --dport 443 -o $wireless_interface -j ACCEPT

    #set up out rules for tcp
    iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 53  -o $wireless_interface -j ACCEPT
    iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 80  -o $wireless_interface -j ACCEPT
    iptables -A OUTPUT -p tcp -d ${servers[c]} --dport 443 -o $wireless_interface -j ACCEPT
done

#set up in rules
iptables -P INPUT DROP #block all incoming traffic by default
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT #accept ping requests up to the rate limit
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP #drop ping requests that exceed the rate limit
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT #allow in established connections
iptables -A INPUT -i lo -j ACCEPT #allow in to loopback
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP #drop all traffic with an INVALID state match
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP #attach the UDP chain to the INPUT chain to handle all new incoming connections
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP #attach the TCP chain to the INPUT chain to handle all new incoming connections
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst #handle SYN scans
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst #handle SYN scans
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable #handle UDP scans
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable #handle UDP scans
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable #reject all remaining incoming traffic with icmp protocol unreachable messages

#use new rules
iptables-save > /etc/iptables/iptables.rules #save rules
systemctl start iptables.service && systemctl status iptables.service #check that the rules load correctly 

Last edited by julesm (2015-01-15 18:09:58)

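An added check, not code from the thread or the Arch wiki: this script reads an iptables-save dump and reports any OUTPUT path that does not go through the tunnel, so the kill switch in post #2 can be verified rather than assumed. The tunnel interface name tun0, the constructed dumps and the stand-in VPN address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an iptables-save dump for the
# kill-switch properties the rule set in post #2 depends on.  Reads the dump
# on stdin so it runs against a saved file or a constructed sample offline.

# Constructed dump in iptables-save format mirroring post #2's OUTPUT rules;
# 203.0.113.10 (a documentation address) stands in for one VPN server.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -d 192.168.1.0/24 -o wlp3s0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o wlp3s0 -p udp -m udp --dport 443 -j ACCEPT
COMMIT'

# The same dump plus a common "fix" for name resolution failing when the VPN
# drops: it lets DNS out on any interface, which is exactly the leak to avoid.
LEAKY_RULES="${SAMPLE_RULES%COMMIT}-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT"

# audit_killswitch TUN_IF   (iptables-save output on stdin)
# Prints one finding per line; exit status 0 means no finding.
audit_killswitch() {
  awk -v tun="$1" '
    # default-deny egress, so a missing or flushed rule fails closed
    /^:OUTPUT / && $2 != "DROP" { print "OUTPUT policy is " $2 ", not DROP"; bad = 1 }
    # every ACCEPT in OUTPUT must be the tunnel, loopback, or pinned to a -d
    /^-A OUTPUT / && / -j ACCEPT/ {
      if ($0 ~ ("-o " tun " ")) { tunnel_ok = 1; next }
      if ($0 ~ /-o lo /) next
      if ($0 ~ / -d /) next
      print "unpinned egress rule: " $0; bad = 1
    }
    END {
      if (!tunnel_ok) { print "no ACCEPT rule for tunnel interface " tun; bad = 1 }
      exit bad
    }'
}

# Against the live rule set (needs root):  iptables-save | audit_killswitch tun0
if printf '%s\n' "$SAMPLE_RULES" | audit_killswitch tun0; then
  echo "sample rule set: no egress path outside the tunnel"
fi
printf '%s\n' "$LEAKY_RULES" | audit_killswitch tun0 || echo "leaky rule set: see finding above"
```

Post #1's arrangement (policy ACCEPT plus one DROP rule) is reported as a finding by design: it works while the DROP rule is in place, but a flush or a rule inserted ahead of it fails open, whereas a DROP policy fails closed.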

#3 2015-01-19 10:23:55

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

julesm wrote:

so that if my openvpn connection fails, then all internet traffic is blocked

This is too vague. If your openvpn connection fails, then exactly what is the concern?


#4 2015-01-19 10:31:53

julesm
Member
Registered: 2014-07-29
Posts: 70

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

Good question.  Happy to explain.  There are times when you may want to have your internet traffic encrypted for privacy and security reasons.  A good example of when this is important is when you use public wifi hotspots.  But what can happen is that for whatever reason your openvpn connection can fail and unless you notice that the padlock has disappeared (if you're using network manager) then you could continue believing - mistakenly - that your traffic is encrypted when it is not.  With what I've set up, you are always protected - because should the vpn connection go down then nothing is allowed out, ensuring nothing has been exposed to the outside world.  I hope that explains why someone would want to do this.

Cheers,
Jules


#5 2015-03-15 08:44:03

yanis
Member
Registered: 2015-03-15
Posts: 2

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

Hi Jules,

Thanks for sharing your knowledge with us.

I have the following questions for you:

(1) It appears that I need to install iptables for your script to work, correct?

(2) What if I don't wish to install the package "iptables"? Is there a way to still use your wonderful script?

(3) My local network's IP is not the typical 192.168.1.0. It's 192.168.100.1 (the default DHCP gateway). Will your script work if I substitute 192.168.100.0 for 192.168.1.0?

(4) Regarding VPN server addresses, can I use hostnames instead of resolved IP addresses? For example instead of using 1.1.1.1 can I use usa.myvpn.org?

(5) How do I manually switch to using a specific VPN server? (I'm not knowledgeable about scripting language and network administration.)

Thanks in advance for your help.

Adrian


#6 2015-03-15 08:56:29

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,212

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

yanis wrote:

(1) It appears that I need to install iptables for your script to work, correct?

Yes.

yanis wrote:

(2) What if I don't wish to install the package "iptables"? Is there a way to still use your wonderful script?

No. The whole script revolves around iptables.

yanis wrote:

(3) My local network's IP is not the typical 192.168.1.0. It's 192.168.100.1 (the default DHCP gateway). Will your script work if I substitute 192.168.100.0 for 192.168.1.0?

Yes, but only if you install iptables.

yanis wrote:

(4) Regarding VPN server addresses, can I use hostnames instead of resolved IP addresses? For example instead of using 1.1.1.1 can I use usa.myvpn.org?

Yes, and you still need iptables.

yanis wrote:

(5) How do I manually switch to using a specific VPN server? (I'm not knowledgeable about scripting language and network administration.)

The script has nothing to do with establishing the VPN connection, only restricting how packets can egress from your computer (i.e., anything THROUGH the tunnel is OK, anything to the local network is OK, but outside the tunnel only the traffic required to maintain the tunnel).


#7 2015-03-15 23:13:52

yanis
Member
Registered: 2015-03-15
Posts: 2

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

fukawi2 wrote:

Yes.

fukawi2 wrote:

No. The whole script revolves around iptables.

fukawi2 wrote:

Yes, but only if you install iptables.

fukawi2 wrote:

Yes, and you still need iptables.

Well, I discovered I have iptables installed.

But there is no directory called iptables in /etc/.

Should I install the package called iptables-persistent? If it is installed, a directory called iptables will be present in /etc/.


#8 2015-03-15 23:20:31

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,212

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

Personally, I would just replace that line with:

iptables -F
iptables -X

Although, you should have that directory from iptables:

# pacman -Qo /etc/iptables/empty.rules 
/etc/iptables/empty.rules is owned by iptables 1.4.21-1


#9 2015-06-06 21:19:41

pmatts
Member
Registered: 2015-02-23
Posts: 25

Re: [SOLVED] Blocking internet traffic if openvpn disconnects - elegantly

Thank you, Jules.

