
#1 2018-08-17 19:22:37

Pryka
Member
Registered: 2018-02-07
Posts: 85

[SOLVED]VPN Killswitch issue.

Hello!

I'm testing Mullvad VPN now. I have forwarded one port in the Mullvad dashboard and it's connectable. But I don't understand one thing. Why did I have to add this to my iptables rules:

iptables -A INPUT -p tcp --dport xxxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

From my understanding the port is opened on the VPN server side, so why is it necessary to use this rule on my side? When I delete them the port appears as closed.

These are my full iptables rules:

# Generated by iptables-save v1.6.2 on Fri Aug 17 21:20:01 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [35912:5974323]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport xxxxx -j ACCEPT
-A INPUT -p udp -m udp --dport xxxxx -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Aug 17 21:20:01 2018
# Generated by iptables-save v1.6.2 on Fri Aug 17 21:20:01 2018
*nat
:PREROUTING ACCEPT [125:9013]
:INPUT ACCEPT [74:5275]
:OUTPUT ACCEPT [1197:117707]
:POSTROUTING ACCEPT [1033:106487]
COMMIT
# Completed on Fri Aug 17 21:20:01 2018
# Generated by iptables-save v1.6.2 on Fri Aug 17 21:20:01 2018
*mangle
:PREROUTING ACCEPT [58717:59127353]
:INPUT ACCEPT [58717:59127353]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [37000:6081137]
:POSTROUTING ACCEPT [36844:6071414]
COMMIT
# Completed on Fri Aug 17 21:20:01 2018
# Generated by iptables-save v1.6.2 on Fri Aug 17 21:20:01 2018
*raw
:PREROUTING ACCEPT [58712:59124175]
:OUTPUT ACCEPT [36983:6077321]
COMMIT
# Completed on Fri Aug 17 21:20:01 2018
# Generated by iptables-save v1.6.2 on Fri Aug 17 21:20:01 2018
*security
:INPUT ACCEPT [58644:59112978]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36815:6063105]
COMMIT
# Completed on Fri Aug 17 21:20:01 2018

Can someone try to explain this to me? I would appreciate it.

Last edited by Pryka (2018-08-20 09:11:42)


#2 2018-08-17 20:44:01

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED]VPN Killswitch issue.

Pryka wrote:

From my understanding port is opened on the VPN server side

The VPN server is listening on a port. However, iptables would *block* connections to that port, given the default rule:

*filter
:INPUT DROP [0:0]

Therefore you need to tell iptables to *allow* incoming connections, since VPN connections are initiated by the clients, not by the server.


#3 2018-08-17 21:08:51

Pryka
Member
Registered: 2018-02-07
Posts: 85

Re: [SOLVED]VPN Killswitch issue.

Okay thanks.

But I just found that port x02x is open. To close it I just need to disconnect from Mullvad. How is this possible? (It's not set as open in the Mullvad online dashboard.)

No changes in iptables, same as in my first post.

For me it's strange.

They probably opened that port (x02x) for some reason, but the part that I don't understand is why it's connectable on my PC without an iptables rule, when the other one isn't.

EDIT:
I was thinking about it and will probably dump the old rules and do some kind of killswitch to block all traffic outside the VPN.

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT -i lo
-A INPUT -j ACCEPT -i tun0
-A OUTPUT -j ACCEPT -o lo
-A OUTPUT -j ACCEPT -o tun0
-A OUTPUT -p udp -m udp --dport xxxx -j ACCEPT
-A OUTPUT -d VPN.DNS.IP -j ACCEPT

Will fiddle with this more tomorrow.


EDIT: I have changed the topic a little to be more fitting to what I'm actually doing now.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d x.x.x.x -j ACCEPT  # VPN DNS
iptables -A OUTPUT -p udp -m udp --dport xxxx -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable

Can't get connected with these rules, I'm stuck on:

Sat Aug 18 11:13:01 2018 RESOLVE: Cannot resolve host address: ADRESS:PORT (Temporary failure in name resolution)
Sat Aug 18 11:13:01 2018 RESOLVE: Cannot resolve host address: ADRESS:PORT (Temporary failure in name resolution)
Sat Aug 18 11:13:01 2018 Could not determine IPv4/IPv6 protocol

Anyone? :)

EDIT: the dport in the iptables rule and the port in the resolve host address from the connection error are the same.

EDIT2: I tried an example killswitch from https://mullvad.net/en/guides/linux-ope … tallation/ with alterations to choose other servers.

sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -t raw -F
sudo iptables -t raw -X
sudo iptables -t security -F
sudo iptables -t security -X
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -o tun+ -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -d x.x.x.x -j ACCEPT
sudo iptables -A INPUT -s x.x.x.x -j ACCEPT
sudo iptables -A OUTPUT -o enp2s0+ -p udp -m multiport --dports xxxx,xxxx:xxxx,xxxx:xxxx -d x.x.x.x/x,x.x.x.x/x,x.x.x.x/x -j ACCEPT
sudo iptables -A OUTPUT -o enp2s0+ -p tcp -m multiport --dports xxxx,xxxx -d x.x.x.x/x,x.x.x.x/x,x.x.x.x/x -j ACCEPT
sudo iptables -A OUTPUT -o enp2s0+ ! -d x.x.x.x -p tcp --dport xxxx -j DROP
sudo ip6tables -P OUTPUT DROP
sudo ip6tables -A OUTPUT -o tun+ -j ACCEPT

It's not working; I have to change sudo iptables -P INPUT DROP to ACCEPT.


EDIT:

Managed to fix this by adding iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT again:

*filter
:INPUT DROP [21:2542]
:FORWARD DROP [0:0]
:OUTPUT DROP [42:3169]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s x.x.x.x/x -j ACCEPT
-A INPUT -p tcp -m tcp --dport xxxx -j ACCEPT
-A INPUT -p udp -m udp --dport xxxx -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d x.x.x.x/x -j ACCEPT
-A OUTPUT -d x.x.x.x/x -o enp2s0+ -p udp -m multiport --dports xxxx:xxxx -j ACCEPT
-A OUTPUT -d x.x.x.x/x -o enp2s0+ -p udp -m multiport --dports xxxx:xxxx -j ACCEPT
-A OUTPUT -d x.x.x.x/x -o enp2s0+ -p udp -m multiport --dports xxxx,xxxx:xxxx,xxxx:xxxx -j ACCEPT
-A OUTPUT -d x.x.x.x/x -o enp2s0+ -p tcp -m multiport --dports xxxx,xxxx -j ACCEPT
-A OUTPUT -d x.x.x.x/x -o enp2s0+ -p tcp -m multiport --dports xxxx,xxxx -j ACCEPT
-A OUTPUT -d x.x.x.x/x -o enp2s0+ -p tcp -m multiport --dports xxxx,xxxx -j ACCEPT
-A OUTPUT ! -d x.x.x.x/x -o enp2s0+ -p tcp -m tcp --dport xxxx -j DROP
COMMIT

Can someone look at this and tell me if it's fine?

Last edited by Pryka (2018-08-20 09:05:01)
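As an added illustration (not code from the thread, from Mullvad or from iptables itself), this Python model replays the flows argued about in posts #1, #2 and #3 against a simplified version of the final ruleset: the VPN handshake reply is only accepted by the RELATED,ESTABLISHED rule because the INPUT policy is DROP, a peer reaching the forwarded port arrives on tun0 as a NEW flow and so needs the per-port rule, and anything leaving over enp2s0 outside the tunnel is dropped. All addresses, ports and interface names are constructed placeholders for the redacted values.

```python
from dataclasses import dataclass
# Placeholders for the thread's redacted x.x.x.x / xxxx values (constructed).
VPN_DNS = "10.8.0.1"      # the -d/-s x.x.x.x "VPN DNS" address
VPN_NET = "198.51.100."   # VPN server subnet from the multiport rules
VPN_PORT = 1194           # UDP --dport the tunnel is built on
FWD_PORT = 51413          # port forwarded in the Mullvad dashboard

@dataclass(frozen=True)
class Pkt:
    iface: str   # -i for INPUT, -o for OUTPUT
    proto: str
    src: str
    dst: str
    dport: int

def match_output(p):
    """OUTPUT chain as posted, first match wins; policy is DROP."""
    if p.iface in ("lo", "tun0") or p.dst == VPN_DNS:
        return "ACCEPT"
    if (p.iface == "enp2s0" and p.proto == "udp"
            and p.dst.startswith(VPN_NET) and p.dport == VPN_PORT):
        return "ACCEPT"
    return "DROP"

def match_input(p, flows, conntrack=True, fwd_rule=True):
    """INPUT chain; `flows` plays the role of the conntrack table."""
    if conntrack and (p.proto, p.src) in flows:
        return "ACCEPT"      # -m conntrack --ctstate RELATED,ESTABLISHED
    if p.iface == "lo" or p.src == VPN_DNS:
        return "ACCEPT"
    if fwd_rule and p.dport == FWD_PORT:
        return "ACCEPT"      # the per-port rule asked about in post #1
    return "DROP"            # :INPUT DROP policy

def simulate(conntrack=True, fwd_rule=True):
    """Replay the flows the thread argues about and collect the verdicts."""
    flows, v = set(), {}
    # 1. OpenVPN handshake leaves over the physical NIC; conntrack records it.
    out = Pkt("enp2s0", "udp", "192.0.2.5", VPN_NET + "7", VPN_PORT)
    v["handshake_out"] = match_output(out)
    if v["handshake_out"] == "ACCEPT":
        flows.add((out.proto, out.dst))
    # 2. The server's reply is ESTABLISHED traffic; no other INPUT rule fits it.
    reply = Pkt("enp2s0", "udp", VPN_NET + "7", "192.0.2.5", 41234)
    v["handshake_reply"] = match_input(reply, flows, conntrack, fwd_rule)
    # 3. A peer reaching the forwarded port arrives via tun0 as a NEW flow.
    inbound = Pkt("tun0", "tcp", "203.0.113.9", "10.8.0.2", FWD_PORT)
    v["forwarded_port"] = match_input(inbound, flows, conntrack, fwd_rule)
    # 4. Traffic that bypasses the tunnel must be dropped: the killswitch.
    leak = Pkt("enp2s0", "tcp", "192.0.2.5", "203.0.113.9", 443)
    v["leak_attempt"] = match_output(leak)
    return v
```

Running `simulate(conntrack=False)` reproduces the "Cannot resolve host address" situation from the thread: the handshake goes out but every reply is dropped by the INPUT policy.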

