Hi, I need some help to set up iptables rules to kill outgoing connections that don't pass through the VPN (except DNS, which uses trusted servers).
I'm using IPsec and iptables. I have made this ruleset, but it doesn't allow me to navigate; can you help me find what I'm missing?
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# IPsec
-A INPUT -s 10.6.6.0/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.6.6.0/32 -j ACCEPT
# local interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
# LAN
-A INPUT -s 192.168.1.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
# DNS
-A OUTPUT -d 103.86.96.100/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.100/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 103.86.96.100/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 103.86.96.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 103.86.99.100/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 103.86.99.100/32 -p udp -m udp --dport 53 -j ACCEPT
# VPN IP OUT
-A INPUT -s 136.11.122.124 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 136.11.122.124 -j ACCEPT
-A INPUT -s 136.11.122.123 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 136.11.122.123 -j ACCEPT
COMMIT
where 10.6.6.0/32 is the net created by IPsec, and 136.11.122.124 and 136.11.122.123 are the two IP addresses where I come out on the net.
I can ping and resolve names but I can't navigate.
Last edited by Kevin00 (2019-07-20 11:05:07)
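Added example (not part of Kevin00's post): a dry-run evaluator that applies iptables first-match semantics to the ruleset above, so the verdict for a given packet can be checked without touching the live firewall. It models only the matches the ruleset uses (-s, -d, -i, -o, -p, --dport, --ctstate, and xt_policy's --pol). The constructed packets (a web site at the documentation address 203.0.113.50, a LAN host 192.168.1.10, interface eth0) and the `-m policy --dir out --pol ipsec` rules appended in FIXED_RULES are assumptions; the posted ruleset is copied verbatim minus its comment lines.

```python
import ipaddress
import shlex

# Ruleset as posted above (comment lines dropped).
POSTED_RULES = """\
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 10.6.6.0/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.6.6.0/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 103.86.96.100/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.100/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 103.86.96.100/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 103.86.96.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 103.86.99.100/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 103.86.99.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 136.11.122.124 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 136.11.122.124 -j ACCEPT
-A INPUT -s 136.11.122.123 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 136.11.122.123 -j ACCEPT
COMMIT
"""

# Candidate fix (an assumption, not from the post): accept only flows the kernel
# will protect with an IPsec SA (xt_policy match), in both directions.
FIXED_RULES = POSTED_RULES.replace(
    "COMMIT",
    "-A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT\n"
    "-A INPUT -m policy --dir in --pol ipsec"
    " -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\nCOMMIT",
)


def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [option dict, ...]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] in ("*filter", "COMMIT") or tok[0].startswith("#"):
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        if tok[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        chain, opts, i = tok[1], {}, 2
        while i < len(tok):
            if tok[i] != "-m":          # '-m <module>' carries no criterion itself
                opts[tok[i]] = tok[i + 1]
            i += 2
        chains.setdefault(chain, []).append(opts)
    return policies, chains


def rule_matches(opts, pkt):
    """Every criterion of one rule must hold for the packet (a plain dict)."""
    tests = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "-i": lambda v: pkt.get("in_if") == v,
        "-o": lambda v: pkt.get("out_if") == v,
        "-p": lambda v: pkt.get("proto") == v,
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--ctstate": lambda v: pkt.get("ctstate") in v.split(","),
        "--pol": lambda v: pkt.get("ipsec", False) == (v == "ipsec"),
        "--dir": lambda v: True,    # direction is already implied by the chain
    }
    return all(tests[k](v) for k, v in opts.items() if k != "-j")


def outcome(rules_text, chain, pkt):
    """Target of the first matching rule, else the chain's policy."""
    policies, chains = parse_ruleset(rules_text)
    for opts in chains.get(chain, []):
        if rule_matches(opts, pkt):
            return opts["-j"]
    return policies[chain]


# Constructed packets: a browser on 192.168.1.10 talking to a site at 203.0.113.50.
WEB_OUT = {"src": "192.168.1.10", "dst": "203.0.113.50", "out_if": "eth0",
           "proto": "tcp", "dport": 443, "ctstate": "NEW", "ipsec": True}
WEB_REPLY = {"src": "203.0.113.50", "dst": "192.168.1.10", "in_if": "eth0",
             "proto": "tcp", "ctstate": "ESTABLISHED", "ipsec": True}
DNS_OUT = {"src": "192.168.1.10", "dst": "103.86.96.100", "out_if": "eth0",
           "proto": "udp", "dport": 53, "ctstate": "NEW", "ipsec": True}
LEAK = dict(WEB_OUT, ipsec=False)   # same web packet once the tunnel is gone

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("with policy match", FIXED_RULES)):
        print(name, "| web out:", outcome(rules, "OUTPUT", WEB_OUT),
              "| web reply:", outcome(rules, "INPUT", WEB_REPLY),
              "| dns:", outcome(rules, "OUTPUT", DNS_OUT),
              "| unprotected web:", outcome(rules, "OUTPUT", LEAK))
```

Running it shows why name resolution works while browsing does not: the DNS packet is accepted by the rules without `-o lo` (the two `-o lo` DNS rules can never match a packet leaving on a real interface), whereas the OUTPUT chain has no rule for an arbitrary web destination, so the plaintext packet hits the DROP policy before IPsec ever sees it, and the reply would be dropped in INPUT for the same reason. With the xt_policy rules appended, protected flows pass in both directions while the same web packet without IPsec coverage is still dropped, which is the kill-switch property the post is after.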
Can anyone expert in iptables and IPsec help me?