LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Force all internet traffic through tun0 (Vpn Interface) (http://www.linuxquestions.org/questions/linux-security-4/force-all-internet-traffic-through-tun0-vpn-interface-896457/)

dschuett 08-09-2011 08:55 PM
Force all internet traffic through tun0 (Vpn Interface)
 
I am trying to configure iptables on one of my computers to ONLY be allowed to do the following:

1. The computer IS allowed to be accessed by other computers on the LOCAL network.

2. ALL internet traffic (IN and OUT) MUST use the tun0 (OpenVPN tunnel) interface.

3. ALL other traffic that doesn't apply to the above two rules MUST be DROPPED.

My iptables script seems to be working the way I want it to, but I wanted another set of eyes to see if they can catch any "security holes" I may be missing regarding the rules I described above. It is very important that this computer can only be allowed these specific rules.

I will take any suggestions that anyone may have.

Thanks for your time!

Code:
#!/bin/bash

#Set variables
IPT=/sbin/iptables
VPN=x.x.x.x
LAN=192.168.0.0/24

#Flush rules
$IPT -F
$IPT -X

#Default policies and define chains
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

#Allow input from LAN and tun0 ONLY
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -s $LAN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -j DROP

#Allow output from lo and tun0 ONLY
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -d $VPN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -j DROP
exit 0

corp769 08-09-2011 09:07 PM
Hello,

After looking through it, it looks pretty good! I do recommend that you fire up nmap, or another applicable program, and try scanning your computer from different resources and computers outside of your local network, even within your network, to do a security check of your configuration. When I built up my firewall, that is exactly what I did in order to get it just right. One more thing - Just because it looks good to me, doesn't mean that it is. We all have different networks, and different setups, so you should really test your network like I said to verify.

Cheers,

Josh

dschuett 08-10-2011 07:19 AM
Quote:
Originally Posted by corp769 (Post 4438320)
Hello,

After looking through it, it looks pretty good! I do recommend that you fire up nmap, or another applicable program, and try scanning your computer from different resources and computers outside of your local network, even within your network, to do a security check of your configuration. When I built up my firewall, that is exactly what I did in order to get it just right. One more thing - Just because it looks good to me, doesn't mean that it is. We all have different networks, and different setups, so you should really test your network like I said to verify.

Cheers,

Josh
Thanks for the pointers. I will definitely do some NMAPing of that computer to see what I come up with!

Dana

corp769 08-10-2011 08:36 AM
No problem. Let me know how the results turn out then.

Josh


All times are GMT -5. The time now is 03:50 AM.