LinuxQuestions.org, Linux - Security forum
Old 08-09-2011, 08:55 PM   #1
dschuett
Member
 
Registered: Aug 2010
Posts: 38

Rep: Reputation: 0
Force all internet traffic through tun0 (Vpn Interface)


I am trying to configure iptables on one of my computers to ONLY be allowed to do the following:

1. The computer IS allowed to be accessed by other computers on the LOCAL network.

2. ALL internet traffic (IN and OUT) MUST use the tun0 (OpenVPN tunnel) interface.

3. ALL other traffic that doesn't apply to the above two rules MUST be DROPPED.

My iptables script seems to be working the way I want it to, but I wanted another set of eyes to see if they can catch any "security holes" I may be missing regarding the rules I described above. It is very important that this computer can only be allowed these specific rules.

I will take any suggestions that anyone may have.

Thanks for your time!

Code:
#!/bin/bash

#Set variables
IPT=/sbin/iptables
VPN=x.x.x.x          # public address of the OpenVPN server (placeholder as posted)
LAN=192.168.0.0/24

#Flush rules (filter table only; the nat and mangle tables are left untouched)
$IPT -F
$IPT -X

#Default policies: anything not matched by a rule below is dropped
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

#Allow input from LAN and tun0 ONLY
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # replies to connections this host opened
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT           # any new connection arriving through the tunnel
$IPT -A INPUT -s $LAN -m conntrack --ctstate NEW -j ACCEPT           # new connections from LAN addresses, on any interface
$IPT -A INPUT -j DROP                                                # redundant with the INPUT DROP policy, harmless

#Allow output from lo and tun0 ONLY
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  # replies to connections accepted above
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT          # all new outbound traffic goes into the tunnel
$IPT -A OUTPUT -d $VPN -m conntrack --ctstate NEW -j ACCEPT          # except the tunnel itself, which must reach the VPN server
$IPT -A OUTPUT -j DROP                                               # redundant with the OUTPUT DROP policy, harmless
exit 0
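The same three-rule policy as an added example (this is not dschuett's script and not from the OpenVPN project), written so the rule set can be printed and reviewed without root, and paired with an audit function that reads an iptables-save dump and flags the two places where the posted rules are wider than the stated intent: an INPUT rule that accepts new connections by source address alone (so a packet entering through the tunnel with a forged 192.168.0.x source also matches), and the tun0 INPUT rule that accepts every new connection from the VPN side rather than specific ports. The interface names eth0 and tun0, the LAN range, the VPN server address (x.x.x.x, the placeholder used in the post) and the sample rule dump are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same policy (LAN may
# reach this host, everything else goes through the VPN, the rest is dropped)
# with the LAN accept pinned to the LAN-facing NIC and inbound-over-VPN limited
# to explicitly listed TCP ports. Names below are assumptions for the example.
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"              # assumed: the NIC that carries LAN and internet traffic
VPN_IF="${VPN_IF:-tun0}"
LAN="${LAN:-192.168.0.0/24}"
VPN_SERVER="${VPN_SERVER:-x.x.x.x}"   # placeholder for the OpenVPN server's public address

# Print the rule set, one iptables command per line; arguments are TCP ports that
# may be reached through the tunnel (none by default). Nothing is executed here.
emit_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -i $LAN_IF -s $LAN -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in "$@"; do   # only these services are reachable from the VPN side
        echo "$IPT -A INPUT -i $VPN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o $VPN_IF -m conntrack --ctstate NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_IF -d $VPN_SERVER -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Read iptables-save style rules on stdin and report NEW-accepting rules that are
# wider than the policy requires. Returns 1 if anything was flagged, else 0.
audit_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"--ctstate NEW"*"-j ACCEPT"*) ;;   # only rules that open new connections
            *) continue ;;
        esac
        case "$line" in
            *"-A INPUT "*)
                case "$line" in                  # source-only match: forgeable from any interface
                    *" -i "*) ;;
                    *) echo "spoofable (no -i): $line"; found=1 ;;
                esac
                case "$line" in                  # tunnel accept with no port: every service exposed
                    *" -i $VPN_IF "*"--dport"*) ;;
                    *" -i $VPN_IF "*) echo "wide open (all services reachable via $VPN_IF): $line"; found=1 ;;
                esac ;;
            *"-A OUTPUT "*)
                case "$line" in                  # neither interface nor destination: traffic can bypass the tunnel
                    *" -o "*|*" -d "*) ;;
                    *) echo "leak (no -o or -d): $line"; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# Constructed iptables-save dump equivalent to the posted script (203.0.113.10
# stands in for the VPN server), used to demonstrate the audit offline.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | audit_rules
}

mode="${1:-show}"
if [ $# -gt 0 ]; then shift; fi
case "$mode" in
    show)  emit_rules "$@" ;;          # print the rules for review
    apply) emit_rules "$@" | sh -e ;;  # execute them (requires root)
    audit) audit_rules ;;              # e.g.: iptables-save | sh fw.sh audit
esac
```

Run with no arguments to print the rule set, `apply 22` as root to install it with SSH reachable over the tunnel, or pipe `iptables-save` into `audit` to check a live box; on the constructed dump of the posted rules the audit reports the source-only LAN rule and the port-less tun0 rule, and reports nothing on the rules this script emits. Pinning the LAN rule to the NIC is the part that matters once the tunnel no longer accepts everything, because otherwise a forged LAN source address arriving through tun0 would still be accepted.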
 
Old 08-09-2011, 09:07 PM   #2
corp769
Guru
 
Registered: Apr 2005
Posts: 5,798

Rep: Reputation: 978
Hello,

After looking through it, it looks pretty good! I do recommend that you fire up nmap, or another applicable program, and try scanning your computer from different resources and computers outside of your local network, even within your network, to do a security check of your configuration. When I built up my firewall, that is exactly what I did in order to get it just right. One more thing - Just because it looks good to me, doesn't mean that it is. We all have different networks, and different setups, so you should really test your network like I said to verify.

Cheers,

Josh
 
Old 08-10-2011, 07:19 AM   #3
dschuett
Member
 
Registered: Aug 2010
Posts: 38

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by corp769
Hello,

After looking through it, it looks pretty good! I do recommend that you fire up nmap, or another applicable program, and try scanning your computer from different resources and computers outside of your local network, even within your network, to do a security check of your configuration. When I built up my firewall, that is exactly what I did in order to get it just right. One more thing - Just because it looks good to me, doesn't mean that it is. We all have different networks, and different setups, so you should really test your network like I said to verify.

Cheers,

Josh
Thanks for the pointers. I will definitely do some NMAPing of that computer to see what I come up with!

Dana
 
Old 08-10-2011, 08:36 AM   #4
corp769
Guru
 
Registered: Apr 2005
Posts: 5,798

Rep: Reputation: 978
No problem. Let me know how the results turn out then.

Josh
 
Tags
filter, iptables, vpn