LinuxQuestions.org

Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/): Force all internet traffic through tun0 (Vpn Interface) (http://www.linuxquestions.org/questions/linux-security-4/force-all-internet-traffic-through-tun0-vpn-interface-896458/)

dschuett 08-09-2011 09:57 PM

Force all internet traffic through tun0 (Vpn Interface)
 
I am trying to configure iptables on one of my computers to ONLY be allowed to do the following:

1. The computer IS allowed to be accessed by other computers on the LOCAL network.

2. ALL internet traffic (IN and OUT) MUST use the tun0 (OpenVPN tunnel) interface.

3. ALL other traffic that doesn't apply to the above two rules MUST be DROPPED.

My iptables script seems to be working the way I want it to, but I wanted another set of eyes to see if they can catch any "security holes" I may be missing regarding the rules I described above. It is very important that this computer can only be allowed these specific rules.

I will take any suggestions that anyone may have.

Thanks for your time!

Code:

#!/bin/bash

# Set variables
IPT=/sbin/iptables
VPN=x.x.x.x          # public address of the OpenVPN server
LAN=192.168.0.0/24   # local network

# Flush rules (filter table only) and delete any user-defined chains
$IPT -F
$IPT -X

# Default policies: anything not explicitly accepted below is dropped
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# Allow input from LAN and tun0 ONLY
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # replies to connections this host opened
$IPT -A INPUT -i lo -j ACCEPT                                       # loopback
$IPT -A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT          # new connections arriving over the tunnel
$IPT -A INPUT -s $LAN -m conntrack --ctstate NEW -j ACCEPT          # new connections from a LAN source address (matched on any interface)
$IPT -A INPUT -j DROP

# Allow output from lo and tun0 ONLY
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  # replies to connections others opened to us
$IPT -A OUTPUT -o lo -j ACCEPT                                      # loopback
$IPT -A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT         # all new outbound traffic leaves through the tunnel
$IPT -A OUTPUT -d $VPN -m conntrack --ctstate NEW -j ACCEPT         # except the tunnel itself: the VPN server (any port, any interface)
$IPT -A OUTPUT -j DROP
exit 0
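
An added example, not the original poster's script: a hardened variant of the ruleset above that covers the points a reviewer would raise about it. The LAN accept is pinned to the physical interface (a source-address-only match also accepts a packet with a forged 192.168.0.x source arriving over tun0), the VPN endpoint rule is pinned to interface, protocol and port rather than "any port on that host", every table is flushed rather than just filter, dropped packets are logged, and ip6tables is configured, since iptables says nothing about IPv6 and a dual-stack LAN or ISP would otherwise route v6 traffic around the tunnel. The LAN interface name eth0, the server address 203.0.113.10 (a documentation-range placeholder) and UDP 1194 (OpenVPN's default) are assumptions; override them through the environment. DRY_RUN=1 prints the commands instead of running them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions (placeholders,
# override via the environment): the LAN interface is eth0, the OpenVPN
# server is 203.0.113.10 (RFC 5737 documentation address) and it listens on
# UDP 1194, OpenVPN's default port.
set -u

LAN_IF=${LAN_IF:-eth0}                  # assumed physical LAN interface
VPN_IF=${VPN_IF:-tun0}
LAN=${LAN:-192.168.0.0/24}
VPN_SERVER=${VPN_SERVER:-203.0.113.10}  # assumed endpoint; use the real one
VPN_PROTO=${VPN_PROTO:-udp}             # assumed OpenVPN default
VPN_PORT=${VPN_PORT:-1194}              # assumed OpenVPN default
DRY_RUN=${DRY_RUN:-0}

# With DRY_RUN=1 the commands are printed instead of executed, so the ruleset
# can be reviewed (or tested) without root and without touching the box.
ipt()  { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*";  else iptables "$@";  fi; }
ip6t() { if [ "$DRY_RUN" = 1 ]; then echo "ip6tables $*"; else ip6tables "$@"; fi; }

apply_rules() {
  # Flush every table: a leftover nat or mangle rule could still steer traffic.
  for t in filter nat mangle raw; do ipt -t "$t" -F; ipt -t "$t" -X; done
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP

  ipt -A INPUT  -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  # Drop conntrack INVALID packets before the ESTABLISHED shortcut.
  ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP
  ipt -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # LAN hosts may open connections to this machine, but only if the packet
  # really arrived on the LAN interface. Matching on the source address alone
  # also accepts a packet with a forged 192.168.0.x source arriving via tun0.
  ipt -A INPUT -i "$LAN_IF" -s "$LAN" -m conntrack --ctstate NEW -j ACCEPT

  # Inbound connections over the tunnel, as in the original ruleset.
  ipt -A INPUT -i "$VPN_IF" -m conntrack --ctstate NEW -j ACCEPT

  # The only new connection allowed to leave the physical interface is the
  # tunnel itself, pinned to interface, peer address, protocol and port. A bare
  # "-d $VPN_SERVER" rule would let any program reach that host on any port.
  ipt -A OUTPUT -o "$LAN_IF" -d "$VPN_SERVER" -p "$VPN_PROTO" --dport "$VPN_PORT" \
      -m conntrack --ctstate NEW -j ACCEPT
  # Everything else must go out through the tunnel (DNS included: a resolver
  # on the LAN router is unreachable under this policy, so use one pushed by
  # or reachable through the VPN).
  ipt -A OUTPUT -o "$VPN_IF" -m conntrack --ctstate NEW -j ACCEPT

  # Rate-limited logging of what the DROP policy is about to eat: the first
  # thing to look at when a leak test or a LAN service "does not work".
  ipt -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "KS-IN: "
  ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "KS-OUT: "

  # iptables controls IPv4 only. On a dual-stack LAN or ISP, IPv6 would walk
  # around the tunnel unless ip6tables drops it too. This blocks IPv6 entirely;
  # add ICMPv6/link-local rules if the LAN itself relies on IPv6.
  ip6t -F; ip6t -X
  ip6t -P INPUT DROP; ip6t -P FORWARD DROP; ip6t -P OUTPUT DROP
  ip6t -A INPUT  -i lo -j ACCEPT
  ip6t -A OUTPUT -o lo -j ACCEPT
}

# Sanity check on the generated ruleset: the invariants a reviewer would look
# for. Prints "ok" and returns 0 when all of them hold.
check_rules() {
  rules=$(DRY_RUN=1; apply_rules)
  for want in \
      "^iptables -P OUTPUT DROP$" \
      "^iptables -A INPUT -i $LAN_IF -s $LAN " \
      "^iptables -A OUTPUT -o $LAN_IF -d $VPN_SERVER -p $VPN_PROTO --dport $VPN_PORT " \
      "^ip6tables -P OUTPUT DROP$"; do
    printf '%s\n' "$rules" | grep -q -- "$want" || { echo "missing: $want"; return 1; }
  done
  # The weak forms must be absent: an unpinned LAN accept or a bare VPN-host accept.
  printf '%s\n' "$rules" | grep -q -- "^iptables -A INPUT -s " && return 1
  printf '%s\n' "$rules" | grep -q -- "^iptables -A OUTPUT -d " && return 1
  echo ok
}

# Usage: DRY_RUN=1 sh killswitch.sh      -> print the rules
#        sh killswitch.sh --check        -> verify the invariants
#        sudo sh killswitch.sh --apply   -> install them (needs root)
case "${1:-}" in
  --apply) apply_rules ;;
  --check) check_rules ;;
  *)       DRY_RUN=1; apply_rules ;;
esac
```

After applying it for real, confirm the intent with `iptables -S` and `ip6tables -S`, then try to reach the internet with the tunnel down (`ip link set tun0 down`): every attempt should fail and show up in the kernel log with the KS-OUT prefix, while a LAN host can still connect in.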


corp769 08-09-2011 10:01 PM

Hello,

Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread should be closed because it is a duplicate of: https://www.linuxquestions.org/quest...erface-896457/

Cheers,

Josh

win32sux 08-10-2011 01:24 AM

Quote:

Originally Posted by corp769 (Post 4438318)
Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place.

Agreed. Closed.

