LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-02-2013, 09:42 AM   #1
MechaMorph
LQ Newbie
 
Registered: Feb 2013
Posts: 6

Rep: Reputation: Disabled
iptables: How do you stop some applications from accessing Internet when using VPN?


Greetings. This being my first post I hope it's a good one.

I have a firewall application for Android that uses iptables/ip6tables to help users manage their data and protect themselves from apps that probably have too many permissions (why those get installed to begin with is a different issue). It is built from the original GPLv3 application Droidwall.

I want to have more robust VPN support in the app but I'm having issues with the necessary iptables rules. iptables 1.4.10 or greater is used depending on the Android version (2.2 and up).

The way the app works is this. A number of chains are created.
droidwall
droidwall-3g
droidwall-wifi
droidwall-reject

droidwall is added to the OUTPUT chain.
iptables -A OUTPUT -j droidwall
iptables -I OUTPUT 1 -j droidwall

DNS port needs to be added otherwise lookups take a year on Android 3.x or greater.
iptables -A droidwall -m owner --uid-owner 0 -p udp --dport 53 -j RETURN

The WiFi and Cellular radio interface names are then added to their respective chains.
For example for my Galaxy Nexus:
iptables -A droidwall -o rmnet1+ -j droidwall-3g
iptables -A droidwall -o wlan0+ -j droidwall-wifi

Apps are then granted or denied access by users selecting them from a list.
The apps are inserted by the following:
iptables -I droidwall-3g -m owner --uid-owner <app uid> -j RETURN
iptables -I droidwall-3g -m owner --uid-owner <app uid> -j droidwall-reject

What I want is to add a third option allowing VPN access to only those apps which are allowed. As a test I added another chain called droidwall-vpn. I added two interfaces to that chain, tun+ and tun0+, and then granted/denied application access the same way as above. While that allowed the VPN to function it also allowed ANY application to get data from the VPN. Even applications in droidwall-reject could still access the VPN data stream.

What do I have to do in order to make apps without access to tun+/tun0+ unable to access the VPN data stream?

Any help would be greatly appreciated! Thanks in advance!
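A model of how iptables walks the chains described above, added here as an example (it is not code from this thread or from Droidwall). It assumes an OUTPUT policy of ACCEPT, assumes droidwall-3g and droidwall-wifi end in a catch-all jump to droidwall-reject, and uses constructed UIDs (10050 allowed, 10060 denied, 10099 never selected). It shows the two chain semantics that decide what an unselected app gets on tun+: a user chain with no terminal rule hands the packet back to its caller until the built-in policy applies, and -I places the newest rule first, so the most recent insert for a UID wins.

```python
# Added example (not from the thread or from Droidwall): a small model of how
# iptables walks the OUTPUT chain, used to reason about the droidwall chain
# layout described in the post. Interface names, UIDs and the allow/deny lists
# below are constructed; the app's real rule set is not on the page.
from dataclasses import dataclass
from typing import Optional

BUILTIN = {"ACCEPT", "REJECT", "RETURN"}

@dataclass
class Rule:
    target: str                    # ACCEPT, REJECT, RETURN or a user chain name
    out_if: Optional[str] = None   # -o wlan0+ : a trailing '+' is a prefix match
    uid: Optional[int] = None      # -m owner --uid-owner
    proto: Optional[str] = None    # -p udp / -p tcp
    dport: Optional[int] = None    # --dport

    def matches(self, pkt: dict) -> bool:
        if self.out_if is not None:
            if self.out_if.endswith("+"):
                if not pkt["out_if"].startswith(self.out_if[:-1]):
                    return False
            elif pkt["out_if"] != self.out_if:
                return False
        if self.uid is not None and pkt["uid"] != self.uid:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        return self.dport is None or pkt["dport"] == self.dport

class Table:
    """Filter table with a built-in OUTPUT chain; policy ACCEPT is assumed."""

    def __init__(self, policy="ACCEPT"):
        self.chains, self.policy = {"OUTPUT": []}, policy

    def append(self, chain, rule):         # iptables -A chain ...
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain, rule, pos=1):  # iptables -I chain [pos] ...
        self.chains.setdefault(chain, []).insert(pos - 1, rule)

    def _walk(self, chain, pkt):
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target == "RETURN":
                return None                 # hand the packet back to the caller
            if rule.target in BUILTIN:
                return rule.target          # terminal verdict
            verdict = self._walk(rule.target, pkt)   # jump into a user chain
            if verdict is not None:
                return verdict
        return None   # end of chain: implicit RETURN to the calling chain

    def verdict(self, pkt):
        # A packet that no rule decides ends up with the built-in policy.
        return self._walk("OUTPUT", pkt) or self.policy

def build_droidwall(vpn_catch_all, allowed, denied):
    """Chain layout from the post plus a droidwall-vpn chain. allowed/denied map
    "3g"/"wifi"/"vpn" to selected UIDs. A trailing catch-all reject is assumed
    for droidwall-3g/-wifi; vpn_catch_all decides whether droidwall-vpn gets one."""
    t = Table()
    t.insert("OUTPUT", Rule("droidwall"))                  # -I OUTPUT 1 -j droidwall
    t.append("droidwall-reject", Rule("REJECT"))
    t.append("droidwall", Rule("RETURN", uid=0, proto="udp", dport=53))  # root DNS
    t.append("droidwall", Rule("droidwall-3g", out_if="rmnet1+"))
    t.append("droidwall", Rule("droidwall-wifi", out_if="wlan0+"))
    t.append("droidwall", Rule("droidwall-vpn", out_if="tun+"))
    for name in ("3g", "wifi", "vpn"):
        chain = "droidwall-" + name
        for uid in allowed.get(name, ()):   # -I chain -m owner --uid-owner U -j RETURN
            t.insert(chain, Rule("RETURN", uid=uid))
        for uid in denied.get(name, ()):    # -I chain -m owner --uid-owner U -j droidwall-reject
            t.insert(chain, Rule("droidwall-reject", uid=uid))
        if vpn_catch_all or name != "vpn":
            t.append(chain, Rule("droidwall-reject"))  # unlisted UIDs stop here
    return t

def pkt(uid, out_if, proto="tcp", dport=443):
    return {"uid": uid, "out_if": out_if, "proto": proto, "dport": dport}

ALLOWED = {"3g": [10050], "wifi": [10050], "vpn": [10050]}   # constructed app UIDs
DENIED = {"3g": [10060], "wifi": [10060], "vpn": [10060]}

def demo():
    leaky = build_droidwall(False, ALLOWED, DENIED)
    strict = build_droidwall(True, ALLOWED, DENIED)
    unlisted = pkt(10099, "tun0")        # an app never selected for the VPN
    out = {
        "allowed_app_vpn": strict.verdict(pkt(10050, "tun0")),
        "denied_app_vpn": strict.verdict(pkt(10060, "tun0")),
        "unlisted_no_catch_all": leaky.verdict(unlisted),   # walks off every chain
        "unlisted_catch_all": strict.verdict(unlisted),
        "root_dns_wifi": strict.verdict(pkt(0, "wlan0", "udp", 53)),
    }
    # -I puts the newest rule first, so a later allow for a denied UID wins.
    strict.insert("droidwall-vpn", Rule("RETURN", uid=10060))
    out["denied_then_allowed_later"] = strict.verdict(pkt(10060, "tun0"))
    return out
```

Calling demo() gives ACCEPT for the unselected app when droidwall-vpn has no catch-all and REJECT once the chain ends in a jump to droidwall-reject; the model does not claim this is the only way the symptom in the post can arise, only that a chain without a terminal rule cannot deny anything on its own.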
 
Old 02-04-2013, 09:58 AM   #2
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,401

Rep: Reputation: 1119
If my dim memory serves, iptables doesn't affect what you can connect to on the remote side of a VPN tunnel: it only sees the encrypted traffic flowing through the tunnel and can't decode it.

I seem to recall that you must configure the VPN tunnel to specify exactly which ports are available on the other side. The task of choosing what traffic is and is not permitted to flow through the tunnel (and/or to be respected if it does flow through) is the VPN's bailiwick.
 
Old 02-15-2013, 03:31 AM   #3
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 602

Rep: Reputation: 49
Hi MechaMorph and welcome to LQ,

Is it possible to paste your whole iptables setup? There might be a rule that slipped in and is causing the undesired behavior, but without having a look at all the rules I can't tell.

R.
 
Old 02-17-2013, 02:06 PM   #4
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115
As long as it can identify the app ID and which destination IPs go to the VPN, rules can be made to decide what is denied or permitted based on those combinations. You can also use the destination IP address to break it down to specific remote hosts, or likewise for port numbers. But this could end up being a rather large iptables rule set.
 
  

