LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-27-2011, 06:11 PM   #1
jaiya
LQ Newbie
 
Registered: May 2011
Location: UK
Distribution: Slackware 13.37
Posts: 6

iptables - only allow connections through vpn


Hi, I use a PPTP VPN (see future post about how to make L2TP/IPsec work) and it doesn't stay connected very well (see future post for how to make the VPN auto-reconnect). I'd like to make iptables drop all packets that are not coming through the VPN.

I tried -A OUTPUT -s 10.0.0.180 -j DROP, but then I couldn't even 'dial' the VPN. Then I tried -A OUTPUT -j LOG and realized I know very little about how it actually works... Please help.
 
Old 06-27-2011, 08:30 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

You really need to understand how both iptables and a VPN work. As far as iptables goes, I would highly recommend one of the many tutorials on it. Here is one that I know to be reputable: http://bodhizazen.net/Tutorials/iptables

In essence your -A OUTPUT -s 10.0.0.180 -j DROP rule is the opposite of what you want. In effect you are saying to drop all traffic that is outbound from the interface and that originated at 10.0.0.180, and I doubt that this is what you want. Instead you want to configure a set of policy rules for your input and output tables based upon your design. With a VPN this gets more complicated because you also need to involve the routing table. The routing table determines which interface handles the traffic, and this in turn will be filtered in iptables. A problem you may face with this approach is that the VPN uses a virtual interface, either a TUN or TAP adapter, that is a logical construct on top of your physical interface such as eth0. So, in essence, you can't restrict the traffic from the physical interface and get it to flow via the VPN.
 
Old 06-28-2011, 10:20 AM   #3
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

You could try the following.

Let's say your VPN is using port 10000, the destination is 1.2.3.4 and the interface is tun0:

Code:
iptbales -OUTPUT -i tun0 -j ACCEPT
iptables -OUTPUT -d 1.2.3.4 --dport 10000 -j ACCEPT
iptbales -OUTPUT -j DROP
This should allow you to bring up the VPN and then only allow traffic that is to pass over the VPN.
 
Old 06-29-2011, 04:22 PM   #4
jaiya
LQ Newbie
 
Registered: May 2011
Location: UK
Distribution: Slackware 13.37
Posts: 6

@Noway2 - thanks, I've started reading that.

@lazydog - thanks, but it says -i can't be used with OUTPUT.

The interface it uses is ppp0... More info coming soon; I'm still learning to read -j LOG.
 
Old 06-30-2011, 06:55 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

There is a typo in lazydog's rules (flagged -OUTPUT, and -i should have been replaced with -o). They should probably look something like:


Code:
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -d 1.2.3.4 -p tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -j DROP

Though I'm not so sure the second rule is needed since the first rule will route any traffic on tun0, which presumably is your VPN interface.

Quote:
Originally Posted by jaiya
The interface it uses is ppp0... More info coming soon I'm still learning to read -j LOG
Your main interface may be ppp0, but the VPN interface is likely to be something else that is run through ppp0.

Old 06-30-2011, 07:29 AM   #6
jaiya
LQ Newbie
 
Registered: May 2011
Location: UK
Distribution: Slackware 13.37
Posts: 6

I thought my main interface was eth0; ppp0 only appears when I connect to the VPN.
 
Old 06-30-2011, 08:38 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

I am still thinking that the iptables rules above will only ALLOW traffic to flow through the desired interface but that they won't CAUSE it to flow through the interface; causing and permitting are separate concepts. I still think you will need either a modification to your routing table, as is typically employed by tools such as OpenVPN, or a masquerade or other NAT statement(s) in iptables.
 
Old 07-02-2011, 01:13 AM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by Hangdog42
There is a typo in lazydog's rules (flagged -OUTPUT, and -i should have been replaced with -o). They should probably look something like:
Yes, it was a typo, my mistake. Sorry.


Quote:
Code:
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -d 1.2.3.4 -p tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -j DROP

Though I'm not so sure the second rule is needed since the first rule will route any traffic on tun0, which presumably is your VPN interface.
The second rule is to allow the bringing up of the VPN. The OP was looking to drop everything outbound except the VPN connection. You will need to allow for the build-up of the VPN so that that connection is not dropped.
 
Old 07-02-2011, 01:17 AM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by Noway2
I am still thinking that the Iptables rules above will only ALLOW traffic to flow through the desired interface but that it won't CAUSE it to flow through the interface; the conditions of cause and permitting being separate concepts. I still think you will need either a modification to your routing table, as is typically employed by tools such as OpenVPN or a masquerade or other NAT statement(s) in iptables.
The routing table will most likely still require the proper information to ensure the traffic is flowing through the proper interface. I would be interested in knowing what the routing table looks like before and after the VPN is brought up, and also what the other side's IP address is on the inside. Only with this information would we be able to tell what is really needed. I assume the OP knows what he is doing, just not how to go about it.
 
Old 07-02-2011, 07:09 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally Posted by lazydog
The second rule is to allow the bringing up of the VPN. The OP was looking to drop everything outbound except the VPN connection. You will need to allow for the build-up of the VPN so that that connection is not dropped.
Maybe I'm not thinking about this correctly, but if the VPN traffic is running exclusively over the tun device, the second rule will never get used because all the traffic will be handled by the preceding rule.

In other words, the request to establish a VPN connection initially comes in over something other than tun0, but the response should go out on tun0, in which case the first rule will handle it. However, I'm certainly not a VPN expert, so am I misunderstanding how this works?
 
Old 07-02-2011, 11:30 PM   #11
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by Hangdog42
Maybe I'm not thinking about this correctly, but if the VPN traffic is running exclusively over the tun device, the second rule will never get used because all the traffic will be handled by the preceding rule.

In other words, the request to establish a VPN connection initially comes in over something other than tun0, but the response should go out on tun0, in which case the first rule will handle it. However, I'm certainly not a VPN expert, so am I misunderstanding how this works?
The connection is first established, then the tunnel is built. If the OP wanted to drop all traffic except the tunnel traffic, the original connection to build the tunnel would not be created, because all traffic other than the tunnel traffic is dropped. Thus you need that one rule to allow for the creation of the connection to build the tunnel.
 
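Pulling the thread together as an added example (my own script, not code from any of the posters): it emits an iptables-restore ruleset for the OP's PPTP setup (tunnel interface ppp0 built over eth0) that includes the tunnel-building exception lazydog describes, plus a small helper for checking Noway2's routing point. The interface names and the VPN server address are assumptions; 203.0.113.10 is a documentation placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an outbound "kill switch":
# only traffic leaving the VPN interface, or the traffic that builds the
# tunnel itself, may leave the box. Override the defaults via environment.
VPN_IF="${VPN_IF:-ppp0}"                  # assumed: OP's tunnel interface
WAN_IF="${WAN_IF:-eth0}"                  # assumed: physical uplink
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # placeholder, TEST-NET-3 address

# PPTP needs TCP/1723 for the control channel and GRE (IP protocol 47)
# for the data channel; both are allowed only towards the VPN server.
killswitch_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to flows we already opened
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything already going out through the tunnel is fine
-A OUTPUT -o $VPN_IF -j ACCEPT
# lazydog's "second rule": the connection that brings the tunnel up
-A OUTPUT -o $WAN_IF -d $VPN_SERVER -p tcp --dport 1723 -j ACCEPT
-A OUTPUT -o $WAN_IF -d $VPN_SERVER -p gre -j ACCEPT
# everything else on the physical interface is logged (rate limited), then dropped
-A OUTPUT -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "KILLSWITCH DROP: "
-A OUTPUT -o $WAN_IF -j DROP
COMMIT
EOF
}

# Noway2's point: the filter only permits, it does not steer traffic. Feed
# `ip route show default` to this function to see which device carries the
# default route; it should be the tunnel interface once the VPN is up.
default_route_dev() {
  awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Apply as root with:  killswitch_rules | iptables-restore
# Check the route with: ip route show default | default_route_dev
```

The LOG line is what makes "-j LOG" readable: every packet the kill switch refuses shows up in the kernel log with the KILLSWITCH prefix, so a VPN drop-out is visible immediately.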
Old 07-03-2011, 08:00 AM   #12
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Thanks lazydog, I get it now.
 