Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, I use a PPTP VPN (see future post about how to make L2TP/IPsec work) and it doesn't stay connected very well (see future post for how to make the VPN auto-reconnect). I'd like to make iptables drop all packets that are not coming through the VPN.
I tried -A OUTPUT -s 10.0.0.180 -j DROP, but then I couldn't even 'dial' the VPN. Then I tried -A OUTPUT -j LOG and realized I know very little about how it actually works... Please help.
You really need to understand both how iptables and a VPN work. As far as iptables goes, I would highly recommend one of the many tutorials on it. Here is one that I know to be reputable: http://bodhizazen.net/Tutorials/iptables
In essence your -A OUTPUT -s 10.0.0.180 -j DROP rule is backwards of what you want. In effect you are saying to drop all outbound traffic that originated at 10.0.0.180, and I doubt that this is what you want. Instead you want to configure a set of policy rules for your input and output chains based upon your design. With a VPN this gets more complicated because you also need to involve the routing table. The routing table determines which interface handles the traffic, and this in turn will be filtered in iptables. A problem you may face with this approach is that the VPN uses a virtual interface, either a TUN or TAP adapter, that is a logical construct on top of your physical interface such as eth0. So in essence, you can't restrict the traffic from the physical interface and get it to flow via the VPN.
I am still thinking that the iptables rules above will only ALLOW traffic to flow through the desired interface but that they won't CAUSE it to flow through the interface; causing and permitting being separate concepts. I still think you will need either a modification to your routing table, as is typically employed by tools such as OpenVPN, or a masquerade or other NAT statement(s) in iptables.
There is a typo in lazydog's rules (flagged -OUTPUT, and -i should have been replaced with -o). They should probably look something like:
Yes, it was a typo, my mistake. Sorry.
Code:
# accept anything already going out through the tunnel interface
iptables -A OUTPUT -o tun0 -j ACCEPT
# accept the connection to the VPN endpoint so the tunnel can be brought up
# (--dport needs a -p tcp or -p udp match; 1.2.3.4 and 10000 are placeholders)
iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 10000 -j ACCEPT
# drop everything else
iptables -A OUTPUT -j DROP
Though I'm not so sure the second rule is needed since the first rule will route any traffic on tun0, which presumably is your VPN interface.
The second rule is to allow the bringing up of the VPN. OP was looking to drop everything outbound except the VPN connection. You will need to allow for the buildup of the VPN so that that connection is not dropped.
The routing table will most likely still require the proper information to ensure the traffic is flowing through the proper interface. I would be interested in knowing what the routing table looks like before and after the VPN is brought up, and also what the other side's IP address is on the inside. Only with this information would we be able to tell what is really needed. I assume the OP knows what he is doing, just not how to go about it.
Maybe I'm not thinking about this correctly, but if the VPN traffic is running exclusively over the tun device, the second rule will never get used because all the traffic will be handled by the preceding rule.
In other words, the request to establish a VPN connection initially comes in over something other than tun0, but the response should go out on tun0, in which case the first rule will handle it. However, I'm certainly not a VPN expert, so am I misunderstanding how this works?
The connection is first established, then the tunnel is built. If the OP wanted to drop all traffic except the tunnel traffic, the original connection to build the tunnel would not be created, because all traffic other than the tunnel traffic is dropped. Thus you need that one rule to allow for the creation of the connection that builds the tunnel.
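As an added example (not code from this thread), the OUTPUT chain discussed above modelled as a first-match rule list: it renders the iptables commands and walks sample packets through the chain to show that tunnel traffic passes, the dial-up to the VPN endpoint passes, and everything else on the physical interface is dropped. The endpoint 1.2.3.4, the interface names and the PPTP ports (TCP 1723 plus GRE, which PPTP uses for its data channel) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

VPN_SERVER = "1.2.3.4"  # constructed placeholder, as in the thread's rules
VPN_IF = "tun0"         # assumed tunnel interface (a PPTP link is usually ppp0)
PPTP_PORT = 1723        # PPTP control channel; the data channel is GRE


@dataclass
class Rule:
    target: str
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # Every criterion the rule sets must agree with the packet; unset = wildcard.
        for field in ("out_if", "proto", "dst", "dport"):
            want = getattr(self, field)
            if want is not None and pkt.get(field) != want:
                return False
        return True

    def to_iptables(self) -> str:
        parts = ["iptables", "-A", "OUTPUT"]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dst:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]  # valid only with -p tcp/udp
        return " ".join(parts + ["-j", self.target])


# Order matters: iptables stops at the first matching rule.
KILL_SWITCH: List[Rule] = [
    Rule("ACCEPT", out_if="lo"),                                   # local traffic
    Rule("ACCEPT", out_if=VPN_IF),                                 # already inside the tunnel
    Rule("ACCEPT", proto="tcp", dst=VPN_SERVER, dport=PPTP_PORT),  # lets the VPN dial
    Rule("ACCEPT", proto="gre", dst=VPN_SERVER),                   # PPTP data channel
    Rule("DROP"),                                                  # everything else
]


def verdict(pkt: dict, chain: List[Rule] = KILL_SWITCH) -> str:
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "ACCEPT"  # chain policy assumed ACCEPT; the final DROP rule makes it moot


def render(chain: List[Rule] = KILL_SWITCH) -> List[str]:
    return [r.to_iptables() for r in chain]
```

Dropping the dial rule from the list (the case the thread argues about) makes the 1723 packet hit the final DROP, which is exactly why the tunnel could never come up.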