LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 03-26-2015, 10:34 PM   #1
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

VPN iptables


Linux Mint 17
My goal is to have an iptables OUTPUT rule so that I only send traffic out through a VPN.

I attempted this suggestion but it didn't seem to work. Traffic is completely dropped. (It occurs to me that if eth0 is blocked, how can tun0 work?)

Despite my connection to the VPN and ip locator sites reporting a different ip, it seems traffic is being sent over eth0 and not tun0.

Code:
-P OUTPUT DROP
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
This doesn't work and I lose my connection to the web.

Is there a better way of doing this? I'd prefer not hard coding in a ip since it will change.
 
Old 03-27-2015, 03:32 AM   #2
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,868

I only have a basic working knowledge of iptables, so no complete answer from me, but I would have expected to see a post routing rule similar to
Code:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
and maybe drop all traffic with destination addresses other than the VPN server on the eth0 interface (just in case the VPN disconnects, for example).
Code:
iptables -A OUTPUT -o eth0 ! -d <IP address of VPN server> -j DROP
 
Old 03-27-2015, 10:49 AM   #3
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
What is the output of

Code:
netstat -n
Look to ensure your routing table has an entry for tun0.

If traffic is not being routed to tun0 or 192.168.1.*, then it will be dropped.
 
Old 03-28-2015, 07:07 PM   #4
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Original Poster
Quote:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
I'm not sure how this would apply? Isn't masquerade meant for routers? My computer sends encrypted traffic to the VPN, which then routes it out.

Quote:
iptables -A OUTPUT -o eth0 ! -d <IP address of VPN server> -j DROP
This is a possibility, but my address changes every time I connect to it. The other possibility is to do the whole IP range of the server, but I'm not sure how to get that info.

Quote:
What is the output of netstat -n
I don't see anything relevant to tun0 (or eth0)
By routing table, you mean iptables?
I presume this command sets the entry for tun0
Code:
iptables -A OUTPUT -o tun0 -j ACCEPT
Here's the output. None of the foreign or local addresses match my vpn server at the time I took it.
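The ruleset sketched in #2 (allow tun0, and allow eth0 only towards the VPN server) is the right shape. The reason the ruleset in #1 kills the connection is that the encrypted tunnel packets themselves leave via eth0 (the host route to the VPN server in the routing table posted later in the thread shows this), so a blanket DROP on eth0 also drops the tunnel. The MASQUERADE rule is not needed on a client that does not forward traffic for other hosts. The script below is an added example, not code posted in the thread: it generates the OUTPUT rules from a server address supplied at connect time rather than a hard-coded one, which is one answer to the changing-address problem raised in #4. The interface names eth0/tun0 and the LAN 192.168.1.0/24 are taken from the thread; the OpenVPN --up environment variables (trusted_ip, trusted_port, proto_1) are an assumption, since the thread does not say which VPN client is in use.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables "kill switch" that lets eth0
# carry only the encrypted tunnel packets (to the VPN server itself) and LAN
# traffic; everything else must leave via tun0 or is dropped.
# Assumptions: eth0/tun0 and 192.168.1.0/24 as in the thread; the VPN server
# address is passed in at connect time (or arrives resolved in the OpenVPN
# --up script environment as trusted_ip/trusted_port/proto_1).
set -eu

WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print (do not run) the rules for the OUTPUT chain.
#   $1 = VPN server IPv4 address, $2 = VPN server port, $3 = udp | tcp
# The policy is set to DROP *before* the flush so the chain fails closed
# even in the instant between flushing and re-adding the ACCEPT rules.
# The LOG rule records anything that would have leaked, for later review.
# The ip6tables lines fail closed for IPv6 too (loopback excepted), which is
# the classic leak path when the VPN carries only IPv4; adjust if yours
# tunnels IPv6 as well.
build_rules() {
    vpn_ip=$1; vpn_port=$2; proto=$3
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p $proto -d $vpn_ip --dport $vpn_port -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "vpn-leak: "
ip6tables -P OUTPUT DROP
ip6tables -F OUTPUT
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# Apply the generated rules (needs root).
apply_rules() {
    build_rules "$1" "$2" "$3" | sh -e
}

# Usage:
#   sh killswitch.sh show  <vpn-ip> <port> <udp|tcp>   # print the rules
#   sh killswitch.sh apply <vpn-ip> <port> <udp|tcp>   # install them
# or as an OpenVPN --up script (assumed environment: trusted_ip, trusted_port,
# proto_1), where the server address arrives already resolved.
case "${1:-}" in
    show)  build_rules "${2:?vpn ip}" "${3:?port}" "${4:?proto}" ;;
    apply) apply_rules "${2:?vpn ip}" "${3:?port}" "${4:?proto}" ;;
    *)
        if [ -n "${trusted_ip:-}" ]; then
            p=${proto_1:-udp}
            apply_rules "$trusted_ip" "${trusted_port:-1194}" "${p%%-*}"
        fi ;;
esac
```

Run it with `show` first to inspect the rules, then `apply` as root. With OpenVPN, `up /path/killswitch.sh` together with `script-security 2` re-applies the rules with the freshly resolved server address on every connect. Two caveats a practitioner should keep in mind. First, resolving the server name happens before the tunnel exists, so DNS must go to a resolver reachable under these rules; the LAN router at 192.168.1.1 in the thread's setup qualifies, an external resolver would not. Second, the rules deliberately persist after a disconnect (that is the kill switch), which means a reconnect to a server with a different address is itself blocked until the rules are re-applied; if the provider's address changes between sessions, either re-run `apply` with the new address before reconnecting or widen the eth0 rule to the VPN port without `-d` and accept the weaker check. Only OUTPUT is filtered here; if the INPUT policy is also DROP, matching rules are needed there.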
 
Old 03-28-2015, 08:22 PM   #5
MQMan
Member
 
Registered: Jan 2004
Location: Los Angeles
Distribution: Slack64 14.1
Posts: 581

Quote:
Originally Posted by Sefyir View Post
Here's the output. None of the foreign or local addresses match my vpn server at the time I took it.
I wouldn't expect them to. netstat shows you have connections from your machine to Yahoo.com (206.190.36.34), canonical.com (91.189.94.25), hostirian.com (209.126.71.233), and others.

Is the local address the IP of tun0? I'm guessing it is, in which case all those connections were made via the VPN.

Cheers.
 
Old 03-29-2015, 11:24 AM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
My mistake, I meant to say:

Code:
route -n
This will show you your routing table.
Here you can ensure that everything is being routed as expected.
 
Old 03-29-2015, 06:02 PM   #7
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Original Poster
Quote:
Originally Posted by lazydog View Post
My mistake, I meant to say:

Code:
route -n
This will show you your routing table.
Here you can ensure that everything is being routed as expected.
Oh - route -n's output makes more sense.

It appears that eth0 is used to connect to the VPN and everything else is then tunnelled through tun0.
Very useful command!
 
Old 03-29-2015, 06:43 PM   #8
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,868

It would have been useful to post the output so that we see what you see.
 
Old 03-29-2015, 06:54 PM   #9
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Original Poster
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.161.1.5      0.0.0.0         UG    0      0        0 tun0
10.161.1.1      10.161.1.5      255.255.255.255 UGH   0      0        0 tun0
10.161.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
vpn-ip-address  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
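A check for the routing-table shape shown above, following the `route -n` advice in #6, as an added example rather than anything posted in the thread: it parses `route -n` output and fails unless the default route is on tun0 and eth0 carries only the LAN and a single /32 host route to the VPN server, which is exactly the table in #9. The sample tables inside the script are constructed; 203.0.113.10 stands in for the redacted vpn-ip-address.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a "route -n" table has the
# shape of the one posted in #9 (default route via tun0, eth0 used only for
# the LAN and the /32 to the VPN server). Run after connecting, and from a
# timer, to notice when the VPN drops and the default route falls back to eth0.
# Assumptions: eth0/tun0 and 192.168.1.0/24 as in the thread; the server
# address 203.0.113.10 in the constructed samples replaces "vpn-ip-address".
set -eu

WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Read a "route -n" table on stdin; $1 = VPN server IPv4 address.
# Exit 0 if the table is consistent with "everything via tun0 except the
# tunnel itself"; otherwise print each problem and exit 1.
check_routes() {
    awk -v tun="$TUN_IF" -v wan="$WAN_IF" -v vpn="$1" -v lan="${LAN_NET%/*}" '
        NR <= 2 { next }        # "Kernel IP routing table" line plus column header
        NF < 8  { next }        # anything that is not a full route row
        $1 == "0.0.0.0" && $3 == "0.0.0.0" {
            seen_default = 1
            if ($8 != tun) { print "FAIL: default route via " $8 ", expected " tun; nbad++ }
        }
        $8 == wan {
            if ($3 == "255.255.255.255" && $1 == vpn) next   # host route to the tunnel endpoint
            if ($1 == lan) next                              # the local LAN itself
            print "FAIL: unexpected route via " wan ": " $1 "/" $3; nbad++
        }
        END {
            if (!seen_default) { print "FAIL: no default route at all"; nbad++ }
            exit nbad ? 1 : 0
        }'
}

# Constructed sample mirroring the table in #9, with the server address filled in.
SAMPLE_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.161.1.5      0.0.0.0         UG    0      0        0 tun0
10.161.1.1      10.161.1.5      255.255.255.255 UGH   0      0        0 tun0
10.161.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0'

# Constructed sample of the table after the VPN drops: default route back on eth0.
SAMPLE_LEAK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0'

# Usage: sh check_routes.sh live <vpn-ip>   checks the running system.
# Any other invocation only defines check_routes and the samples.
if [ "${1:-}" = "live" ]; then
    route -n | check_routes "${2:?vpn ip}"
fi
```

`route -n` comes from net-tools, which newer distributions no longer install by default; `ip route` prints the same information in a different layout, so the column positions in the awk program apply only to the net-tools format. A clean table is necessary but not sufficient: without OUTPUT rules enforcing it, a VPN drop that removes the tun0 default route leaves the eth0 default route in place (the second sample) and traffic flows in the clear until someone notices.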
 
  


All times are GMT -5. The time now is 06:02 PM.
