08-09-2011, 09:55 PM #1
Member | Registered: Aug 2010 | Posts: 40
Force all internet traffic through tun0 (Vpn Interface)
I am trying to configure iptables on one of my computers to ONLY be allowed to do the following:
1. The computer IS allowed to be accessed by other computers on the LOCAL network.
2. ALL internet traffic (IN and OUT) MUST use the tun0 (OpenVPN tunnel) interface.
3. ALL other traffic that doesn't apply to the above two rules MUST be DROPPED.
My iptables script seems to be working the way I want it to, but I wanted another set of eyes to see if they can catch any "security holes" I may be missing regarding the rules I described above. It is very important that this computer can only be allowed these specific rules.
I will take any suggestions that anyone may have.
Thanks for your time!
Code:
#!/bin/bash
# Set variables
IPT=/sbin/iptables
VPN=x.x.x.x            # OpenVPN server address (the tunnel endpoint)
LAN=192.168.0.0/24     # local network
# Flush all rules and delete user-defined chains in the filter table
$IPT -F
$IPT -X
# Default policies: drop anything not explicitly accepted below
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
# Allow input from LAN and tun0 ONLY
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # replies to already permitted connections
$IPT -A INPUT -i lo -j ACCEPT                                        # loopback
$IPT -A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT           # new connections arriving through the VPN
$IPT -A INPUT -s $LAN -m conntrack --ctstate NEW -j ACCEPT           # new connections from LAN addresses (any interface)
$IPT -A INPUT -j DROP                                                # explicit drop, same effect as the policy
# Allow output from lo and tun0 ONLY
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  # replies to already permitted connections
$IPT -A OUTPUT -o lo -j ACCEPT                                       # loopback
$IPT -A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT          # all new outbound traffic goes through the tunnel
$IPT -A OUTPUT -d $VPN -m conntrack --ctstate NEW -j ACCEPT          # except the connection to the VPN server itself
$IPT -A OUTPUT -j DROP                                               # explicit drop, same effect as the policy
exit 0
08-09-2011, 10:07 PM #2
LQ Guru | Registered: Apr 2005 | Location: /dev/null | Posts: 5,818
Hello,
After looking through it, it looks pretty good! I do recommend that you fire up nmap, or another applicable program, and try scanning your computer from different resources and computers outside of your local network, even within your network, to do a security check of your configuration. When I built up my firewall, that is exactly what I did in order to get it just right. One more thing - Just because it looks good to me, doesn't mean that it is. We all have different networks, and different setups, so you should really test your network like I said to verify.
Cheers,
Josh
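Following the advice to test the ruleset rather than trust it, here is an added audit script (not from this thread) that checks an iptables-save dump against the three requirements in post #1 and reports every ACCEPT they do not cover, plus two points a reviewer would raise: the LAN rule is not bound to an interface (LAN source addresses arriving on any other interface match it too), and the rule towards the VPN server accepts any protocol and port. It assumes Python 3, a LAN interface named eth0, and the constructed placeholder 203.0.113.10 in place of the poster's VPN address.

```python
# Constructed sample: the poster's ruleset as `iptables-save` prints it, with the VPN server replaced by the placeholder 203.0.113.10.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""
def parse_filter_table(dump):
    """Return ({chain: policy}, [{option: value}]) for the *filter table; assumes every option takes one value, as here."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            policies.update([line[1:].split()[:2]])  # ":INPUT DROP [0:0]" -> {"INPUT": "DROP"}
        elif in_filter and line.startswith("-A "):
            tokens = line.split()
            rules.append(dict(zip(tokens[::2], tokens[1::2])))
    return policies, rules
def audit(dump, lan, vpn, vpn_if="tun0", lan_if="eth0"):
    """List every policy or ACCEPT rule that the three stated requirements do not cover."""
    policies, rules = parse_filter_table(dump)
    findings = [f"{c} policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "OUTPUT", "FORWARD") if policies.get(c) != "DROP"]
    for r in rules:
        if r.get("-j") != "ACCEPT" or r.get("--ctstate") == "RELATED,ESTABLISHED":
            continue  # drops, and replies to connections that were already permitted
        chain, rule = r["-A"], " ".join(f"{k} {v}" for k, v in r.items())
        if r.get("-i" if chain == "INPUT" else "-o") in ("lo", vpn_if):
            continue  # loopback and the tunnel itself are always allowed
        if chain == "INPUT" and r.get("-s") == lan:
            if "-i" not in r:  # LAN source addresses can also arrive (spoofed) on any other interface
                findings.append(f"bind the LAN rule to its interface (-i {lan_if}): {rule}")
        elif chain == "OUTPUT" and r.get("-d") == vpn:
            if "-p" not in r:  # tunnel bootstrap: limit it to the OpenVPN protocol and port
                findings.append(f"restrict the VPN server rule to one protocol/port: {rule}")
        else:
            findings.append(f"{chain} ACCEPT outside the stated policy: {rule}")
    return findings
```

Run `audit(open("/path/to/dump").read(), "192.168.0.0/24", "<vpn-ip>/32")` on a real `iptables-save` dump; an empty list means the ruleset matches the stated policy with nothing left to tighten.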
08-10-2011, 08:19 AM #3
Member (Original Poster) | Registered: Aug 2010 | Posts: 40
Quote: Originally Posted by corp769
Hello,
After looking through it, it looks pretty good! I do recommend that you fire up nmap, or another applicable program, and try scanning your computer from different resources and computers outside of your local network, even within your network, to do a security check of your configuration. When I built up my firewall, that is exactly what I did in order to get it just right. One more thing - Just because it looks good to me, doesn't mean that it is. We all have different networks, and different setups, so you should really test your network like I said to verify.
Cheers,
Josh
Thanks for the pointers. I will definitely do some NMAPing of that computer to see what I come up with!
Dana
08-10-2011, 09:36 AM #4
LQ Guru | Registered: Apr 2005 | Location: /dev/null | Posts: 5,818
No problem. Let me know how the results turn out then.
Josh