iptables: How do you stop some applications from accessing Internet when using VPN?

MechaMorph · 02-02-2013, 09:42 AM

Greetings. This being my first post I hope it's a good one.

I have a firewall application for Android that uses iptables/ip6tables to help users manage their data and protect themselves from apps that probably have too many permissions (why those get installed to begin with is a different issue

). It is built from the original GPLv3 application Droidwall.

I want to have more robust VPN support in the app but I'm having issues with the necessary iptables rules. iptables 1.4.10 or greater is used depending on the Android version (2.2 and up).

The way the app works is this. A number of chains are created.
droidwall
droidwall-3g
droidwall-wifi
droidwall-reject

droidwall is added to the OUTPUT chain.
iptables -A OUTPUT -j droidwall
iptables -I OUTPUT 1 -j droidwall

DNS port needs to be added otherwise lookups take a year on Android 3.x or greater.
iptables -A droidwall -m owner --uid-owner 0 -p udp --dport 53 RETURN

The WiFi and Cellular radio interface names are then added to their respective chains.
For example for my Galaxy Nexus:
iptables -A droidwall -o rmnet1+ -j droidwall-3g
iptables -A droidwall -o wlan0+ -j droidwall-wifi

Apps are then granted or denied access by users selecting them from a list.
The apps are inserted by the following:
iptables -I droidwall-3g -m owner --uid-owner <app uid> -j RETURN
iptables -I droidwall-3g -m owner --uid-owner <app uid> -j droidwall-reject

What I want is to add a third option allowing VPN access to only those apps which are allowed. As a test I added another chain called droidwall-vpn. I added two interfaces to that chain, tun+ and tun0+, and then granted/denied application access the same way as above. While that allowed the VPN to function it also allowed ANY application to get data from the VPN. Even applications in droidwall-reject could still access the VPN data stream.

What do I have to do in order to make apps, without access to tun+/tun0+, unable to access the VPN data stream?

Any help would be greatly appreciated! Thanks in advance!

sundialsvcs · 02-04-2013, 09:58 AM

If my dim memory serves, iptables doesn't affect what you can connect-to on the remote side of a VPN tunnel: it only sees the encrypted traffic flowing through the tunnel and can't decode it.

I seem to recall that you must configure the VPN tunnel to specify exactly which ports are available on the other side. The task of choosing what traffic is and is not permitted to flow through the tunnel (and/or to be respected if it does flow through) is VPN's baliwick.

r0b0 · 02-15-2013, 03:31 AM

Hi MechaMorph and welcome to LQ,

Is it possible to paste your whole iptables setup? There might be a rule slipped in that is causing the undesired behavior but without having a look at all the rules I can't tell.

R.

Skaperen · 02-17-2013, 02:06 PM

As long as it can identify the app-id and what destination IPs go to the VPN, rules can be made to decide what is denied or permitted base on those combinations. You can also use destination IP address to break it down to specific remote hosts, or likewise for port numbers. But this could end up being a rather large iptable rule set.