LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
05-10-2015, 12:45 AM   #1
JosephS (Member | Registered: Jun 2007 | Distribution: Debian Jessie, Bunsenlabs | Posts: 586 | Rep: Reputation: 38)
Need help with a vpn firewall

I am using a firewall to keep my computer from connecting when the vpn goes down, restricting it to going through the vpn service. I can get a connection to the vpn, but lose it after I start the firewall. Can someone tell me what is wrong with it? This is a firewall I found in a post, except for a couple of lines. I start it after I start openvpn:
Code:
sudo openvpn --config /etc/openvpn/vpnbook-ca1-udp53.ovpn --script-securrity 2 --up /etc/openvpn/update-resolv-conf
This is the firewall:
Quote:
# re: how to block internet connection when vpn fails?
# forums.debian.net
# by M51 » 2013-11-02 12:43
#
# Here's my script, modified to allow all incoming traffic on eth0 from the local
# lan. It assumes you have no other iptables rules in place (that is the default
# with Debian, but may not be for other distros). If, after running it and
# connecting to your vpn you can no longer resolve hostnames, it's likely because
# your system isn't using the DNS servers provided by the vpn and is instead
# using your ISP or local router assigned servers (DNS leak! Bad!). To fix this,
# make sure the resolvconf package is installed and you run
# /etc/openvpn/update-resolv-conf on connecting/disconnecting from the vpn. The
# --up and --down command line parameters can be used for this like so: openvpn
# --script-security 2 --up /etc/openvpn/update-resolv-conf --down
# /etc/openvpn/update-resolv-conf


#!/bin/sh

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 68 -j ACCEPT
/bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -j REJECT

# What it does (line by line):
# 1) Set policy to reject all incoming traffic other than what we specifically allow.
# 2) Allow incoming loopback traffic.
# 3) Allow incoming traffic already associated with a connection.
# 4) Allow incoming traffic on eth0 from the local lan.
# 5) Allow outbound traffic on eth0 to the local lan if it is already associated with a connection.
# 6) Allow outbound traffic on udp port 68 to allow the machine to get an IP address via DHCP (you can remove this if you use manually assigned addresses).
# An even better version of the rule would be:
# /sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p udp --sport 68 --dport 67 -j ACCEPT
# This is a little more restrictive than the one above, and matches what I have in use.
# 7) Parse the ovpn files found in /etc/openvpn and allow outbound traffic to any servers listed.
# 8) Reject all other outbound traffic on eth0. It is important to specify eth0 here, otherwise we'd block outbound traffic on the vpn itself.

# Note: This will block normal web browsing and other such activity even when the
# vpn is disconnected (I simply never do anything on the net from this machine
# without the vpn). To enable normal communications, just run iptables -F to
# flush the rules. You can even use the --up and --down parameters of openvpn to
# do this as well. EDIT: That last sentence should be ignored for a secure setup.
# While it might be convenient to automatically disable the rules, it defeats the
# original purpose of preventing communication when the vpn fails unexpectedly.
 
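What the quoted copy of the script leaves out, shown as an added example that is not code from the thread or from M51's original post: a kill-switch ruleset of the same shape, with outbound traffic on the tunnel interface allowed explicitly (the posted script sets the OUTPUT policy to DROP and never accepts anything on tun0, which matches losing the connection as soon as the firewall starts), outbound loopback allowed, the LAN rules its comment block describes as items 4 and 5 present, and the VPN endpoints resolved before DNS is cut off. The interface names eth0/tun0, the 192.168.1.0/24 LAN range and the config directory are assumptions.

```shell
# Added example (not the thread's script or M51's original): the same kill
# switch with the gaps in the quoted copy closed. That copy leaves the OUTPUT
# policy at DROP and never allows the tunnel interface, so nothing can leave via
# tun0 once openvpn is up; it also never allows outbound loopback or the LAN
# rules its comments call items 4 and 5, and iptables resolves a hostname in -d
# at rule-add time, i.e. after DNS has been cut off. Names/ranges are assumed.
set -eu

WAN_IF="${WAN_IF:-eth0}"             # physical uplink
VPN_IF="${VPN_IF:-tun0}"             # interface openvpn creates
LAN="${LAN:-192.168.1.0/24}"         # assumed home LAN
OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"
IPT="${IPT:-iptables}"               # IPT=echo prints the rules instead

# Print the unique hosts from 'remote <host> [port] [proto]' lines on stdin.
vpn_remotes() {
    grep -h '^remote ' | awk '{print $2}' | sort -u
}

# Turn a host into IPv4 address(es); a literal address passes through as-is.
resolve_v4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{print $1}' | sort -u ;;
        *)         echo "$1" ;;
    esac
}

apply_rules() {
    endpoints=""
    for host in $(cat "$OVPN_DIR"/*.ovpn | vpn_remotes); do
        endpoints="$endpoints $(resolve_v4 "$host")"
    done
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -d "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT   # DHCP
    for ip in $endpoints; do             # only the VPN servers directly on eth0
        $IPT -A OUTPUT -o "$WAN_IF" -d "$ip" -j ACCEPT
    done
    $IPT -A OUTPUT -o "$VPN_IF" -j ACCEPT   # everything else goes through the tunnel
    $IPT -A OUTPUT -o "$WAN_IF" -j REJECT
}
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it as root with the single argument apply after openvpn is up, or with IPT=echo first to review the rules it would load.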
05-14-2015, 03:28 AM   #2
translator1111 (Member | Registered: Jun 2010 | Location: Slovakia | Distribution: Debian 8, Ubuntu 10.04 and 12.04; SLAX 6.0; ConnochaetOS 0.9.; LFS; Natty chip: VT1708S | Posts: 108 | Blog Entries: 2 | Rep: Reputation: 7)
Dear Josephs,
Is there a typo in the word security, written "with 2 rs"?
Quote:
sudo openvpn --config /etc/openvpn/vpnbook-ca1-udp53.ovpn --script-securrity 2 --up /etc/openvpn/update-resolv-conf
faithfully,
M.
 
05-15-2015, 11:40 AM   #3
JosephS (Original Poster | Member | Registered: Jun 2007 | Distribution: Debian Jessie, Bunsenlabs | Posts: 586 | Rep: Reputation: 38)
Quote:
Originally Posted by translator1111
Dear Josephs,
Is there a typo in the word security, written "with 2 rs"?

faithfully,
M.
Yes, but that is not what I typed when I used the command. I copied it wrong in the post.

Thanks
 