LinuxQuestions.org

Forum: Slackware (https://www.linuxquestions.org/questions/slackware-14/)
Thread: Openvpn, Mullvad and iptables problem with connection (https://www.linuxquestions.org/questions/slackware-14/openvpn-mullvad-and-iptables-problem-with-connection-4175675710/)

fyv3r 05-22-2020 10:05 AM

Openvpn, Mullvad and iptables problem with connection
 
Hi, this is my first time posting here, but I have been browsing for a while and at times I have been a little intimidated by the amount of knowledge. I have been using Slackware seriously for a month or so, after migrating from Debian, and have had no problems that a little bit of research and a lot of 'let's try that again' hasn't been able to solve, so I would welcome any suggestions and patience that could be offered. Thank you.

I have a subscription to Mullvad VPN and over this week have been trying to get it working on Slackware. Previously I had used the app on Debian with no problem. Initially I tried to butcher the NordVPN SlackBuild I found, and I got the Mullvad app working, but it didn't connect... Obviously I put this down to my incompetence, so I tried another avenue and used networkmanager-openvpn. There was plenty of documentation on the Mullvad site, and although it seemed to connect I was unable to browse. Again, I tried another method from the Slackware documentation, using openvpn directly with:
Code:

openvpn --config /path_to_file/mullvad_xx_got.ovpn

It authenticated and I verified with:

Code:

$ curl https://am.i.mullvad.net/connected

but again couldn't browse. I pinged Google and got:

Quote:

$ ping www.google.com
PING www.google.com (216.58.210.36) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
Just playing around, I decided to stop iptables to see what happened. When I pinged again it worked and I could browse. The iptables rules I am using are from alienbob's modification of Easy Firewall Generator for IPTables.

$ iptables -S

Code:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N bad_packets
-N bad_tcp_packets
-N icmp_packets
-N tcp_inbound
-N tcp_outbound
-N udp_inbound
-N udp_outbound
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -j tcp_inbound
-A INPUT -i wlan0 -p udp -j udp_inbound
-A INPUT -i wlan0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT

Something is obviously happening with the iptables rules blocking me with the VPN, but my knowledge of iptables starts and stops at knowing that there is such a thing as iptables. I appreciate that I need to learn iptables myself, but I am hoping someone could suggest something to get started.

Once again any patience would be hugely appreciated. Thank you... fyv3r.

Ser Olmy 05-25-2020 11:54 PM

A quick Google search indicates that Mullvad uses either OpenVPN or WireGuard. Both will create a Layer 3 interface through which all VPN traffic is routed.

Your firewall script contains references to two interfaces: loopback (lo) and wlan0. Outbound traffic going through any other interface will hit the DROP policy of the OUTPUT chain.

Find the name of the VPN interface by running ifconfig or ip link list before and after connecting to Mullvad. Then edit the firewall script to include the relevant interface.

And yes, I strongly recommend you get acquainted with iptables, as it's an incredibly powerful firewall tool.

abga 05-26-2020 12:16 AM

@fyv3r

Just to simplify the good advice Ser Olmy provided a little bit: once you have figured out the name of the VPN interface (it should be tun0), edit the firewall you generated and duplicate all the wlan0 lines with the new interface, keeping the existing order.
Start with - example:
Code:

-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#etc...

AlienBob's firewall is a "careful" one, a little complicated, creating custom chains and handling some things it shouldn't bother with.
If you're looking for a simpler one, "careless", dropping all the unneeded traffic and allowing just what's relevant, then you could use/start with this one:
https://www.linuxquestions.org/quest...ml#post6044000

P.S.
In any case, make sure you bring up the VPN before you launch the firewall; otherwise the VPN interface is not yet defined and the firewall rules won't apply.
An alternative would be to create a dummy VPN interface in /etc/rc.d/rc.inet2, just before launching rc.firewall, with exactly the same name as the one created by the VPN (again, it should be tun0).
Example:
Code:

/usr/sbin/openvpn --mktun --dev tun0
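
The two replies above describe a procedure: compare the interface list before and after the VPN comes up, then duplicate every wlan0 rule for the new interface without disturbing the rule order. The script below is an added example written for this page; it is not code from the thread, from Mullvad, or from AlienBob's generator. It works on captured text only (constructed, trimmed `ip -o link` output and the interface-bound lines of the `iptables -S` dump in the question), so it can be dry-run before touching rc.firewall. The interface names wlan0 and tun0 are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread, from Mullvad or from AlienBob's
# generator). Mechanises the two steps the replies describe on text captured
# from `ip -o link` and `iptables -S`. Nothing here touches the kernel.

# Constructed, trimmed `ip -o link` output before and after `openvpn --config`.
IP_LINK_BEFORE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP'
IP_LINK_AFTER='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN'

# Constructed sample: the interface-bound lines of the `iptables -S` dump
# posted in the question (custom-chain rules omitted; they carry no -i/-o).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -j tcp_inbound
-A INPUT -i wlan0 -p udp -j udp_inbound
-A INPUT -i wlan0 -p icmp -j icmp_packets
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT'

# new_ifaces BEFORE AFTER: interface names present in AFTER but not in
# BEFORE, where each argument holds `ip -o link` output ("N: name: <FLAGS> ...").
new_ifaces() {
    {
        printf '%s\n' "$1" | awk -F': ' '$2 != "" { print "B", $2 }'
        printf '%s\n' "$2" | awk -F': ' '$2 != "" { print "A", $2 }'
    } | awk '$1 == "B" { seen[$2] = 1; next }  !seen[$2] { print $2 }'
}

# dup_iface_rules LAN VPN: copy stdin and, directly after every rule bound
# to LAN via -i or -o, print the same rule bound to VPN. Lines without an
# interface (policies, chain creation, custom-chain rules) pass through
# once, so relative order is preserved: the RELATED,ESTABLISHED accept still
# precedes the per-protocol jumps for both interfaces.
dup_iface_rules() {
    awk -v lan="$1" -v vpn="$2" '
    {
        print
        dup = 0; out = ""
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (i > 1 && ($(i-1) == "-i" || $(i-1) == "-o") && tok == lan) {
                tok = vpn; dup = 1
            }
            sep = (i > 1) ? " " : ""
            out = out sep tok
        }
        if (dup) print out
    }'
}

# allows_output_on IFACE: succeed if the ruleset on stdin has an
# unconditional OUTPUT accept for IFACE. With policy OUTPUT DROP and no such
# line, every packet leaving via IFACE is dropped, which is exactly the
# "ping: sendmsg: Operation not permitted" seen in the question.
allows_output_on() {
    grep -qxF -- "-A OUTPUT -o $1 -j ACCEPT"
}

# Stand-alone run: name the interface the VPN added and print the merged
# ruleset to transcribe into rc.firewall.
vpn_if=$(new_ifaces "$IP_LINK_BEFORE" "$IP_LINK_AFTER")
echo "# VPN interface: ${vpn_if:-<none found>}"
printf '%s\n' "$SAMPLE_RULES" | dup_iface_rules wlan0 "${vpn_if:-tun0}"
```

Two caveats worth knowing before copying the merged lines. First, iptables compares `-i`/`-o` against the interface name as a string, so a trailing `+` acts as a wildcard (`-o tun+` covers tun0, tun1, ...) and a rule naming an interface can be loaded whether or not that interface exists yet. Second, the merged set keeps `-A OUTPUT -o wlan0 -j ACCEPT`, so it fixes the blocked tunnel but is not a kill switch: if the tunnel drops, traffic leaves via wlan0 unimpeded. Restricting wlan0 outbound to the VPN server's address and port is a separate change.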

fyv3r 06-02-2020 06:29 AM

I'm sorry I hadn't replied before. Thank you both for your help. @abga, thank you for the link; I have been playing around with it and managed to get everything working :)
