Old 05-22-2020, 10:05 AM   #1
fyv3r
LQ Newbie
 
Registered: May 2020
Posts: 4

Rep: Reputation: 0
Openvpn, Mullvad and iptables problem with connection


Hi, This is my first time posting here but I have been browsing for a while and at times I have been a little intimidated by the amount of knowledge. I have been using Slackware seriously for a month or so, after migrating from Debian, and have had no problems that a little bit of research and a lot of 'let's try that again' hasn't been able to solve, so I would welcome any suggestions and patience that could be offered. Thank you.

I have a subscription to Mullvad VPN and over this week have been trying to get it working on Slackware. Previously I had used the app on Debian with no problem. Initially I tried to butcher the nordvpn SlackBuild I found and I got the Mullvad app working but it didn't connect... obviously I put this down to my incompetence so I tried another avenue and used networkmanager-openvpn. There was plenty of documentation on the Mullvad site and although it seemed to connect I was unable to browse. Again, I tried another method from the Slackware documentation, using openvpn directly with:
Code:
openvpn --config /path_to_file/mullvad_xx_got.ovpn

It authenticated and I verified with:

Code:
$ curl https://am.i.mullvad.net/connected
but again couldn't browse. I pinged google and got:

Quote:
$ ping www.google.com
PING www.google.com (216.58.210.36) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
Just playing around I decided to stop iptables to see what happened. When I pinged again it worked and I could browse. The iptables rules I am using are from alienbob's modification of Easy Firewall Generator for IPTables.

Code:
$ iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N bad_packets
-N bad_tcp_packets
-N icmp_packets
-N tcp_inbound
-N tcp_outbound
-N udp_inbound
-N udp_outbound
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -j tcp_inbound
-A INPUT -i wlan0 -p udp -j udp_inbound
-A INPUT -i wlan0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
Something is obviously happening with the iptables rules blocking me with the VPN, but my knowledge of iptables starts and stops at knowing that there is such a thing as iptables. I appreciate I need to learn iptables myself but I am hoping someone could suggest something to get started.

Once again any patience would be hugely appreciated. Thank you... fyv3r.
 
Old 05-25-2020, 11:54 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,751

Rep: Reputation: Disabled
A quick Google search indicates that Mullvad uses either OpenVPN or WireGuard. Both will create a Layer 3 interface through which all VPN traffic is routed.

Your firewall script contains references to two interfaces: loopback (lo) and wlan0. Outbound traffic going through any other interface will hit the DROP policy of the OUTPUT chain.

Find the name of the VPN interface by running ifconfig or ip link list before and after connecting to Mullvad. Then edit the firewall script to include the relevant interface.

And yes, I strongly recommend you get acquainted with iptables, as it's an incredibly powerful firewall tool.
 
3 members found this post helpful.
Old 05-26-2020, 12:16 AM   #3
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,551

Rep: Reputation: 866
@fyv3r

Just to simplify the good advice Ser Olmy provided a little: once you have figured out the name of the VPN interface (it should be tun0), edit the firewall you got generated and duplicate all the wlan0 lines with the new interface, keeping the actual order.
Start with - example:
Code:
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#etc...
AlienBob's firewall is a "careful" one, a little complicated, creating custom chains and handling some things it shouldn't bother with.
If you're looking for a simpler one, "careless" and dropping all the unneeded traffic, allowing just what's relevant, then you could use/start with this one:
https://www.linuxquestions.org/quest...ml#post6044000

P.S.
In any case, make sure you bring up the VPN before you launch the firewall, otherwise the VPN interface is not yet defined and the firewall rules won't apply.
An alternative would be to create a dummy VPN interface in /etc/rc.d/rc.inet2, just before launching rc.firewall, with the exact same name as the one created by the VPN (again, it should be tun0).
Example:
Code:
/usr/sbin/openvpn --mktun --dev tun0

Last edited by abga; 05-26-2020 at 12:30 AM. Reason: P.S.
 
2 members found this post helpful.
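The two suggestions above, finding the VPN interface and then repeating every wlan0 rule for it in the same order, as an added shell example that is not from either post. It assumes the VPN interface is tun0 and works on a constructed subset of the ruleset posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): given an "iptables -S" dump, emit a copy
# in which every rule matching on wlan0 (-i or -o) is immediately followed by
# the same rule for the VPN interface. Order is preserved, so the conntrack
# RELATED,ESTABLISHED rule still comes before the per-protocol jumps.

# Constructed sample: a subset of the ruleset posted in the thread.
RULES='-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -j tcp_inbound
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT'

# add_vpn_iface LAN_IFACE VPN_IFACE < ruleset -> ruleset with duplicated rules
add_vpn_iface() {
    awk -v lan="$1" -v vpn="$2" '
        {
            print                      # original rule, unchanged
            dup = 0
            for (i = 1; i < NF; i++)   # swap the interface name after -i / -o
                if (($i == "-i" || $i == "-o") && $(i + 1) == lan) {
                    $(i + 1) = vpn
                    dup = 1
                }
            if (dup) print             # VPN copy directly after the original
        }'
}

# iface_rule_count IFACE < ruleset -> number of rules matching on IFACE
iface_rule_count() {
    grep -c -E -- "-[io] $1( |$)"
}

# The thread's symptom in one check: an interface with no OUTPUT rule falls
# through to the DROP policy. Succeeds when IFACE has an "-A OUTPUT -o" rule.
has_output_rule() {
    grep -q -E -- "^-A OUTPUT -o $1( |$)"
}

printf '%s\n' "$RULES" | add_vpn_iface wlan0 tun0
```

As abga's P.S. notes, these rules only take effect if tun0 exists when the firewall loads, so bring the VPN up first or pre-create the interface with the `--mktun` command above.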
Old 06-02-2020, 06:29 AM   #4
fyv3r
LQ Newbie
 
Registered: May 2020
Posts: 4

Original Poster
Rep: Reputation: 0
I'm sorry I hadn't replied before. Thank you both for your help. @abga Thank you for the link, I have been playing around with it and managed to get everything working.