
How to setup Linux firewall (iptables, UFW) to prevent leaking non-VPN connections



Fli
08-24-2017, 11:51 PM
Here is how to setup OpenVPN server: https://internetlifeforum.com/security/4675-how-setup-private-openvpn-linux-server-windows-android-client/

Then the following is how to prevent an IP leak (connecting to the internet when the VPN is off, thus revealing your true IP to remote servers and transferring data without encryption).

If you are using a VPN client on Linux and want to allow your Ubuntu/Debian/Mint/OpenSuse/Arch... or other Linux distribution supported by UFW/gUFW (http://gufw.org/) to use ONLY the VPN to connect to the internet, and prevent real IP leaking (bypassing the VPN), I describe below the way to do it, but that way can still leak the real IP if the ufw firewall is killed or stopped. But there are scripts (https://gist.github.com/nukeador/31d4cae15bc2c5c4789b12c197111ee3) that may monitor it.

IPTABLES & OpenVPN WAY:

I say OpenVPN because the rules contain tun0 and port 1194; you can modify this though. But at the bottom of the article there are also rules for UFW and also for Wireguard.

In short, one creates a new file (nano vpnkillswitch) and pastes inside:


# INPUT: accept loopback, broadcast, LAN-to-LAN, DNS, ping, replies to our own connections and anything arriving over the tunnel; drop everything else
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -j DROP
# FORWARD: only DNS and traffic coming in over the tunnel may be forwarded
iptables -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -j DROP
# OUTPUT: the OpenVPN handshake (udp/1194), loopback, broadcast, LAN, DNS and the tunnel itself; everything else is dropped, so nothing leaves outside the VPN
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -j DROP

Note the 1194 port; if you are connecting to the VPN server at a different port, replace it by yours. Then run that file (sudo bash vpnkillswitch), which will add the rules into iptables, resulting in the internet traffic that does not go through the OpenVPN tunnel being blocked.

IPTABLES & Wireguard+OpenVPN killswitch


iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 58280:58290 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 58280:58290 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 58967 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
iptables -A OUTPUT -j DROP

Note the rule containing 58967 (you should replace it by your Wireguard server's listening wg port, shown in the wg client conf. file too).
Also note the 58280:58290, which is the port range to be allowed/opened (port forwarding); you likely do not need this if you do not require opening certain ports, for example for torrents.

IMPORTANT: after executing the file with the above rules (sh filename), test that the internet works as expected. If it works, then save the iptables rules to persist across reboots (service iptables save, OR if that is not working maybe: iptables-save > /etc/iptables/iptables.rules; you will see after reboot if it persists). On Debian this worked: sudo iptables-save|tee -a /etc/iptables/rules.v4 && sudo iptables-save|tee -a /etc/iptables/rules.v6
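An audit helper, added here as an example and not part of the thread: it parses what `iptables -S OUTPUT` prints and checks that the OUTPUT chain still behaves as the kill switch above intends (final unconditional DROP, only the expected exceptions before it), and it flags the udp/53 rule because DNS allowed on every interface can leave outside the tunnel. The sample ruleset is constructed from the OpenVPN rules above; `VPN_IFACES` and the port tuple are assumptions you adapt to your own setup.

```python
# Added audit helper (not from the thread): does `iptables -S OUTPUT` still look like a kill switch?
VPN_IFACES = ("tun+", "wg0")   # tunnel interfaces used in the rules above

# Constructed sample: the OpenVPN OUTPUT rules posted above, as iptables prints them.
SAMPLE_OUTPUT = """\
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255/32 -j ACCEPT
-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j DROP
"""

def parse_chain(text, chain="OUTPUT"):
    """Return the -A rules of `chain` as token lists, in ruleset order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[:2] == ["-A", chain]:
            rules.append(parts[2:])
    return rules

def opt(tokens, flag):
    """Value following `flag` in one rule, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_output_chain(text, vpn_ports):
    """Return findings (empty list = OK). The chain must end in an unconditional
    DROP; each earlier ACCEPT must be an exception the rules above intend
    (loopback, tunnel, LAN, broadcast, VPN port). DNS on any interface is
    reported, since those queries can leave outside the tunnel."""
    findings, rules = [], parse_chain(text)
    if not rules or rules[-1] != ["-j", "DROP"]:
        findings.append("no final unconditional DROP: traffic leaks when the VPN is down")
    for r in rules:
        if opt(r, "-j") != "ACCEPT":
            continue
        out_if, dport, dst = opt(r, "-o"), opt(r, "--dport"), opt(r, "-d")
        if out_if in VPN_IFACES or out_if == "lo":
            continue
        if dst in ("255.255.255.255/32", "192.168.0.0/16"):
            continue
        if opt(r, "-p") == "udp" and dport in {str(p) for p in vpn_ports}:
            continue
        if dport == "53":
            findings.append("udp/53 accepted on every interface: possible DNS leak")
        else:
            findings.append("unexpected ACCEPT: " + " ".join(r))
    return findings
```

Run it against live output with `audit_output_chain(subprocess.check_output(["iptables", "-S", "OUTPUT"], text=True), (1194,))`; a non-empty list after the firewall was reset or restarted is the signal the thread's monitoring scripts are meant to catch.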


----------------------
The rest of the text may be a more time consuming/less efficient approach:

UFW way with manually defining IPs (less optimal):


sudo dnf install ufw
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out to [VPN server IP] port 1194 proto udp
sudo ufw allow out to [VPN provider's DNS IP] port 53
sudo ufw allow out from any to 192.168.0.0/16
sudo ufw allow in from 192.168.0.0/16 to any
sudo ufw allow out on tun0 from any to any
sudo ufw enable

Note: some use a custom VPN server port, not the default 1194; as the "VPN provider DNS IP" I used 8.8.8.8, which is Google's open DNS. But if the ovpn config file is defined to do DNS via the VPN, then this rule is probably not needed. If you added wrong rule/s, you can delete all firewall rules by the command "sudo ufw reset"; this will delete all rules and disable the firewall (enabling is done by "sudo ufw enable").

GUI way:

1. Install gufw (use your package manager like synaptic.. or visit link above to learn how to do it).
2. Click the network icon and select Edit connections. Simply go to Network Manager and there create/add a new network connection. As the type select something like VPN/"Import a saved VPN configuration..."; if you do not have it there, try to install VPN services through the package manager.
3. Select/import the .ovpn file your OpenVPN server generated or your VPN provider gave you.
4. Try to connect the VPN by clicking on the Networks icon.
5. If the internet works and you see your VPN IP at www.myip.ms (http://www.myip.ms), proceed to the next step:
6. Open the gUFW firewall you installed and "Reset Current Profile" (if you want to) by clicking on the "Edit" menu entry.
7. Set "Incoming" and "Outgoing" connections to "Deny". Switch status to enabled. This way you have denied all network connections and now you will add exceptions for your public DNS IP and for your VPN server IP.
8. Go to "Rules" tab and click + icon to add new rule:

Policy: Allow
Direction: Out
Interface: All interfaces
Protocol: Both
To: RemotePublicIPOfTheVPNServerHere, Port: PortOfTheServer (1194 example)

9. Add second rule (probably not needed if VPN conf file is set to do DNS lookups via VPN):

Policy: Allow
Direction: Out
Interface: All interfaces
Protocol: Both
To: 8.8.8.8 (the DNS IP VPN server is using) and port 53

10. Add third rule (allowing VPN traffic):

Policy: Allow
Direction: Out
Interface: tun0 (or other tun)
Protocol: Both
From: 10.8.0.2

11. Add fourth rule (allowing local traffic):

Policy: Allow
Direction: Out
Interface: All interfaces
Protocol: Both
From: 192.168.0.0/16
To: 192.168.0.0/16

Result:
The internet started working for me then, and when I disconnected the VPN all internet connections stopped working, which is what I wanted. Internet only via VPN.

Bravo
12-01-2019, 10:11 PM
Nice info, thank u! )