ZeroNet - free opensource uncensored distributed web site hosting network
+ Post New Thread
Results 1 to 2 of 2

Thread: How to setup Linux firewall (iptables,UFW) to prevent leaking non VPN connections

  1. #1
    Fli
    Fli is offline
    Administrator Fli's Avatar
    Join Date
    Mar 2013
    Posts
    2,517

    How to setup Linux firewall (iptables,UFW) to prevent leaking non VPN connections



    Here is how to setup OpenVPN server: https://internetlifeforum.com/security/4675-how-setup-private-openvpn-linux-server-windows-android-client/

    Then following is how to prevent IP leak (connecting internet when VPN is off, thus revealing true IP to remote servers and transferring data without encryption)

    If you are using VPN client on a Linux and want to allow your Ubuntu/Debian/Mint/OpenSuse/Arch... or other Linux distribution supported by UFW/gUFW, to use ONLY VPN to connect to the internet, and prevent real IP leaking (bypassing VPN), i describe below the way to do it, but that way still can leak real IP if ufw firewall is killed or stopped. But there are scripts that may monitor it. But if you find that scripts too difficult, try one of the following two approaches:

    UPDATE: another, maybe better approach to prevent leak can be using iptables directly: https://www.privateinternetaccess.com/forum/discussion/comment/44686/#Comment_44686

    In short, one create new file (nano vpnkillswitch) and paste to it:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A INPUT -j DROP
    iptables -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -A OUTPUT -j DROP
    Note the 1194 port, if you are connecting VPN server at different port, replace it by yours). Then run that file (sudo bash vpnkillswitch) which will add the rules into iptables resulting that the internet traffic that do not go thru OpenVPN tunnel will be blocked.


    ----------------------
    Rest of the text in this post is outdated (more time consuming and maybe less efficient approach), no need to continue reading on


    another way with manually defining IPs:

    sudo dnf install ufw
    sudo ufw default deny incoming
    sudo ufw default deny outgoing
    sudo ufw allow out to [VPN server IP] port 1194 proto udp
    sudo ufw allow out to [VPN provider's DNS IP] port 53
    sudo ufw allow out from any to 192.168.0.0/16
    sudo ufw allow in from 192.168.0.0/16 to any
    sudo ufw allow out on tun0 from any to any
    sudo ufw enable
    Note: some use custom vpn server port, not default 1194 ; as a "VPN provider DNS IP" i used: 8.8.8.8 which is Google"s open DNS. But if ovpn config file is defined to do DNS via VPN, then this rule is not needed probably. If you added wrong rule/s, you can delete all firewall rules by command "sudo ufw reset" this will delete all rules and disable firewall (enabling is done by "sudo ufw enable").

    GUI way:

    1. Install gufw (use your package manager like synaptic.. or visit link above to learn how to do it).
    2. Click network icon and select to Edit connections. Simply go to Network manager and there create/add new network connection. As a type select something like VPN/"Import a saved VPN configuration...", if you do not have it there, try to install vpn services thru package manager.
    3. select/import the .ovpn file your openvpn server generated or your VPN provider given you
    4. try to connect VPN clicking on Networks icon
    5. If internet works and you see your VPN IP at www.myip.ms, proceed to next step:
    6. Open gUFW firewall you installed and "Reset Current Profile" (if you want to) clicking on the "Edit" menu entry.
    7. Set "Incoming" and "Outgoing" connections to "Deny". Switch status to enabled. This way you denied all network connections and now you will add exceptions for your public DNS IP and for your VPN server IP.
    8. Go to "Rules" tab and click + icon to add new rule:

    Policy: Allow
    Direction: Out
    Interface: All interfaces
    Protocol: Both
    To: RemotePublicIPOfTheVPNServerHere, Port: PortOfTheServer (1194 example)

    9. Add second rule (probably not needed if VPN conf file is set to do DNS lookups via VPN):

    Policy: Allow
    Direction: Out
    Interface: All interfaces
    Protocol: Both
    To: 8.8.8.8 (the DNS IP VPN server is using) and port 53

    10. Add third rule (allowing VPN traffic):

    Policy: Allow
    Direction: Out
    Interface: tun0 (or other tun)
    Protocol: Both
    From: 10.8.0.2

    11. Add fourth rule (allowing local trafic):

    Policy: Allow
    Direction: Out
    Interface: All interfaces
    Protocol: Both
    From: 192.168.0.0/16
    To: 192.168.0.0/16

    Result:
    The internet started working for me then and when i disconnected VPN all internet connections stopped working which is what i wanted. Internet only via VPN.

  2. #2
    Junior Member Bravo's Avatar
    Join Date
    Nov 2019
    Location
    Montreal
    Posts
    10
    Nice info, thank u! )

+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 02-02-2015, 10:20 PM
  2. CSF firewall: iptables rule limit (numiptent) is too low
    By Fli in forum Security, protection
    Replies: 0
    Last Post: 03-10-2014, 03:23 PM
  3. Replies: 0
    Last Post: 10-03-2013, 10:10 AM
  4. Replies: 0
    Last Post: 08-28-2013, 07:34 AM
  5. Replies: 0
    Last Post: 08-28-2013, 06:15 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
 Protected by : ZB BLOCK  &  StopForumSpam