
Thread: How to setup Linux firewall (iptables,UFW) to prevent leaking non VPN connections

  1. #1
    Administrator
    Join Date
    Mar 2013
    Posts
    2,802

    How to setup Linux firewall (iptables,UFW) to prevent leaking non VPN connections

    Here is how to setup OpenVPN server: https://internetlifeforum.com/security/4675-how-setup-private-openvpn-linux-server-windows-android-client/

    The following is how to prevent an IP leak (connecting to the internet when the VPN is off, thus revealing the true IP to remote servers and transferring data without encryption).

    If you are using a VPN client on Linux and want to allow your Ubuntu/Debian/Mint/OpenSuse/Arch... or other Linux distribution supported by UFW/gUFW to use ONLY the VPN to connect to the internet, and to prevent real IP leaking (bypassing the VPN), I describe below the way to do it, but that way can still leak the real IP if the ufw firewall is killed or stopped. But there are scripts that may monitor it.

    IPTABLES & OpenVPN WAY:

    I say OpenVPN because the rules contain tun0 and port 1194; you can modify this though. At the bottom of the article there are also rules for UFW and for Wireguard.

    In short, create a new file (nano vpnkillswitch) and paste inside:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A INPUT -j DROP
    iptables -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -A OUTPUT -j DROP
    Note the 1194 port (if you are connecting to the VPN server on a different port, replace it with yours). Then run that file (sudo bash vpnkillswitch), which will add the rules into iptables, with the result that internet traffic that does not go through the OpenVPN tunnel will be blocked.

    IPTABLES & Wireguard+OpenVPN killswitch

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 255.255.255.255/32 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 58280:58290 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 58280:58290 -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A INPUT -i wg0 -j ACCEPT
    iptables -A INPUT -j DROP
    iptables -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i wg0 -j ACCEPT
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 58967 -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -d 255.255.255.255/32 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -A OUTPUT -o wg0 -j ACCEPT
    iptables -A OUTPUT -j DROP
    Note the rules containing 58967 (you should replace it with your wireguard server's listening wg port, shown in the wg client conf. file too).
    Also note the 58280:58290, which is the port range to be allowed/opened (port forwarding) - you likely do not need this if you do not require certain ports to be open, for example for torrents.

    IMPORTANT: after executing the file with the above rules (sh filename), test that the internet works as expected. If it works, then save the iptables rules to persist across reboot ( service iptables save OR, if that is not working, maybe: iptables-save > /etc/iptables/iptables.rules ; you will see after reboot whether it persists). On Debian this worked: sudo iptables-save|tee -a /etc/iptables/rules.v4 && sudo iptables-save|tee -a /etc/iptables/rules.v6


    ----------------------
    The rest of the text may be a more time-consuming/less efficient approach:


    UFW way with manually defining IPs (less optimal):

    sudo dnf install ufw
    sudo ufw default deny incoming
    sudo ufw default deny outgoing
    sudo ufw allow out to [VPN server IP] port 1194 proto udp
    sudo ufw allow out to [VPN provider's DNS IP] port 53
    sudo ufw allow out from any to 192.168.0.0/16
    sudo ufw allow in from 192.168.0.0/16 to any
    sudo ufw allow out on tun0 from any to any
    sudo ufw enable
    Note: some use a custom VPN server port, not the default 1194; as the "VPN provider DNS IP" I used 8.8.8.8, which is Google's open DNS. But if the ovpn config file is defined to do DNS via the VPN, then this rule is probably not needed. If you added wrong rule(s), you can delete all firewall rules with the command "sudo ufw reset"; this will delete all rules and disable the firewall (enabling is done by "sudo ufw enable").

    GUI way:

    1. Install gufw (use your package manager like synaptic.. or visit link above to learn how to do it).
    2. Click the network icon and select Edit connections. Simply go to Network manager and there create/add a new network connection. As the type select something like VPN/"Import a saved VPN configuration..."; if you do not have it there, try to install VPN services through the package manager.
    3. Select/import the .ovpn file your openvpn server generated or your VPN provider gave you.
    4. Try to connect to the VPN by clicking on the Networks icon.
    5. If the internet works and you see your VPN IP at www.myip.ms, proceed to the next step:
    6. Open the gUFW firewall you installed and "Reset Current Profile" (if you want to) by clicking on the "Edit" menu entry.
    7. Set "Incoming" and "Outgoing" connections to "Deny". Switch the status to enabled. This way you have denied all network connections and now you will add exceptions for your public DNS IP and for your VPN server IP.
    8. Go to "Rules" tab and click + icon to add new rule:

    Policy: Allow
    Direction: Out
    Interface: All interfaces
    Protocol: Both
    To: RemotePublicIPOfTheVPNServerHere, Port: PortOfTheServer (1194 example)

    9. Add second rule (probably not needed if VPN conf file is set to do DNS lookups via VPN):

    Policy: Allow
    Direction: Out
    Interface: All interfaces
    Protocol: Both
    To: 8.8.8.8 (the DNS IP VPN server is using) and port 53

    10. Add third rule (allowing VPN traffic):

    Policy: Allow
    Direction: Out
    Interface: tun0 (or other tun)
    Protocol: Both
    From: 10.8.0.2

    11. Add fourth rule (allowing local traffic):

    Policy: Allow
    Direction: Out
    Interface: All interfaces
    Protocol: Both
    From: 192.168.0.0/16
    To: 192.168.0.0/16

    Result:
    The internet started working for me then, and when I disconnected the VPN all internet connections stopped working, which is what I wanted. Internet only via VPN.
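
Added example, not part of the original post: a small audit for the monitoring idea mentioned at the top of the thread. It reads an OUTPUT chain in `iptables -S` form and reports ACCEPT rules that let traffic out of a non-tunnel interface, plus a missing final DROP. The function names `audit_killswitch` and `sample_post_output` and the finding labels are made up for this example; the sample input is constructed from the OUTPUT rules of the first script above.

```shell
#!/bin/sh
# Added example: audit OUTPUT rules in `iptables -S` form for a VPN kill switch.
# Live use (assumption: root shell): iptables -S OUTPUT | audit_killswitch

audit_killswitch() {
    # One finding per line on stdout; no output means no finding.
    awk '
    $1 == "-A" && $2 == "OUTPUT" {
        n++
        target = ""; oif = ""; dst = ""; dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-o") oif = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        last = target; last_bare = (NF == 4)
        if (target != "ACCEPT") next
        # Loopback and tunnel interfaces are the intended paths.
        if (oif == "lo" || oif ~ /^(tun|wg)/) next
        if (dport == "53" && dst == "")
            print "DNS_ANY_INTERFACE: " $0
        else if (dst == "" && dport == "")
            print "ACCEPT_ALL: " $0
    }
    END {
        if (n == 0 || last != "DROP" || !last_bare)
            print "NO_FINAL_DROP: OUTPUT does not end in an unconditional DROP"
    }'
}

# Constructed sample: the OUTPUT rules of the first script in the post.
sample_post_output() {
    printf '%s\n' \
        '-P OUTPUT ACCEPT' \
        '-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -d 255.255.255.255/32 -j ACCEPT' \
        '-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT' \
        '-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT' \
        '-A OUTPUT -o tun+ -j ACCEPT' \
        '-A OUTPUT -j DROP'
}

sample_post_output | audit_killswitch
```

On the sample it reports the UDP port 53 rule, which lets DNS queries leave over the physical interface while the tunnel is down. The `iptables` commands above only cover IPv4, so piping `ip6tables -S OUTPUT` through the same function on an IPv6-enabled host with no ip6tables rules reports NO_FINAL_DROP.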

  2. #2
    Junior Member Bravo's Avatar
    Join Date
    Nov 2019
    Location
    Montreal
    Posts
    9
    Nice info, thank u! )
