[ / / / / / / / / / / / / / ] [ dir / random / 93 / biohzrd / hkacade / hkpnd / tct / utd / uy / yebalnia ]

/slackware/ - Slackware Linux

#slackware@irc.rizon.net

Name
Email
Subject
REC
STOP
Comment *
File
Password (Randomized for file and post deletion; you may also set your own.)
Archive
* = required field[▶Show post options & limits]
Confused? See the FAQ.
Options

Allowed file types:jpg, jpeg, gif, png, webp,webm, mp4, mov
Max filesize is16 MB.
Max image dimensions are15000 x15000.
You may upload5 per post.


File: cee858eb56f444e⋯.png (22.86 KB,635x148,635:148,netfilter_logo3.png)

 No.10

As promised, here is the IPTables script that I use. Please note that this is only for IPv4.

It's designed to block internet connections while the VPN is disabled.

I've made some modifications of my own.

In /etc/rc.d/rc.inet2 there is a section left for rc.firewall where you can enable it.

I hid the –dport on purpose.

There is also /usr/doc/openvpn-2.4.6/sample-config-files/firewall.sh, for those that have upgraded to OpenVPN 2.4.6 and want a sample IPTables that's specific for OpenVPN.

Source: https://linuxconfig.org/how-to-create-a-vpn-killswitch-using-iptables-on-linux

$ cat /etc/rc.d/rc.firewall

#!/bin/sh

# Base Rules
# Before you configure iptables to allow any traffic you need to switch its default to disallow all traffic. Add these three rules to drop all traffic (IPv4 and IPv6) by default.
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -P OUTPUT DROP

# Input
# It's most secure to only allow inbound traffic from established or related connections. Set that up next.
/usr/sbin/iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Loopback and Ping
# Next, allow the loopback interface and ping.
# This assumes that your VPN connection is on tun0. Check that with ip a, if you're not sure.
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o -tun0 -p icmp -j ACCEPT

# LAN
# It doesn't make much sense to shut down or block your LAN traffic, especially on a home network, so allow that too.
/usr/sbin/iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT

# Modem
# When the VPN is on, the following route is required so the modem can be reachable.
/usr/sbin/ip route add 192.168.100.0/24 via 192.168.0.1

# Tor
# This is needed so Tor can connect to the internet.
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT

# DNS
# For this next part, you're going to need to know the IP address of your VPN's DNS server(s). If your VPN has access or you use resolv.conf, you'll probably find them in there.
/usr/sbin/iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d 8.8.4.4 -j ACCEPT

# Allow The VPN
# Of course, you need to allow the VPN itself. There are two parts to this. You need to allow both the service port and the interface.
# Again, check the port and interface that your VPN connection is using.
/usr/sbin/iptables -A OUTPUT -p udp -m udp --dport **** -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o tun0 -j ACCEPT

If you want to list the rules (I find it easier to do both):

# iptables -L -n -v && iptables -S

If you want to flush and accept everything (same as disabling the firewall):

# iptables -F && iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT

Notice that if you run the script above, flush everything and then run the script again, you'll get a warning message about NETLINK. That's because the line "/usr/sbin/ip route add 192.168.100.0/24 via 192.168.0.1" is running again on the already valid route. To avoid this message, you can comment out the infringing line (add a # to the beginning) so when you run the script the route line will be ignored (it's already active), or you could flush the route (instructions at https://ss64.com/bash/ip-route.html), which I consider unnecessary.

____________________________
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
Post last edited at


[Return][Go to top][Catalog][Nerve Center][Random][Post a Reply]
Delete Post [ ]
[]
[ / / / / / / / / / / / / / ] [ dir / random / 93 / biohzrd / hkacade / hkpnd / tct / utd / uy / yebalnia ]