As promised, here is the IPTables script that I use. Please note that this is only for IPv4.
It's designed to block internet connections while the VPN is disabled.
I've made some modifications of my own.
In /etc/rc.d/rc.inet2 there is a section left for rc.firewall where you can enable it.
I hid the --dport on purpose.
There is also /usr/doc/openvpn-2.4.6/sample-config-files/firewall.sh, for those that have upgraded to OpenVPN 2.4.6 and want a sample IPTables that's specific for OpenVPN.
Source: https://linuxconfig.org/how-to-create-a-vpn-killswitch-using-iptables-on-linux
$ cat /etc/rc.d/rc.firewall
#!/bin/sh
# Base Rules
# Before you configure iptables to allow any traffic you need to switch its default to disallow all traffic. Add these three rules to drop all traffic (IPv4 and IPv6) by default.
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -P OUTPUT DROP
# Input
# It's most secure to only allow inbound traffic from established or related connections. Set that up next.
/usr/sbin/iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback and Ping
# Next, allow the loopback interface and ping.
# This assumes that your VPN connection is on tun0. Check that with ip a, if you're not sure.
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o tun0 -p icmp -j ACCEPT
# LAN
# It doesn't make much sense to shut down or block your LAN traffic, especially on a home network, so allow that too.
/usr/sbin/iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT
# Modem
# When the VPN is on, the following route is required so the modem can be reachable.
/usr/sbin/ip route add 192.168.100.0/24 via 192.168.0.1
# Tor
# This is needed so Tor can connect to the internet.
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
# DNS
# For this next part, you're going to need to know the IP address of your VPN's DNS server(s). If your VPN has access or you use resolv.conf, you'll probably find them in there.
/usr/sbin/iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -d 8.8.4.4 -j ACCEPT
# Allow The VPN
# Of course, you need to allow the VPN itself. There are two parts to this. You need to allow both the service port and the interface.
# Again, check the port and interface that your VPN connection is using.
/usr/sbin/iptables -A OUTPUT -p udp -m udp --dport **** -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o tun0 -j ACCEPT
If you want to list the rules (I find it easier to do both):
# iptables -L -n -v && iptables -S
If you want to flush and accept everything (same as disabling the firewall):
# iptables -F && iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT
Notice that if you run the script above, flush everything and then run the script again, you'll get a warning message about NETLINK. That's because the line "/usr/sbin/ip route add 192.168.100.0/24 via 192.168.0.1" is running again on the already valid route. To avoid this message, you can comment out the infringing line (add a # to the beginning) so when you run the script the route line will be ignored (it's already active), or you could flush the route (instructions at https://ss64.com/bash/ip-route.html), which I consider unnecessary.
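As an added example (not part of the original post or of the linuxconfig article it cites), here is a small POSIX shell audit that reads `iptables -S` output and checks the two properties the kill switch above depends on: all three default policies are DROP, and every OUTPUT ACCEPT rule is scoped to the tunnel interface, to loopback, to a specific destination, or to the VPN service port, so nothing can leave through the physical interface while tun0 is down. The interface name tun0, the two sample rule sets and the port 1194 (standing in for the hidden --dport value) are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit an `iptables -S` listing for VPN kill-switch gaps.
# Not part of the original post; interface, port and sample rules are assumptions.

# audit_killswitch VPN_IF  -- reads `iptables -S` output on stdin.
# Prints one line per finding; returns 1 if anything is wrong, 0 otherwise.
audit_killswitch() {
    vpn_if="${1:-tun0}"   # assumption: the VPN tunnel interface is tun0
    awk -v vpn_if="$vpn_if" '
    # Default policies are listed as "-P CHAIN TARGET".
    $1 == "-P" { policy[$2] = $3; next }

    # Every OUTPUT ACCEPT rule must be scoped; an unscoped one lets traffic
    # leave through the physical interface whenever the tunnel is down.
    $1 == "-A" && $2 == "OUTPUT" && $(NF-1) == "-j" && $NF == "ACCEPT" {
        scoped = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-o" && ($(i+1) == vpn_if || $(i+1) == "lo")) scoped = 1
            if ($i == "-d" && $(i+1) != "0.0.0.0/0") scoped = 1   # LAN / DNS
            if ($i == "--dport") scoped = 1                        # VPN service port
        }
        if (!scoped) { print "LEAK: " $0; bad++ }
    }

    END {
        n = split("INPUT FORWARD OUTPUT", chains, " ")
        for (c = 1; c <= n; c++) {
            ch = chains[c]
            p = (ch in policy) ? policy[ch] : "unset"
            if (p != "DROP") { print "POLICY: " ch " is " p ", expected DROP"; bad++ }
        }
        exit (bad > 0)
    }'
}

# Constructed sample: the rule set from the post as `iptables -S` would list it
# (1194 is an assumed stand-in for the hidden --dport value).
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT
-A OUTPUT -d 192.168.100.0/24 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT'

# Constructed sample of a broken kill switch: OUTPUT policy left at ACCEPT,
# an accept on the physical interface, and an "any destination" accept.
LEAKY_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -d 0.0.0.0/0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT'

audit_good_sample()  { printf '%s\n' "$GOOD_RULES"  | audit_killswitch tun0; }
audit_leaky_sample() { printf '%s\n' "$LEAKY_RULES" | audit_killswitch tun0; }

# Demo on the constructed samples. On a live box:  iptables -S | audit_killswitch tun0
echo "== constructed kill-switch rule set =="
audit_good_sample && echo "OK: policies are DROP and every OUTPUT accept is scoped"
echo "== constructed leaky rule set =="
audit_leaky_sample || echo "FAIL: this rule set would leak outside the tunnel"
```

The audit treats any `--dport` rule as scoped because the post's own VPN port rule has no `-o`; if you tighten that rule to the physical interface and the VPN server address, the check still passes. Run it after each reload (the flush-and-rerun sequence described above), since a forgotten `-P OUTPUT ACCEPT` from a disabled firewall is exactly the state it is meant to catch.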