iptables:create_a_vpn_kill_switch

Differences

This shows you the differences between two versions of the page.

iptables:create_a_vpn_kill_switch [2018/06/15 11:19] – created peter
iptables:create_a_vpn_kill_switch [2019/11/29 17:25] (current) – removed peter
Line 1: Line 1:
-====== IPTables - Create a VPN Kill Switch ====== 
- 
- 
-Use iptables to block all Internet connections in the event your VPN is disconnected. 
- 
-It's a mechanism that stops your Internet connection when you're disconnected from the VPN.  It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.  
- 
-Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables.  Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does.  Iptables is also a well-proven security technology that can and will keep your computer safe. 
- 
- 
-===== Sysctl ===== 
- 
-Before you start creating iptables rules, you should make some alterations to the sysctl configuration.  In some distributions, it's located at /etc/sysctl.d/99-sysctl.conf.  Others have it at /etc/sysctl.conf.  Open up that file, and locate the following line and change it to match the example here. 
- 
-<code bash> 
-net.ipv4.ip_forward=1 
-<code> 
- 
-Then, add the following lines to the bottom of the file.  Be sure to change the interfaces to match the ones on your machine. 
- 
-<file bash> 
-net.ipv6.conf.all.disable_ipv6 = 1 
-net.ipv6.conf.default.disable_ipv6 = 1 
-net.ipv6.conf.lo.disable_ipv6 = 1 
-net.ipv6.conf.eth0.disable_ipv6 = 1 
-</file> 
- 
- 
-Save and exit.  Then run: 
- 
-<code bash> 
-# sysctl -p 
-</code> 
- 
- 
- 
- 
-===== Set Up The Firewall Document ===== 
- 
-Create a file for your firewall rules.   
- 
-<file> 
-*filter 
- 
- 
- 
-COMMIT 
-</file> 
- 
- 
-===== Base Rules ===== 
- 
-Before you configure iptables to allow any traffic you need to switch its default to disallow all traffic.  Add these three rules to drop all traffic by default. 
- 
-<file bash> 
--P INPUT DROP 
--P FORWARD DROP 
--P OUTPUT DROP 
-</file> 
- 
- 
-===== Input ===== 
- 
-It's most secure to only allow inbound traffic from established or related connections.  Set that up next. 
- 
-<file bash> 
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-</file> 
- 
- 
-===== Loopback and Ping ===== 
- 
-Next, allow the loopback interface and ping. 
- 
-<file bash> 
--A OUTPUT -o lo -j ACCEPT 
--A OUTPUT -o tun0 -p icmp -j ACCEPT 
-</file> 
- 
-This assumes that your VPN connection is on **tun0**.  Check that with **ip a**, if you're not sure. 
- 
- 
-===== LAN ===== 
- 
-It doesn't make much sense to shut down or block your LAN traffic, especially on a home network, so allow that too. 
- 
-<file bash> 
--A OUTPUT -d 192.168.1.0/24 -j ACCEPT 
-</file> 
- 
- 
-===== DNS ===== 
- 
-You need to know the IP address of your VPN's DNS server(s).  If your VPN has access or your resolv.conf, you'll probably find them in there. 
- 
-<file bash> 
--A OUTPUT -d 10.45.16.1 -j ACCEPT 
-</file> 
- 
- 
-===== Allow The VPN ===== 
- 
-You need to allow the VPN itself.  There are two parts to this.  You need to allow both the service port and the interface. 
- 
-<file bash> 
--A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT 
--A OUTPUT -o tun0 -j ACCEPT 
-</file> 
- 
-Again, check the port and interface that your VPN connection is using.  
- 
-You could stop here.  This will work just fine for a killswitch.  However, if you want iptables to function as a regular firewall and block connections on unwanted ports too, you can do that too.  
- 
-From here, you would delete the last line that accepts all traffic on tun0, and replace it with specific allowances for the ports that you want to allow. 
- 
-<file bash> 
--A OUTPUT -o tun0 -p tcp --dport 443 -j ACCEPT 
--A OUTPUT -o tun0 -p tcp --dport 80 -j ACCEPT 
- 
- 
--A OUTPUT -o tun0 -p tcp --dport 993 -j ACCEPT 
--A OUTPUT -o tun0 -p tcp --dport 465 -j ACCEPT 
-</file> 
- 
-You get the general idea.  It's longer and more tedious, but it gives you more control over what traffic gets through. 
- 
- 
-===== IPv6 ===== 
- 
-IPv6 is really bad for VPNs right now.  Most don't adequately support it, and your information can leak out over that connection.  It's best to shut it down altogether.  
- 
-Create another file for IPv6 and block everything. 
- 
-<file bash> 
--P INPUT DROP 
--P FORWARD DROP 
--P OUTPUT DROP 
-</file> 
- 
- 
- 
-===== Commit ===== 
- 
-You need to import your files into iptables in order for them to take effect.  First, clear out any old rules. 
- 
-<code bash> 
-iptables -F && iptables -X 
-</bash> 
- 
-Import the new ones from your files. 
- 
-<code bash> 
-iptables-restore < /tmp/ipv4 
-ip6tables-restore < /tmp/ipv6 
-</code> 
- 
-===== Make It Permanent ===== 
- 
-Iptables doesn't save its state after a reboot by default. You need to set that up yourself. 
- 
-===== Debian/Ubuntu ===== 
- 
-Debian-based systems have a program called, **iptables-persistent**.  It's a service that handles backing up and loading your configurations.  
- 
-When you install it, iptables-persistent will ask you if you want to save your existing configuration.  Say yes. 
- 
-<code bash> 
-apt install iptables-persistent 
-</code> 
- 
-Since Debian systems run services on startup by default, you don't need to do anything else. 
- 
-===== Other Systemd ===== 
- 
-Other systems have a couple of different ways to handle this.  The first is to edit /etc/sysconfig/iptables-config.  There will be one of two lines there.  Edit the one that you have to look like the following. 
- 
-<file bash /etc/sysconfig/iptables-config> 
-IPTABLES_SAVE_ON_STOP="yes" 
-</file> 
- 
-OR 
- 
-<file bash /etc/sysconfig/iptables-config> 
-IPTABLES_SAVE_ON_RESTART="yes" 
-</file> 
- 
-The other way is to use the save and restore functions of iptables.  Create a directory where you want to save your rules. 
- 
-<code bash> 
-mkdir /etc/iptables/ 
-iptables-save > /etc/iptables/iptables.rules 
-ip6tables-save > /etc/iptables/ip6tables.rules 
-</code> 
- 
-Then, create a script to load those rule when your computer boots up. 
- 
-<file bash> 
-#! /bin/bash 
- 
-iptables-restore < /etc/iptables/iptables.rules; 
-ip6tables-restore < /etc/iptables/ip6tables.rules; 
-</file> 
- 
- 
-===== OpenRC ===== 
- 
-OpenRC systems like Gentoo have their own way of saving the configurations. 
- 
-<code bash> 
-rc-service iptables save 
-rc-service ip6tables save 
- 
-rc-service iptables start 
-rc-service ip6tables start 
- 
-rc-update add iptables default 
-rc-update add ip6tables default 
-</code> 
- 
- 
-===== Closing Thoughts ===== 
- 
-Using an iptables-based killswitch makes your VPN much more secure.  Leaking data makes totally defeats the purpose of using a VPN, so stopping leaks should be a top priority.  
- 
-Do not trust the so-called killswitches baked into VPN clients.  Most don't work.  The only way to really ensure that your data isn't leaking is to do it yourself with iptables. 
  
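Review bot: the Input section of the removed page pairs `-A OUTPUT -o lo -j ACCEPT` with no `-A INPUT -i lo -j ACCEPT`, so under `-P INPUT DROP` the first packet of any connection to a local service over loopback arrives at INPUT with conntrack state NEW and is dropped; the conntrack RELATED,ESTABLISHED rule only covers later packets. Add the loopback INPUT rule next to the conntrack rule. Two markup errors break the rendered code blocks: the sysctl block closes with `<code>` instead of `</code>` after `net.ipv4.ip_forward=1`, and the flush block closes with `</bash>` instead of `</code>` after `iptables -F && iptables -X`. The IPv6 file shown contains only the three `-P ... DROP` lines, but `ip6tables-restore` needs the same `*filter` / `COMMIT` framing as the IPv4 file set up in "Set Up The Firewall Document", so the policies should be shown inside that wrapper. Setting `net.ipv4.ip_forward=1` is unrelated to a host kill switch (the FORWARD policy is DROP anyway) and is better left at its default of 0 unless the machine routes for other hosts. Finally, the `-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT` rule allows UDP 1194 to any destination; restricting it with `-d <vpn server address>` keeps the only permitted path off the tunnel to the VPN endpoint itself.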
iptables/create_a_vpn_kill_switch.1529061567.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
