Fedora 20 IPtables DNS Leak Proofing

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Chiefahol
OpenVpn Newbie
Posts: 3
Joined: Mon Nov 03, 2014 8:28 pm

Fedora 20 IPtables DNS Leak Proofing

Post by Chiefahol » Tue Nov 04, 2014 7:25 am

Hi guys

I wanted to find guides on this and avoid asking, but you can't search "iptables", "vpn", "leak" or "proof" in this forum. Apparently all these words are too common. :P

Anyway, what I'm trying to do is create an iptables configuration that blocks all network traffic when the VPN connection drops. I'd prefer to be able to reconnect to the VPN service as well once it drops.

Here is my shell script, copied and modified from the AIRVPN forums. (I'm using NORD which has no special clients.)

Code:

#!/bin/bash
# IPTABLES lock for openvpn


FW="/sbin/iptables"
LCL="192.168.76.128/24"
VPN="10.8.8.185/30"
local_interface="eno16777736"
virtual_interface="tun0"
#OPENVPN Servers
servers=(
37.235.57.32		# Double AT-NL (TCP)
95.143.198.80		# SE-TOR
94.249.245.17		# AUS
181.41.210.93		# BR
158.255.208.52		# HK
95.211.190.205		# NL2
95.211.224.1		# NL
46.108.39.199		# RO
141.105.68.130		# RU
95.143.198.99		# SE1
95.143.198.47		# SE
154.127.61.142		# ZA
)


#---------------------------------------------------------------
# Remove old rules and tables
#---------------------------------------------------------------

echo "Deleting old iptables rules..."
$FW -F
$FW -X
$FW -t nat -F
$FW -t nat -X
$FW -t mangle -F
$FW -t mangle -X

echo "Setting up new rules..."

#---------------------------------------------------------------
# Default Policy - Drop anything!
#---------------------------------------------------------------

$FW -P INPUT DROP
$FW -P FORWARD DROP
$FW -P OUTPUT DROP

#---------------------------------------------------------------
# Allow all local connections via loopback.
#---------------------------------------------------------------

$FW -A INPUT  -i lo  -j ACCEPT
$FW -A OUTPUT -o lo  -j ACCEPT

#---------------------------------------------------------------
# Allow Multicast for local network.
#---------------------------------------------------------------

$FW -A INPUT  -j ACCEPT -p igmp -s $LCL -d 224.0.0.0/4 -i $local_interface
$FW -A OUTPUT -j ACCEPT -p igmp -s $LCL -d 224.0.0.0/4 -o $local_interface

#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# local area network
#---------------------------------------------------------------

$FW -A INPUT  -j ACCEPT -s $LCL -i $local_interface
$FW -A OUTPUT -j ACCEPT -d $LCL -o $local_interface

#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# virtual private network
#---------------------------------------------------------------

$FW -A INPUT  -j ACCEPT -i $virtual_interface
$FW -A OUTPUT -j ACCEPT -o $virtual_interface

#---------------------------------------------------------------
# Connection to the VPN servers listed above (UDP 443)
#---------------------------------------------------------------

server_count=${#servers[@]}
for (( c = 0; c < $server_count; c++ ))
do
    $FW -A INPUT  -j ACCEPT -p udp -s ${servers[c]} --sport 443 -i $local_interface
    $FW -A OUTPUT -j ACCEPT -p udp -d ${servers[c]} --dport 443 -o $local_interface
done

#---------------------------------------------------------------
# Log all dropped packets, debug only.
# View in /var/log/syslog or /var/log/messages
#---------------------------------------------------------------

#iptables -N logging
#iptables -A INPUT -j logging
#iptables -A OUTPUT -j logging
#iptables -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
#iptables -A logging -j DROP
Here is the result from ifconfig so you can view my adapters:

Code:

[root@localhost bin]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.76.128  netmask 255.255.255.0  broadcast 192.168.76.255
        ether 00:50:56:3c:9e:74  txqueuelen 1000  (Ethernet)
        RX packets 91894  bytes 85457439 (81.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 84554  bytes 17496400 (16.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 106  bytes 9588 (9.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 106  bytes 9588 (9.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.8.186  netmask 255.255.255.255  destination 10.8.8.185
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 34412  bytes 34864163 (33.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31507  bytes 4391755 (4.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
This shell script doesn't allow an OpenVPN connection after it's been run. After starting OpenVPN and running this script, I start getting:

Code:

Tue Nov  4 01:22:34 2014 UDPv4 link local: [undef]
Tue Nov  4 01:22:34 2014 UDPv4 link remote: [AF_INET]181.41.210.93:1194
Tue Nov  4 01:22:34 2014 write UDPv4: Operation not permitted (code=1)
Tue Nov  4 01:22:36 2014 write UDPv4: Operation not permitted (code=1)
Tue Nov  4 01:22:40 2014 write UDPv4: Operation not permitted (code=1)
Tue Nov  4 01:22:48 2014 write UDPv4: Operation not permitted (code=1)
Again, I'd prefer guides if you guys know of any. But I won't say no to someone helping me 1 on 1. :)

Will post solution in OP when found.

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Fedora 20 IPtables DNS Leak Proofing

Post by krzee » Tue Nov 04, 2014 7:44 am

Show your iptables-save.
(I rarely look at the forum, but catch me on IRC if you miss me here.)

Protip for searching the forum, google:

Code:

site:forums.openvpn.net search terms

Chiefahol
OpenVpn Newbie
Posts: 3
Joined: Mon Nov 03, 2014 8:28 pm

Re: Fedora 20 IPtables DNS Leak Proofing

Post by Chiefahol » Tue Nov 04, 2014 1:32 pm

Thanks for the protip. After some searches, it turns out there isn't much about iptables leak proofing on the forum! Bit of pressure for me to come up with something useful. :lol:

Here is the iptables-save data:

Code:

# Generated by iptables-save v1.4.19.1 on Tue Nov  4 07:24:51 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:356]
:POSTROUTING ACCEPT [1:76]
COMMIT
# Completed on Tue Nov  4 07:24:51 2014
# Generated by iptables-save v1.4.19.1 on Tue Nov  4 07:24:51 2014
*mangle
:PREROUTING ACCEPT [5:485]
:INPUT ACCEPT [5:485]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:27389]
:POSTROUTING ACCEPT [138:9173]
COMMIT
# Completed on Tue Nov  4 07:24:51 2014
# Generated by iptables-save v1.4.19.1 on Tue Nov  4 07:24:51 2014
*security
:INPUT ACCEPT [4983:3589657]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5313:722676]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Nov  4 07:24:51 2014
# Generated by iptables-save v1.4.19.1 on Tue Nov  4 07:24:51 2014
*raw
:PREROUTING ACCEPT [4989:3590259]
:OUTPUT ACCEPT [5445:740892]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue Nov  4 07:24:51 2014
# Generated by iptables-save v1.4.19.1 on Tue Nov  4 07:24:51 2014
*filter
:INPUT DROP [5:485]
:FORWARD DROP [0:0]
:OUTPUT DROP [132:18216]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.76.0/24 -d 224.0.0.0/4 -i eno16777736 -p igmp -j ACCEPT
-A INPUT -s 192.168.76.0/24 -i eno16777736 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 37.235.57.32/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 95.143.198.80/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 94.249.245.17/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 181.41.210.93/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 158.255.208.52/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 95.211.190.205/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 95.211.224.1/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 46.108.39.199/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 141.105.68.130/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 95.143.198.99/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 95.143.198.47/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A INPUT -s 154.127.61.142/32 -i eno16777736 -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.76.0/24 -d 224.0.0.0/4 -o eno16777736 -p igmp -j ACCEPT
-A OUTPUT -d 192.168.76.0/24 -o eno16777736 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 37.235.57.32/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 95.143.198.80/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 94.249.245.17/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 181.41.210.93/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 158.255.208.52/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 95.211.190.205/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 95.211.224.1/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 46.108.39.199/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 141.105.68.130/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 95.143.198.99/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 95.143.198.47/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -d 154.127.61.142/32 -o eno16777736 -p udp -m udp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Nov  4 07:24:51 2014
So this configuration is what's left after running the OP shell script. It cuts out OpenVPN and leads to that error. I need to reload the firewall to reconnect. :S
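The two posts above show the same mismatch from both sides: the script only opens UDP 443 on the physical interface, while the OpenVPN log shows the client trying to reach 181.41.210.93:1194, and the iptables-save dump confirms that no OUTPUT rule allows port 1194, hence "write UDPv4: Operation not permitted". The following is an added example, not the poster's script and not from any VPN provider: it reads the endpoint from the OpenVPN client config's `remote` line instead of hardcoding a port, builds the kill switch with conntrack so replies need no guessed `--sport`, and includes a small textual audit of an iptables-save dump that would have flagged this thread's problem. The config path, interface names and sample dump lines are assumptions; run it as root, or with `FW=echo` to print the rules without applying them.

```shell
#!/bin/bash
# Added example (not the poster's script): OpenVPN kill switch that takes the
# tunnel endpoint from the client config, plus an audit of an iptables-save dump.
# Config path, interface names and sample values in comments are assumptions.
set -eu

FW="${FW:-/sbin/iptables}"   # FW=echo prints the rules instead of applying them

# parse_remote CONFIG: print "host port proto" for the first 'remote' line.
# OpenVPN syntax is 'remote <host> [port] [proto]'; missing fields fall back to
# OpenVPN's defaults (1194, udp). A global 'port' directive is not considered.
parse_remote() {
    awk '$1 == "remote" {
            port  = ($3 != "") ? $3 : "1194"
            proto = ($4 != "") ? $4 : "udp"
            sub(/-.*$/, "", proto)   # tcp-client -> tcp
            sub(/[46]$/, "", proto)  # udp4 / tcp6 -> udp / tcp
            print $2, port, proto
            exit
         }' "$1"
}

# apply_killswitch HOST PORT PROTO LAN_IF VPN_IF [LAN_CIDR]
# Default policy DROP. The physical NIC may carry only LAN traffic (optional)
# and the handshake to HOST:PORT; all other traffic must use the tunnel device,
# so when the tunnel goes away nothing else can leave the box.
apply_killswitch() {
    local host="$1" port="$2" proto="$3" lan_if="$4" vpn_if="$5" lan="${6:-}"
    "$FW" -F
    "$FW" -X
    "$FW" -P INPUT DROP
    "$FW" -P FORWARD DROP
    "$FW" -P OUTPUT DROP
    "$FW" -A INPUT  -i lo -j ACCEPT
    "$FW" -A OUTPUT -o lo -j ACCEPT
    # Replies to permitted flows come back via conntrack; no need to accept a
    # guessed --sport on INPUT as the poster's script does.
    "$FW" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$FW" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    if [ -n "$lan" ]; then
        "$FW" -A INPUT  -i "$lan_if" -s "$lan" -j ACCEPT
        "$FW" -A OUTPUT -o "$lan_if" -d "$lan" -j ACCEPT
    fi
    # The single hole in the physical interface: the configured tunnel endpoint.
    # If HOST is a DNS name, resolve it to an address before applying the rules,
    # since no other outbound traffic (DNS included) is allowed off the NIC.
    "$FW" -A OUTPUT -o "$lan_if" -d "$host" -p "$proto" --dport "$port" -j ACCEPT
    # Application traffic leaves only through the tunnel device.
    "$FW" -A OUTPUT -o "$vpn_if" -j ACCEPT
}

# audit_dump DUMP HOST PORT PROTO: succeed if an OUTPUT ACCEPT rule in an
# iptables-save dump names exactly that endpoint. This is a narrow textual
# check for the mismatch seen in this thread, not a general rule evaluator.
audit_dump() {
    local h
    h=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq -- "^-A OUTPUT .*-d $h(/32)? .*-p $4 .*--dport $3 .*-j ACCEPT" "$1"
}

# Usage (as root; config path and interface names are assumptions):
#   read -r host port proto < <(parse_remote /etc/openvpn/client.conf)
#   apply_killswitch "$host" "$port" "$proto" eno16777736 tun0 192.168.76.0/24
#   iptables-save > /tmp/rules.txt
#   audit_dump /tmp/rules.txt "$host" "$port" "$proto" || echo "endpoint is blocked"
```

Order matters with this approach: apply the rules after the `remote` line is known but before trusting the tunnel, and re-run `audit_dump` against a fresh `iptables-save` whenever the config's endpoint or port changes. The poster's original dump would fail the audit for port 1194 and pass it only for 443, which is exactly the discrepancy behind the "Operation not permitted" writes.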

Chiefahol
OpenVpn Newbie
Posts: 3
Joined: Mon Nov 03, 2014 8:28 pm

Re: Fedora 20 IPtables DNS Leak Proofing

Post by Chiefahol » Thu Nov 06, 2014 11:47 am

SOLUTION FOUND!

https://payments.privateinternetaccess. ... anager-new

This iptables bash script blocks off all non-tunnel traffic until the rules are deactivated, so you have to activate this leak proof after connecting to OpenVPN.

It requires no fancy setup either, which is nice. :3
