iptables para rotear um único usuário para openvpn em tun0 e negar o acesso eth0?

Eu consegui este trabalho usando a seguinte configuração:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -m comment --comment "Block Broadcast INPUT (No log)" -j DROP
-A INPUT -m pkttype --pkt-type multicast -m comment --comment "Block Multicast INPUT (No Log)" -j DROP
-A INPUT -i lo -m comment --comment "Accept localhost Input" -j ACCEPT
-A INPUT -p udp -m udp --sport 1194 -m state --state ESTABLISHED -m comment --comment "Allow the server to reply (related to lport)" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -m comment --comment "Allow the DNS1 to answer" -j ACCEPT
-A INPUT -s 8.8.4.4/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED -m comment --comment "Allow the DNS2 to answer" -j ACCEPT
-A INPUT -m limit --limit 10/min -m comment --comment "Log Input" -j LOG --log-prefix "FW DROP INPUT: " --log-level 7
-A INPUT -i tun+ -m comment --comment "Accept TUN Input" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 10/min -m comment --comment "Log Forward" -j LOG --log-prefix "FW DROP FORWARD: " --log-level 7
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s $EXTERNALIP -o $EXT_INT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT ! -s $EXTERNALIP/32 -o $EXT_INT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1003 -j ACCEPT
-A OUTPUT ! -s $EXTERNALIP/32 -o $EXT_INT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m comment --comment "Accept localhost Output" -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -m comment --comment "Allow my computer to query the DNS server" -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
-A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $EXT_INT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -o $EXT_INT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m comment --comment "Allow my machine to connect to the DNS1" -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -m comment --comment "Allow my machine to connect to the DNS2" -j ACCEPT
-A OUTPUT -m limit --limit 10/min -m comment --comment "Log Output" -j LOG --log-prefix "FW DROP OUTPUT: " --log-level 7
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ping to Outside" -j ACCEPT
-A OUTPUT -o tun+ -m comment --comment "Accept TUN Output" -j ACCEPT
-A f2b-sshd -j RETURN

Isso pode ser de alguma ajuda:

link

Eles bloquearam todo o tráfego para eth0, depois permitiram que alguns passassem mais tarde (DNS, ping)

goldsztajn

August 2014 in General Privacy Discussion

Posts: 4

(UPDATED)

Hi everybody,

I have tried to build a solution that will transform a Debian or Ubuntu machine to be able to access the Internet ONLY via the VPN (to avoid any mistake if you are disconnected or if OpenVPN crashes).

For your information, I use OpenVPN configured with the PIA config files and I assume you have only the eth0 on your computer.

1/ When the interfaces goes up, disable the trafic

/etc/network/interfaces

   auto eth0

   iface eth0 inet dhcp

       pre-up iptables-restore < /etc/iptables.rules

Then : /etc/iptables.rules

   *filter

   # Default Policy

   :INPUT DROP [0:0]

   :FORWARD DROP [0:0]

   :OUTPUT DROP [0:0]

   # Broadcast without logging

   -A INPUT -m pkttype --pkt-type broadcast -j DROP -m comment --comment "Block Broadcast INPUT (No log)"

   -A INPUT -m pkttype --pkt-type multicast -j DROP -m comment --comment "Block Multicast INPUT (No Log)"

   # Allow localhost

   -A INPUT  -i lo -m comment --comment "Accept localhost Input" -j ACCEPT

   -A OUTPUT -o lo -m comment --comment "Accept localhost Output" -j ACCEPT

   ## Allow to connect to upd 1194 (openvpn)

   -A OUTPUT -p udp --dport 1194 -j ACCEPT -m comment --comment "Allow my computer to query the DNS server"

   -A INPUT  -p udp --sport 1194 -m state --state ESTABLISHED -j ACCEPT  -m comment --comment "Allow the server to reply (related to lport)"

   # Allow DNS

   -A OUTPUT -p udp -d 209.222.18.222 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow my machine to connect to the DNS1"

    -A INPUT  -p udp -s 209.222.18.222 --sport 53 -m state --state ESTABLISHED     -j ACCEPT -m comment --comment "Allow the DNS1 to answer"

   -A OUTPUT -p udp -d 209.222.18.218 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow my machine to connect to the DNS2"

   -A INPUT  -p udp -s 209.222.18.218 --sport 53 -m state --state ESTABLISHED     -j ACCEPT -m comment --comment "Allow the DNS2 to answer"

   # Logging

   -A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW DROP INPUT: " --log-level 7 -m comment --comment "Log Input"

   -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW DROP FORWARD: " --log-level 7 -m comment --comment "Log Forward"

   -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "FW DROP OUTPUT: " --log-level 7 -m comment --comment "Log Output"

   # Ping

   -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ping to Outside"

   COMMIT

Then if you don't start your VPN, you have ... nothing, except localhost, DNS and OpenVPN

To apply the changes :

   # ifdown eth0

   # ifup eth0

When you start your VPN, to avoid DNS Leak I launch a script

I had to "hack" the /etc/default/openvpn file to add on top:

   # A pre script for Private Internet Access

/etc/openvpn/before_start.sh

That /etc/openvpn/before_start.sh contains:

   #!/bin/bash

   DNS1=209.222.18.222

   DNS2=209.222.18.218

   ## Change the DNS to avoid DNS Leak

   echo "nameserver $DNS1" > /etc/resolv.conf

   echo "nameserver $DNS2" >> /etc/resolv.conf

Then into /etc/openvpn/vpn.conf, I added at the end (don't forget to remove nobind, because I force the local port)

   lport 1194

   ipchange up_script.sh

   down down_script.sh

Look up_script.sh (I have improved it with logs and drop of all broadcast address, but I don't have the file right now). The firewall rules are there because I don't know the public IP before. The Gateway allowance is only for my personal needs, you can remove it

   #!/bin/bash

   # Firewall Rules

   IP=$(echo $1 | sed 's/\[AF_INET\]//g')

   GW=$(/sbin/ip route | awk '/default/ { print $3 }')

   IPT=iptables

   # Start

   logger "ovpn: Got public IP $IP"

   # tun interfaces (VPN)

   $IPT -A INPUT  -i tun+ -j ACCEPT -m comment --comment "Accept TUN Input"

   $IPT -A OUTPUT -o tun+ -j ACCEPT -m comment --comment "Accept TUN Output"

   # Allow traffic with my VPN server

   $IPT -A INPUT  -s $IP -j ACCEPT -m comment --comment "Accept PIA Input"

   $IPT -A OUTPUT -d $IP -j ACCEPT -m comment --comment "Accept PIA Output"

   # Allow my gateway on eth0

   $IPT -A OUTPUT -d $GW -o eth+ -j ACCEPT -m comment --comment "Accept My Gateway"

Then down_script.sh

   #!/bin/bash

   GW=$(/sbin/ip route | awk '/default/ { print $3 }')

   IPT=iptables

   # Push DNS again

   echo "nameserver 127.0.0.1" > /etc/resolv.conf

   # Restart my interface !

   ifdown -a

   ifup -a

So what do you think about that ?

G.