How to use iptables to allow traffic only through ONE SPECIFIC VPN
Solution 1
I suppose here that you want all non local traffic to go through the VPN (internet access for example). If this is true, I think it would be easier and better to use the routing table to do what you want instead of the firewall. You could define your default route to use the VPN instead of the current default.
route add default dev tun0
or something similar and remove the current default route.
On the other hand, if what you want is really to block anything that is not local or coming from the VPN then you are in the right direction using iptables.
Solution 2
Since it appears like you are using OpenVPN, one thing you could easily do is to give your VPN tun device an explicit name instead of using tunN.
It is perfectly valid to put something like. dev tun_home
in your OpenVPN configuration. This will result in the tunnel device being named tun_home
. You can then use this in your firewall rules instead of using a wildcard device name match tun+
.
Related videos on Youtube
BeneStr
Updated on September 18, 2022Comments
-
BeneStr over 1 year
I'm trying to allow all traffic from my Banana PI running Lubuntu to only go to my LAN or otherwise through an VPN Server. I'm following this guide: http://joelslowik.blogspot.co.uk/2013/05/setup-iptables-for-vpn-and-local.html
Essentially it says I should use these rules:
#Allow loopback device (internal communication) iptables -A INPUT -i lo -j iptables -A OUTPUT -o lo -j ACCEPT #Allow all local traffic. iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT #Allow VPN establishment iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT iptables -A INPUT -p udp --sport 1194 -j ACCEPT #Accept all TUN connections (tun = VPN tunnel) iptables -A OUTPUT -o tun+ -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT #Set default policies to drop all communication unless specifically allowed iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP
But as far as I understand it, that will allow traffic through ANY VPN (or anything with a network interface starting with "tun" for that matter).
I tried to use
iptables -A INPUT -s XXX.XXX.XXX.XXX -j ACCEPT iptables -A OUTPUT -d XXX.XXX.XXX.XXX -j ACCEPT
with the IP Address of the VPN Server, but that doesn't seem to work either, it simply won't connect to the VPN.
So how should I do this? I did the exact same thing on Windows using the Windows Firewall (following this guide), just blocking any IP Address except the local ones and the one of the VPN Server and it works perfectly.
-
BeneStr about 9 yearsWell I guess this would work... I just still don't feel comfortable making it dependent on the name of the network interface which, as far as I understand, any program can create one of any name. Do you know, why the IP-based rules don't work (considering it works perfectly on Windows)?
-
Zoredache about 9 yearsNo ideal, you probably have written your rules, wrong, but it is difficult to tell since you haven't given us the full set of rules you used when it failed. You also haven't shared the routing tables, so it isn't clear to me what will be crossing the tun interface.
-
Jeter-work over 6 yearsConversely, the tunx device should not be changing. Find out what the name is on your installation (tun0 perhaps) and change
tun+
totun0
.