Objective
Use iptables to block all Internet connections in the event your VPN is disconnected.
Distributions
This will work on any Linux distribution.
Requirements
A working Linux install with root privileges.
- # - requires given command to be executed with root privileges either directly as a root user or by use of
- $ - given command to be executed as a regular non-privileged user
Introduction
If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.
Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.
Sysctl
Before you start creating iptables rules, you should make some alterations to the sysctl configuration. In some distributions, it's located at /etc/sysctl.d/99-sysctl.conf. Others have it at /etc/sysctl.conf. Open up that file, locate the following line and change it to match the example here.
Then, add the following lines to the bottom of the file. Be sure to change the interface names (eth0 in this example) to match the ones on your machine.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
Save and exit. Then run:
# sysctl -p
Set Up The Document
Now you can create a file for your rules. It doesn't really matter where you make it, so just make one. It'll be referred to as ipv4 for this guide.
Start the file by adding the following lines. They will be the beginning and end of the file.
Base Rules
Before you configure iptables to allow any traffic, you need to switch its default to disallow all traffic. Add these three rules to drop all traffic by default.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
Input
It's most secure to only allow inbound traffic from established or related connections. Set that up next.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Loopback and Ping
Next, allow the loopback interface and ping. This assumes that your VPN connection is on tun0. Check that with ip a, if you're not sure.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -p icmp -j ACCEPT
LAN
It doesn't make much sense to shut down or block your LAN traffic, especially on a home network, so allow that too.
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
DNS
For this next part, you're going to need to know the IP address of your VPN's DNS server(s). Your VPN provider's documentation, or your resolv.conf while you're connected, will usually show them.
-A OUTPUT -d 10.45.16.1 -j ACCEPT
Allow The VPN
Of course, you need to allow the VPN itself. There are two parts to this. You need to allow both the service port and the interface. Again, check the port and interface that your VPN connection is using.
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
You could stop here. This will work just fine for a killswitch. However, if you want iptables to function as a regular firewall and block connections on unwanted ports too, you can do that.
From here, you would delete the last line that accepts all traffic on tun0, and replace it with specific allowances for the ports that you want to allow.
-A OUTPUT -o tun0 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o tun0 -p tcp --dport 993 -j ACCEPT
-A OUTPUT -o tun0 -p tcp --dport 465 -j ACCEPT
You get the general idea. It's longer and more tedious, but it gives you more control over what traffic gets through.
IPv6
IPv6 is really bad for VPNs right now. Most don't adequately support it, and your information can leak out over that connection. It's best to shut it down altogether.
Create another file for IPv6 and block everything.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
Commit
You need to import your files into iptables in order for them to take effect. First, clear out any old rules.
# iptables -F && iptables -X
Import the new ones from your files.
# iptables-restore < /tmp/ipv4
# ip6tables-restore < /tmp/ipv6
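The rule files above are easy to get subtly wrong by hand (a missing header line, or an ACCEPT rule that is not tied to the tunnel). The script below is an added example, not part of the original guide: it generates both files from a few variables, using the *filter header and COMMIT trailer that iptables-restore expects, and then runs a simple check that refuses the file if any chain policy is not DROP or if any OUTPUT ACCEPT rule is not restricted to lo, the tunnel interface, a destination or a port. The interface (tun0), port (1194), LAN (192.168.1.0/24) and resolver (10.45.16.1) defaults are the guide's sample values and must be changed to match your machine; the function names gen_ipv4, gen_ipv6 and check_killswitch are my own. It also goes slightly beyond the guide in one place: the DNS rule is narrowed to port 53 rather than accepting all traffic to the resolver address.

```shell
#!/bin/sh
# Added example (not from the original guide): build and sanity-check the
# iptables-restore files for a VPN killswitch. Values below are assumptions
# taken from the guide's sample rules; adjust them to match 'ip a' and your
# VPN configuration before use.

VPN_IF="${VPN_IF:-tun0}"                 # VPN tunnel interface (assumed)
VPN_PORT="${VPN_PORT:-1194}"             # OpenVPN UDP port (assumed)
VPN_DNS="${VPN_DNS:-10.45.16.1}"         # VPN resolver address (sample value)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # home LAN (sample value)
ALLOWED_PORTS="${ALLOWED_PORTS:-443 80 993 465}"  # strict mode only

# gen_ipv4 MODE -> print the IPv4 rule file. MODE "tunnel" accepts everything
# leaving through the VPN interface; "strict" only accepts ALLOWED_PORTS.
gen_ipv4() {
    mode="${1:-tunnel}"
    echo '*filter'                        # required by iptables-restore
    echo '-P INPUT DROP'
    echo '-P FORWARD DROP'
    echo '-P OUTPUT DROP'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo "-A OUTPUT -o $VPN_IF -p icmp -j ACCEPT"
    echo "-A OUTPUT -d $LAN_NET -j ACCEPT"
    # Narrower than the guide: only DNS traffic may reach the resolver address.
    echo "-A OUTPUT -d $VPN_DNS -p udp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -d $VPN_DNS -p tcp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -p udp -m udp --dport $VPN_PORT -j ACCEPT"
    if [ "$mode" = strict ]; then
        for p in $ALLOWED_PORTS; do
            echo "-A OUTPUT -o $VPN_IF -p tcp --dport $p -j ACCEPT"
        done
    else
        echo "-A OUTPUT -o $VPN_IF -j ACCEPT"
    fi
    echo 'COMMIT'                         # required trailer
}

# gen_ipv6 -> print the IPv6 file, which simply drops everything.
gen_ipv6() {
    echo '*filter'
    echo '-P INPUT DROP'
    echo '-P FORWARD DROP'
    echo '-P OUTPUT DROP'
    echo 'COMMIT'
}

# check_killswitch FILE -> return 0 only if FILE has the *filter/COMMIT
# framing, DROP policies on all three chains, and no OUTPUT ACCEPT rule that
# lacks an interface, destination or port restriction. Prints the problem
# and returns 1 otherwise.
check_killswitch() {
    f="$1"
    grep -q '^\*filter$' "$f" && grep -q '^COMMIT$' "$f" ||
        { echo "missing *filter/COMMIT framing in $f"; return 1; }
    for chain in INPUT FORWARD OUTPUT; do
        grep -q "^-P $chain DROP\$" "$f" ||
            { echo "policy for $chain is not DROP in $f"; return 1; }
    done
    bad=$(grep '^-A OUTPUT .*-j ACCEPT' "$f" |
          grep -v -e '-o lo ' -e "-o $VPN_IF " -e '-d ' -e '--dport ' || true)
    if [ -n "$bad" ]; then
        echo "unrestricted OUTPUT ACCEPT rule in $f: $bad"
        return 1
    fi
    return 0
}

# main MODE -> write both files to /tmp and refuse to continue if the check
# fails. Loading them needs root, so the load commands are printed, not run.
main() {
    gen_ipv4 "${1:-tunnel}" > /tmp/ipv4
    gen_ipv6 > /tmp/ipv6
    check_killswitch /tmp/ipv4 || exit 1
    check_killswitch /tmp/ipv6 || exit 1
    echo "rules written to /tmp/ipv4 and /tmp/ipv6; as root, load them with:"
    echo "  iptables-restore < /tmp/ipv4 && ip6tables-restore < /tmp/ipv6"
}

if [ "${1:-}" = "--write" ]; then
    main "${2:-tunnel}"
fi
```

Run it as `sh killswitch.sh --write` (or `--write strict`) and then load the files as root with the iptables-restore commands above. One caveat that applies to the guide's DNS rule as well: with only the VPN resolver allowed, the VPN client cannot resolve its server's hostname before the tunnel is up, so the client configuration should point at the server's IP address.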
Make It Permanent
Iptables doesn't save its state after a reboot by default. You need to set that up yourself.
Debian/Ubuntu
Debian-based systems have a program called iptables-persistent. It's a service that handles backing up and loading your configurations.
When you install it, iptables-persistent will ask you if you want to save your existing configuration. Say yes.
# apt install iptables-persistent
Since Debian systems run services on startup by default, you don't need to do anything else.