linux
rodion-dev, 2015-02-23 20:57:12

How to write linux iptables firewall rules to prevent traffic from escaping vpn?

Tell me how to write linux iptables firewall rules to protect against traffic leaving bypassing vpn
so that all traffic is blocked (tcp, udp, dns, all ping requests, etc.) if now the connection is not via VPN,
but so that it can connect to open vpn + go to the ip of the vpn site (prescribe ip, access to which is possible without vpn)


2 answer(s)
rodion-dev, 2015-02-24
@rodion-dev

On these commands:
iptables -I OUTPUT -i eth0 -j REJECT
gives the error "iptables v1.4.21: Can't use -i with OUTPUT"
sudo iptables -I OUTPUT -i lo -j ACCEPT
gives the error "iptables v1.4.21: Can't use -i with OUTPUT"
sudo iptables -I OUTPUT ! -i tun0 -j REJECT
gives the error "iptables v1.4.21: Can't use -i with OUTPUT"
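The errors above come from the OUTPUT chain matching on the outgoing interface (-o), not the incoming one (-i). The following is an added example, not code from this thread: a review-before-apply kill switch for the original question (block everything on the uplink except the OpenVPN handshake, let everything through the tunnel). It assumes eth0 is the uplink, tun0 is the tunnel, and 203.0.113.10:1194/udp is a placeholder VPN server address; the DHCP line is only needed if eth0 gets its address by DHCP.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: eth0 = uplink,
# tun0 = OpenVPN tunnel, 203.0.113.10 = placeholder VPN server address.
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the rules instead of applying them so they can be reviewed first.
# OUTPUT matches on the outgoing interface, hence -o everywhere; -i is only
# valid in INPUT/FORWARD/PREROUTING, which is exactly what the errors say.
# Order matters: loopback, replies to already-tracked sessions (so inbound
# SSH on eth0 keeps answering), anything via the tunnel, then only the VPN
# handshake (and a DHCP renewal) on the uplink; everything else is rejected,
# which covers TCP, UDP, DNS and ping alike. IPv6 gets the same treatment
# so nothing leaks over v6 while v4 is locked down.
killswitch_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -j REJECT
ip6tables -P OUTPUT DROP
ip6tables -F OUTPUT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o $VPN_IF -j ACCEPT
EOF
}

# Apply as root with:  killswitch_rules | sh
# Verify afterwards with "iptables -vnL OUTPUT": with the tunnel up, packet
# counters should grow only on the lo/tun0/VPN-server rules; anything
# counted by the final REJECT is traffic that tried to bypass the VPN.
```

DNS resolution keeps working only because resolver queries now go out over tun0, so the resolver configured while the tunnel is up must be reachable through it.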

Vlad Zhivotnev, 2015-02-24
@inkvizitor68sl

To hell with your previous answer.
The correct way (using Debian/Ubuntu as an example) is
auto eth0
iface eth0 inet static
address ....
netmask ....
post-up /sbin/ip ro add 8.8.8.8 via dev eth0
post-up /sbin/ip ro add 8.8.4.4 via dev eth0
gateway - DO NOT specify (so that no default route via eth0 comes up at all).
In openvpn we write the option default-route.
With post-up /sbin/ip we add routes to all the addresses that must be reachable without the VPN.
