Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
H
H
hemir2021-07-24 20:24:05
linux
hemir, 2021-07-24 20:24:05

Which killswitch solution for iptables is better?

Hello.

I'm doing a VPN killswitch on a linux laptop and among the recommendations I found two very similar rule sets for iptables. I want to ask you, are they identical? Or is one of them preferable to choose from?

First solution:

iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -d 169.38.69.24/32 -o wlp6s0 -p udp -m udp --dport 1194
iptables -A INPUT -j ACCEPT -s 169.38.69.24/32 -i wlp6s0 -p udp -m udp --sport 1194
iptables -A INPUT -j ACCEPT -i tun0
iptables -A OUTPUT -j ACCEPT -o tun0


Second solution:

iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -d 169.38.69.24
iptables -A OUTPUT -j ACCEPT -o tun0


I'm not a very "networked" guy. To me, both solutions look almost the same. I just don’t understand why in the first case we separately allow INPUTon tun0and on the VPN server, and in the second case there is no such rule. Otherwise, the second solution looks more concise.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
H
hint000, 2021-07-25
@hemir

There are no rules here for INPUT with the DROP action, which means that it makes no sense to add something to the INPUT with the ACCEPT action, it will be the default anyway. You can also write more concisely:
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -p udp --dport 1194
iptables -A OUTPUT -j ACCEPT -o tun+
The difference is that you can connect to any OpenVPN server, because the limit is set by the port number, not by the server address. Also, the tun+ entry will allow you to work through any tunnel if several tunnels are created (tun0, tun1, tun2, ..) - well, you never know how and what you want to add in the future.

Similar questions
A
alexnem2020-09-26 09:46:45
Big time using a new laptop? 5Reply
R
redcircle2020-05-31 20:13:48
How to change the path to a file that is opened by a Linux application? 1Reply
T
Talyan2020-05-31 20:13:54
How to clean up problems in Zabbix quickly? 1Reply
D
Demigodd2018-05-03 10:19:24
How to use Linux terminal(bash, apt, vim..) on Windows 10? 1Reply
A
Alexey Nechaev2012-11-21 10:37:05
Networking in KVM, Gateway 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question