Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
H
H
hemir2021-07-24 20:24:05
linux
hemir, 2021-07-24 20:24:05

Which killswitch solution for iptables is better?

Hello.

I'm doing a VPN killswitch on a linux laptop and among the recommendations I found two very similar rule sets for iptables. I want to ask you, are they identical? Or is one of them preferable to choose from?

First solution:

iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -d 169.38.69.24/32 -o wlp6s0 -p udp -m udp --dport 1194
iptables -A INPUT -j ACCEPT -s 169.38.69.24/32 -i wlp6s0 -p udp -m udp --sport 1194
iptables -A INPUT -j ACCEPT -i tun0
iptables -A OUTPUT -j ACCEPT -o tun0


Second solution:

iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -d 169.38.69.24
iptables -A OUTPUT -j ACCEPT -o tun0


I'm not a very "networked" guy. To me, both solutions look almost the same. I just don’t understand why in the first case we separately allow INPUTon tun0and on the VPN server, and in the second case there is no such rule. Otherwise, the second solution looks more concise.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
H
hint000, 2021-07-25
@hemir

There are no rules here for INPUT with the DROP action, which means that it makes no sense to add something to the INPUT with the ACCEPT action, it will be the default anyway. You can also write more concisely:
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -p udp --dport 1194
iptables -A OUTPUT -j ACCEPT -o tun+
The difference is that you can connect to any OpenVPN server, because the limit is set by the port number, not by the server address. Also, the tun+ entry will allow you to work through any tunnel if several tunnels are created (tun0, tun1, tun2, ..) - well, you never know how and what you want to add in the future.

Similar questions
O
OKNOZA2015-06-21 23:31:05
Can I not use NodeJS templating engine? 7Reply
D
Dmitry Kuznetsov2017-12-05 15:02:08
Why is the state not saved after page reload or are there other options? 1Reply
D
Dmitry Vapelnik2015-06-11 12:27:48
How to make a button on the toolbar to run a script in PhpStorm? 1Reply
O
oni__ino2015-06-11 13:46:27
What is the correct way to migrate a virtual machine to a smaller disk? 3Reply
M
Maxim Pavlyuchuk2017-05-25 17:41:11
How to properly parse a bash command? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question