@RiFi2k RiFi2k/iptables.openvpn
Last active Jul 18, 2019

Force all traffic through the VPN tun interface and reject anything that would leave by another path, so DNS queries cannot leak past the tunnel. Assumes a TUN device and the redirect-gateway option in the OpenVPN client config. These are IPv4 rules in iptables-save format (load with iptables-restore); IPv6 is not covered, so add an equivalent ip6tables ruleset or disable IPv6, and the client config's remote must be an IP literal, because once the OUTPUT policy is DROP the DNS lookup that would resolve a hostname is itself blocked.
# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
# Force all traffic through VPN tun
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Set a default DROP policy
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow basic INPUT traffic
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Allow basic OUTPUT traffic
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Note: this lets ICMP out of any interface, not only the tunnel; remove it if even pings must stay inside the VPN
-A OUTPUT -p icmp -j ACCEPT
# Allow traffic to the OpenVPN server and via the tunnel
-A OUTPUT -o tun+ -j ACCEPT
# Replace 203.0.113.10 (an RFC 5737 documentation address used here as a placeholder; an invalid address such as
# 55.555.555.55 makes iptables-restore fail) with the VPN server's IP, and match the port and protocol of the
# client config's remote line
-A OUTPUT -p udp -m udp -d 203.0.113.10 --dport 1194 -j ACCEPT
# Log and drop INVALID packets first so they are not logged a second time by the REJECTED rules below
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IPTables:INPUT-INVALID-DROPPED -" --log-level 4
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Log everything else that is about to be rejected (rate-limited so a leaking client cannot flood the kernel log)
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables:INPUT-REJECTED -" --log-level 4
-A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables:FORWARD-REJECTED -" --log-level 4
-A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables:OUTPUT-REJECTED -" --log-level 4
# Reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
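The ruleset above hard-codes one VPN endpoint and covers IPv4 only. The script below is an added example, not part of the gist and not the author's code: it reads the remote lines of an OpenVPN client config and generates the same kill-switch ruleset for both iptables and ip6tables, generalised to any number of remotes over UDP or TCP. It also refuses hostnames in remote lines, since the DNS lookup needed to resolve them is exactly what the ruleset blocks. The sample config, the 203.0.113.x addresses and the function names are this example's own constructions.

```python
"""Generate an OpenVPN kill-switch ruleset (iptables-restore format) from a client config.

Added example: it reproduces the gist's rule set, generalised to several 'remote'
lines (udp or tcp) and to IPv6. All names and sample data are the example's own.
"""
import ipaddress

# Constructed sample OpenVPN client config; the addresses are RFC 5737 documentation
# addresses, not a real VPN provider.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
# the 'proto' line above is the default for remotes that do not name one
remote 203.0.113.10 1194
remote 203.0.113.11 443 tcp
redirect-gateway def1
"""


def _normalise_proto(proto):
    """OpenVPN accepts udp, udp4, udp6, tcp, tcp4, tcp6, tcp-client...; a firewall
    rule only cares about the transport."""
    return "tcp" if proto.lower().startswith("tcp") else "udp"


def parse_remotes(config_text):
    """Return [(ip, port, proto)] for every 'remote' line in the config.

    Hostnames are rejected on purpose: once the OUTPUT policy is DROP nothing
    lets the resolver's query out, so the client could never connect.
    """
    default_proto = "udp"
    remotes = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] == "proto" and len(parts) == 2:
            default_proto = parts[1]
        elif parts[0] == "remote":
            if len(parts) < 2:
                raise ValueError("remote line without a host")
            host = parts[1]
            port = int(parts[2]) if len(parts) > 2 else 1194   # OpenVPN default port
            proto = parts[3] if len(parts) > 3 else default_proto
            try:
                ipaddress.ip_address(host)
            except ValueError:
                raise ValueError(
                    f"remote {host!r} is a hostname; use an IP literal, the kill switch "
                    "blocks the DNS lookup that would resolve it") from None
            remotes.append((host, port, _normalise_proto(proto)))
    if not remotes:
        raise ValueError("no 'remote' line found")
    return remotes


def build_rulesets(remotes):
    """Return {'iptables': text, 'ip6tables': text}, each loadable with *-restore.

    Each family only gets the remotes of its own address version; the IPv6 set
    has no remotes if the VPN is reached over IPv4, which is what we want: then
    nothing but the tunnel can carry IPv6 traffic either.
    """
    out = {}
    for family, version, unreachable in (("iptables", 4, "icmp-port-unreachable"),
                                         ("ip6tables", 6, "icmp6-port-unreachable")):
        lines = [
            "*filter",
            ":INPUT DROP [0:0]",
            ":FORWARD DROP [0:0]",
            ":OUTPUT DROP [0:0]",
            "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
            "-A INPUT -i lo -j ACCEPT",
            "-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
            "-A OUTPUT -o lo -j ACCEPT",
            "-A OUTPUT -o tun+ -j ACCEPT",       # everything inside the tunnel is fine
        ]
        for host, port, proto in remotes:
            if ipaddress.ip_address(host).version == version:
                # the only traffic allowed to leave on the physical interface
                lines.append(f"-A OUTPUT -p {proto} -d {host} --dport {port} -j ACCEPT")
        lines += [
            "-A INPUT -m conntrack --ctstate INVALID -j DROP",
            f"-A INPUT -j REJECT --reject-with {unreachable}",
            f"-A FORWARD -j REJECT --reject-with {unreachable}",
            f"-A OUTPUT -j REJECT --reject-with {unreachable}",
            "COMMIT",
        ]
        out[family] = "\n".join(lines) + "\n"
    return out


if __name__ == "__main__":
    rules = build_rulesets(parse_remotes(SAMPLE_CONFIG))
    print(rules["iptables"])
    print(rules["ip6tables"])
```

Write the two outputs to files and load them with `iptables-restore < rules.v4` and `ip6tables-restore < rules.v6`. Take a snapshot first with `iptables-save > before.v4` (and `ip6tables-save` likewise): restoring that snapshot is the undo. DNS after connection works because the server-pushed resolvers are reached through tun, which the ruleset allows without restriction.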
@jcalfee
commented Jul 18, 2019

Is there an undo?
