Last active
August 14, 2017 07:25
-
-
Save niclaslindstedt/6100d8ba70a9022c75be2fa5ba4f4462 to your computer and use it in GitHub Desktop.
Block all non-VPN traffic in iptables. Replace "192.168.100.0" with your home network.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| HOMENETWORK="192.168.100.0/24" | |
| HOMENETIF="eth0" | |
| HOMEVPNIF="tun0" | |
| iptables --flush | |
| # default policy | |
| iptables -P INPUT DROP | |
| iptables -P OUTPUT DROP | |
| iptables -P FORWARD DROP | |
| # allow access to home network | |
| iptables -A INPUT -s "$HOMENETWORK" -j ACCEPT | |
| iptables -A OUTPUT -d "$HOMENETWORK" -j ACCEPT | |
| # allow connection to vpn server through physical network interface | |
| iptables -A OUTPUT -o "$HOMENETIF" -p tcp --dport 1194 -j ACCEPT | |
| iptables -A INPUT -i "$HOMENETIF" -p tcp --dport 1194 -j ACCEPT | |
| # allow connection to dns server | |
| iptables -A OUTPUT -p udp -o "$HOMENETIF" --dport 53 -j ACCEPT | |
| iptables -A INPUT -p udp -i "$HOMENETIF" --sport 53 -j ACCEPT | |
| # allow established and related incoming connections | |
| iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| # allow established outgoing connections | |
| iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| # allow loopback access | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -A OUTPUT -o lo -j ACCEPT | |
| # allow traffic on vpn interface | |
| iptables -A OUTPUT -o "$HOMEVPNIF" -j ACCEPT | |
| iptables -A INPUT -i "$HOMEVPNIF" -j ACCEPT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment