I want to block all internet connections unless I'm connected to my OpenVPN. Now of course, I need to allow connection to the VPN server.
Can this be done by allowing out/in traffic to/from the VPN server IP, but having a drop-all rule afterwards with iptables?
I tried the solution proposed by @tachomi, but I don't have an internet connection when the iptables rules are set. iptables-save states:
# Generated by iptables-save v1.6.0 on Wed Feb 3 00:53:32 2016
*filter
:INPUT DROP [247:40343]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [153:25961]
-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT
-A INPUT -s <VPN_SERVER_IP>/32 -p tcp -j ACCEPT
-A INPUT -s <VPN_SERVER_IP>/32 -p udp -j ACCEPT
-A OUTPUT -d <VPN_SERVER_IP>/32 -p tcp -j ACCEPT
-A OUTPUT -d <VPN_SERVER_IP>/32 -p udp -j ACCEPT
COMMIT
# Completed on Wed Feb 3 00:53:32 2016
Best Answer
First, allow your local connection and your RELATED, ESTABLISHED connection protocols. This will allow the internet connection.
Set default chain policies
This will deny all kind of inbound/outbound traffic.
Allow your VPN connection
This will allow the VPN connection.
IF YOU ARE CONNECTED BY SSH YOU MUST ALLOW YOUR IP ADDRESS ALSO AS YOUR LOCALHOST
UPDATE:
For other connections rules, just allow them.
HTTP for example:
PERSONAL RECOMMENDATION
What I do is to back up my iptables rules with
$ sudo iptables-save > iptables_backup
then for any change I edit the rules with vim and restore the iptables with
$ sudo iptables-restore < iptables_backup
This is only a personal practice to avoid duplicating rules.
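As an added example, not part of the question or the answer above, here is a POSIX shell function that emits the whole "VPN only" ruleset in iptables-restore format; the VPN server address 203.0.113.10, UDP port 1194 and tunnel interface tun0 are placeholders. Compared with the saved ruleset in the question, it sets OUTPUT to DROP, matches loopback by interface rather than by 127.0.0.1 source address, and adds the RELATED,ESTABLISHED and tunnel-interface rules without which replies to traffic sent through the VPN are dropped.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a VPN "kill switch"
# ruleset in iptables-restore format; apply with iptables-restore as root.
# Placeholder assumptions: VPN server 203.0.113.10, UDP/1194, tunnel tun0.

vpn_killswitch_rules() {
    vpn_ip="$1"; vpn_proto="$2"; vpn_port="$3"; tun_if="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: match the interface, not the 127.0.0.1 source address.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host opened; without this nothing works.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The only destination reachable outside the tunnel: the VPN server.
-A OUTPUT -d ${vpn_ip}/32 -p ${vpn_proto} --dport ${vpn_port} -j ACCEPT
# All other traffic may leave only through the tunnel interface.
-A OUTPUT -o ${tun_if} -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the placeholders (or for arguments given on the
# command line). To check the syntax without touching the live tables:
#   sh this.sh | sudo iptables-restore --test
vpn_killswitch_rules "${1:-203.0.113.10}" "${2:-udp}" "${3:-1194}" "${4:-tun0}"
```

DHCP renewals and LAN-side DNS lookups are not permitted by this ruleset; if your OpenVPN client resolves the server by hostname, either put the server's IP address in the client config or add a rule for DNS to your resolver before the tunnel is up.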