First, allow your local connection and your RELATED,ESTABLISHED connections for each protocol.
$ sudo iptables -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT
$ sudo iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
This will allow the internet connection.
Set default chain policies
$ sudo iptables -P INPUT DROP
$ sudo iptables -P OUTPUT DROP
This will deny all kinds of inbound/outbound traffic.
Allow your VPN connection
$ sudo iptables -A INPUT -s [VPN ip connection] -j ACCEPT
$ sudo iptables -A OUTPUT -d [VPN ip connection] -j ACCEPT
This will allow the VPN connection.
IF YOU ARE CONNECTED BY SSH, YOU MUST ALSO ALLOW YOUR IP ADDRESS, AS YOU DID FOR LOCALHOST.
UPDATE:
For other connections, just add rules that allow them.
HTTP for example:
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
PERSONAL RECOMMENDATION
What I do is back up my iptables rules with $ sudo iptables-save > iptables_backup, then for any change I edit the rules with vim and restore them with $ sudo iptables-restore < iptables_backup. This is only a personal practice to avoid duplicating rules.
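The procedure above, as one script. This is an added example, not code from the answer: it writes the same "VPN only" ruleset as a single iptables-restore file (so the DROP policies and the ACCEPT rules take effect in one transaction, with no moment in between where the session is cut), allows loopback and established traffic in both directions, and applies the file with an automatic rollback so a typo cannot lock you out of an SSH session. The VPN address, port, protocol, tunnel interface, admin address and file names are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above. Builds the "VPN only" ruleset
# as an iptables-restore file and applies it atomically, with automatic rollback.
# Every address, port, interface and file name below is a hypothetical placeholder.
set -eu

# build_rules VPN_SERVER [VPN_PORT] [VPN_PROTO] [VPN_IF] [ADMIN_IP]
#   VPN_SERVER  public IP of the VPN endpoint (the "[VPN ip connection]" placeholder)
#   VPN_PORT    port the tunnel connects to (1194 assumed; typical for OpenVPN)
#   VPN_PROTO   udp or tcp
#   VPN_IF      tunnel interface the VPN client creates (tun0 assumed)
#   ADMIN_IP    address you are logged in from over SSH; leave empty if not needed
build_rules() {
    local vpn_server="$1" vpn_port="${2:-1194}" vpn_proto="${3:-udp}"
    local vpn_if="${4:-tun0}" admin_ip="${5:-}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback in both directions and for every protocol (the answer only allows TCP from 127.0.0.1 inbound)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we opened, in both directions; conntrack/ctstate is the current spelling of state/--state
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the only new connection allowed on the real interface is the tunnel to the VPN server (by IP: DNS is blocked here)
-A OUTPUT -d ${vpn_server} -p ${vpn_proto} --dport ${vpn_port} -j ACCEPT
# everything else has to leave through the tunnel interface
-A OUTPUT -o ${vpn_if} -j ACCEPT
EOF
    if [ -n "$admin_ip" ]; then
        # keep the SSH session that is applying these rules alive (the answer's warning in capitals)
        echo "-A INPUT -s ${admin_ip} -p tcp --dport 22 -j ACCEPT"
    fi
    echo "COMMIT"
}

# apply_with_rollback RULES_FILE [TIMEOUT]
# Loads RULES_FILE in one transaction and schedules a restore of the previous
# ruleset unless you confirm the new one (by killing the timer) within TIMEOUT seconds.
apply_with_rollback() {
    local rules_file="$1" timeout="${2:-60}" backup
    backup="$(mktemp)"
    iptables-save > "$backup"
    iptables-restore --test "$rules_file"   # parse only: a syntax error is caught before the kernel sees it
    iptables-restore "$rules_file"
    # nohup so the timer survives the SSH session dying, which is exactly when it is needed
    nohup sh -c "sleep '$timeout' && iptables-restore '$backup'" >/dev/null 2>&1 &
    echo "new rules active; the old ones come back in ${timeout}s unless you run: kill $!"
}

# usage (hypothetical values and paths):
#   ./vpn-only.sh build 203.0.113.10 1194 udp tun0 198.51.100.7 > /etc/iptables/rules.v4
#   sudo ./vpn-only.sh apply /etc/iptables/rules.v4 60
case "${1:-}" in
    build) shift; build_rules "$@" ;;
    apply) shift; apply_with_rollback "$@" ;;
esac
```

Because OUTPUT defaults to DROP and only the VPN server's IP is reachable on the real interface, the VPN client must be configured with the server's IP address rather than a hostname, or a rule for your resolver has to be added; the `build` step writes the file so it can be reviewed before `apply` touches the kernel.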
Your interpretation is correct.
If you want the whole thing to also apply to UDP packets, you have to add the same set of rules once again, but with -p udp instead of -p tcp. Or just leave out this option and have the rules apply to all packets (though there could be some gotchas with ICMP packets, so it's probably safer to just add both kinds of rules). However, you'll need TCP in the first place to access e.g. Youtube, so even if streaming from Youtube used UDP, you wouldn't be able to watch a stream, because you'll never get this far.
The option -m selects which kind of match to use. You can match on lots of different criteria, and there are even extensions to iptables (man iptables-extensions) with even more matching modules. Here, -m owner selects match by ownership of packets, and --gid-owner specifies to match group ownership. So both options together mean "this rule applies only to packets that are sent from someone in group internet".
The option -j (originally "jump") specifies what to do when the rule matches. You can jump to a different chain, or you can ACCEPT (stop processing rules and send this packet), or you can REJECT (stop processing rules and ignore this packet).
The next two rules allow packets (ACCEPT) for special destinations (-d), no matter what group the sending application is in, and the last rule drops all packets (REJECT) that didn't match the previous rules. So it's this last rule that does the actual blocking.
There are plenty of tutorials for iptables on the internet, google a bit and pick one you like if you want to learn more details. Some random links that I found useful in the past:
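The group-based rule set this answer explains, written out as a script. This is an added example, not the answer's or the question's code: it emits one ACCEPT rule per transport for the owner match (the TCP/UDP point made above), exempts a list of "special destinations", lets the final REJECT do the blocking, and adds the two steps the explanation leaves implicit (creating the group, and starting a program with that group as its effective group). The group name internet comes from the question; the resolver address, user name and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above. Per-application egress control
# with the owner match: only processes whose socket belongs to the group "internet"
# may open connections, with a few destinations exempted. Names and addresses are hypothetical.
set -eu

GROUP="${GROUP:-internet}"

# build_owner_rules GROUP [DEST...]
# Prints the OUTPUT chain in iptables-restore format. DEST... are the "special
# destinations" every process may reach regardless of its group, e.g. a local
# resolver (127.0.0.53 assumed) so that name lookups from other programs still work.
build_owner_rules() {
    local group="$1" proto dest
    shift
    echo '*filter'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # packets of connections opened towards this host (e.g. replies from sshd) are
    # owned by the daemon, not by the group, so let established traffic through
    echo '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # one rule per transport, as the answer recommends, rather than a protocol-less rule
    for proto in tcp udp; do
        echo "-A OUTPUT -p $proto -m owner --gid-owner $group -j ACCEPT"
    done
    # ICMP errors generated by the kernel have no owning socket; allow ICMP explicitly
    echo '-A OUTPUT -p icmp -j ACCEPT'
    for dest in "$@"; do
        echo "-A OUTPUT -d $dest -j ACCEPT"
    done
    # the last rule does the blocking. REJECT sends an ICMP error back so the
    # application fails at once; DROP would discard silently and leave it hanging until it times out.
    echo '-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# One-time setup: create the group and add a user to it (takes effect at next login).
setup_group() {
    local user="$1"
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    usermod -aG "$GROUP" "$user"
}

# --gid-owner compares the group the socket was created with (the process's
# effective group), so being a member is not enough: start the program with that
# group as its primary group. sg(1) from the shadow suite does exactly that.
run_online() {
    sg "$GROUP" -c "$*"
}

# usage (hypothetical paths):
#   sudo ./group-egress.sh setup "$USER"
#   ./group-egress.sh rules internet 127.0.0.53 > rules.v4 && sudo iptables-restore rules.v4
#   ./group-egress.sh run curl -I https://example.com
case "${1:-}" in
    setup) shift; setup_group "$@" ;;
    rules) shift; build_owner_rules "$@" ;;
    run)   shift; run_online "$@" ;;
esac
```

The `rules` step prints the chain instead of applying it, so the ordering (exemptions, then the owner rules, then the catch-all REJECT) can be checked before `iptables-restore` loads it; a program started without `run` will get "Connection refused" immediately rather than a timeout, which is the observable difference between REJECT and DROP.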
Best Answer
gufw and other default-shipped firewalls aren't designed to filter by application - gufw is an uncomplicated GUI frontend to ufw, and isn't designed to filter on the application level, it's simply an uncomplicated front-end for setting up basic filtering rules based on IP, port, etc. What you're looking for goes beyond the standard firewall-in-linux rulesets which ufw and gufw can accommodate. There are several suggested methods (the linked one is group-based controls, so you have to add applications you want to access the 'net to a specific group), but there are also other applications such as Douane, which may do this at the application layer as well.