Knowledgebase: Securing VPN & DNS
How to prevent an IP leak on Linux with IPtables
Posted by Max Biggavelli on 01 October 2014 08:32

In this Knowledgebase article we will describe the steps how to secure the VPN (and therefore a potential IP leak) on Linux using the IPtables firewall and using BASH as the shell.

IPtables firewall is installed by default on the most Linux Distros, you can verify if its installed:


- Debian

dpkg -s iptables | grep Status

- CentOS

rpm -qa | grep iptables


Enough talk, time to get into the action..

1. Download this executable script to your Linux machine: wget https://nvpn.net/tools/nvpn.sh

2. Make "nvpn.sh" executable: chmod u+x nvpn.sh

3. Read and adjust "nvpn.sh" script to your requirements, the mainly interesting variables are the following "local_interface", "vpn_connect_protocol" and "vpn_connect_port" (in most cases it will just work without any changes).

4. Once you are finished adjusting, save and execute it to actually apply the rules: ./nvpn.sh

5. Example result after execution:

nVpn@ubuntu:/tmp$ ./nvpn.sh
Deleting all old iptables rules...
Setting up the new rules...
nVpn.net - Rules successfully applied, we start "watch" to verify IPtables in realtime (you can cancel it as usual CTRL + c)

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
  872 61288 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     2    --  eth0   *       192.168.0.0/24       224.0.0.0/4        
    0     0 ACCEPT     2    --  eth0   *       192.168.0.0/24       239.0.0.0/8        
    0     0 ACCEPT     all  --  eth0   *       192.168.0.0/24       0.0.0.0/0          
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:1194
   46  3432 logging    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
  872 61288 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     2    --  *      eth0    192.168.0.0/24       224.0.0.0/4        
    0     0 ACCEPT     udp  --  *      eth0    192.168.0.0/24       239.255.255.250      udp dpt:1900
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            192.168.0.0/24     
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:1194
 3514  247K logging    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain logging (2 references)
 pkts bytes target     prot opt in     out     source               destination        
    7   510 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 7 prefix "IPTables general: "
 3560  251K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


6. Verify if everything is working as intended: connect to the VPN and see if browsing works while using the VPN, if yes, good. Now disconnect from the VPN and again try if browsing works - if all is setup properly then you will not be able to ping/browse unless you are connected to the VPN!

(43 vote(s))
Helpful
Not helpful