Added firewall rules for OPENVPN kill switch #1640

Status: Open. Wants to merge 1 commit into base: master.
70 changes: 70 additions & 0 deletions OPENVPN_KILL_SWITCH.txt
@@ -0,0 +1,70 @@

#RASPAP KILL SWITCH#
#Tested on OPEN VPN#
# ***NOTHING*** passes if openvpn tunnel drops.
# Previously, masquerade would pass traffic if tunnel disappeared.
# These rules stop that


# ***** First: clear every possible user setting ******
# Accept all traffic first to avoid ssh lockdown via iptables firewall rules #
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush All Iptables Chains/Firewall rules #
iptables -F

# Delete all Iptables Chains #
iptables -X

# Flush all counters too #
iptables -Z
# Flush and delete all nat and mangle #
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

# **** Now apply tight firewall rules
# RASPAP relies on Masquerading - which means forwarding.
# Do not allow any forwarded packet that doesnt travel thru a wg+ or tun+ interface

# lo traffic very ok
iptables -A INPUT -i lo -j ACCEPT

#All local lan traffic ok - assumes 192.168.1.1 to 192.168.255.255
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

#Emergency override - put your mac address here
iptables -A INPUT -m mac --mac-source MACADDRESS -j ACCEPT

#Do not allow tun to tun packets
iptables -A FORWARD -i tun+ -o +tun+ -j DROP

#Do not allow anything from TUN to hit local network - someone is probing when they do this
iptables -A FORWARD -s 192.168.0.0/16 -i tun+ -j DROP

#Very ok - tun to wlan - this is what we want
iptables -A FORWARD -i tun+ -o wlan+ -j ACCEPT

#Very ok wlan to tun
iptables -A FORWARD -i wlan+ -o tun+ -j ACCEPT

#very ok eth to tun
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT

#Very ok tun to eth
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT

#very ok - any established connection from tun to wlan
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

#very ok all output packets
iptables -A OUTPUT -j ACCEPT

#NAT rules (forwarding)
iptables -A POSTROUTING -j MASQUERADE
iptables -A POSTROUTING -o tun0 -j MASQUERADE
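Review bot: the kill switch never actually closes the door. The hunk sets `iptables -P FORWARD ACCEPT` (and INPUT/OUTPUT ACCEPT) in the flush phase and no later line changes the policy back, so any forwarded packet that matches none of the explicit FORWARD rules, for example wlan+ to eth+ once tun0 is gone, is still accepted by default, which is exactly the leak the header comment says these rules prevent. After the explicit ACCEPT rules, add `iptables -P FORWARD DROP`, and since the INPUT allow-list for lo, 192.168.0.0/16 and the MAC override only has a purpose under a deny-by-default policy, also `iptables -P INPUT DROP` with a `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule placed first in INPUT, otherwise the OpenVPN server's replies to the router itself are dropped and the tunnel can never come up. Three smaller problems in the same hunk: both POSTROUTING lines are missing `-t nat`, so `iptables -A POSTROUTING -j MASQUERADE` fails with "No chain/target/match by that name" in the filter table, and the first of them, once fixed, masquerades on every outgoing interface including eth0 rather than only tun0, which on its own defeats the kill switch; `-o +tun+` in the tun-to-tun DROP rule is a typo for `-o tun+` (iptables treats only a trailing `+` as a wildcard, so this rule matches nothing); and the `-i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED` rule is already covered by the `-i tun+ -o wlan+ -j ACCEPT` rule above it, so it is redundant as written and would be better replaced by a single `-m conntrack --ctstate RELATED,ESTABLISHED` accept at the top of FORWARD. Also, the comment on the LAN rule says "192.168.1.1 to 192.168.255.255" but `192.168.0.0/16` also includes 192.168.0.x. Finally, the file is a .txt with no shebang and a literal `MACADDRESS` placeholder, so it cannot be applied as-is; a short note at the top on how it is meant to be run, and that the MAC-based override is only as trustworthy as the MAC address itself, would help users of the kill switch.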