soldave
Posts: 10
Joined: Mon Dec 03, 2012 12:53 am

Iptables killswitch not working correctly (Pi/OpenVPN)

Sun Dec 23, 2018 3:47 pm

Wondering if anyone can help me here. I'm trying to set up a VPN killswitch on my Raspberry Pi but having troubles with it. Have been following the guide on https://linuxconfig.org/how-to-create-a ... s-on-linux and have the following set up as my rules:


*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 209.222.18.222 -j ACCEPT
-A OUTPUT -d 209.222.18.218 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
But when I apply these rules, all my connections (except those already open) close and won't open. I can't run ping commands, can't access websites or servers, I lose local network access etc. Changing "-P OUTPUT DROP" to "-P OUTPUT ACCEPT" brings it back. Also, "-P INPUT DROP" loses me LAN network access, despite my LAN being on the 192.168.1.0 network with /24 subnet mask.

DNS servers are correctly matching what's in resolv.conf and also PIA servers, and my port number is correct. I've also checked using "curl ifconfig.me" that my VPN is active on the Pi. I'm new to playing around with iptables and rules as you can probably tell, but would appreciate any thoughts you might have on getting this killswitch working right.

bzt
Posts: 564
Joined: Sat Oct 14, 2017 9:57 pm

Re: Iptables killswitch not working correctly (Pi/OpenVPN)

Sun Dec 23, 2018 9:02 pm

soldave wrote (Sun Dec 23, 2018 3:47 pm):
> But when I apply these rules, all my connections (except those already open) close and won't open.
That's obvious, because your rules allow already open connections (RELATED for UDP and ICMP, ESTABLISHED for TCP channels).
> I can't run ping commands,
Ping usually uses the ICMP protocol, which you forgot to allow in your rules. You can also use UDP ping, which (again) is not allowed.
> can't access websites or servers, I lose local network access etc.
You should be able to access anything in the 192.168.1.0/24 local network, because you have allowed that. For web, you should allow the TCP ports 80 and 443.
> Changing "-P OUTPUT DROP" to "-P OUTPUT ACCEPT" brings it back.
Of course, because that changes the default policy. Iptables works this way: when a packet is sent or received, it's checked against the given ruleset (the OUTPUT table is used for sending, INPUT for receiving network packets). If no rule matches, then the default policy applies, same as if there were a last, all-catching rule in the table. Setting it to ACCEPT basically tells the kernel to allow anything regardless of whether it is allowed by the rules or not.
> Also, "-P INPUT DROP" loses me LAN network access, despite my LAN being on the 192.168.1.0 network with /24 subnet mask.
This should work. You have "-d LAN -j ACCEPT". I'm not sure about this; I'd suggest reading the kernel logs.
> DNS servers are correctly matching what's in resolv.conf and also PIA servers, and my port number is correct.
Nope, DNS is using UDP and TCP port 53 (or maybe 5353), which your ruleset doesn't allow. Check out the /etc/services file for the protocols you want to allow.
> I've also checked using "curl ifconfig.me" that my VPN is active on the Pi. I'm new to playing around with iptables and rules as you can probably tell, but would appreciate any thoughts you might have on getting this killswitch working right.
That's because you've allowed UDP 1198, used by your VPN. Which makes me wonder, are you sure you're accessing the LAN on the proper interface? Isn't it possible that you try to route 198.168.1.0/24 into tun0, so it's not the firewall that blocks, rather LAN packets are never sent to the right interface in the first place? What does "ip ro get 198.168.1.1" tell you? If the output has "dev tun0" in it, then you have a routing problem rather than a firewall problem. Does your VPN provider push a routing table? If so, you'll have to change your local LAN to another subnet, like 10.0.0.0/8. The same stands for DNS: what does "ip ro get 209.222.18.222" tell you?

Cheers,
bzt
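The script below is an added example, not code from either poster or from the linuxconfig guide. It places the ruleset as posted next to a corrected killswitch in iptables-save format, and adds a small lint that flags the problems visible in the posted rules: the "-o -lo" typo, the missing loopback rules, the INPUT chain that drops new connections from the LAN, and OUTPUT accepts that are not tied to an interface (those can leave through the physical NIC if routing sends them there, which is bzt's routing point). The physical interface name eth0 is an assumption (set WAN_IF for wlan0 etc.); the LAN range, UDP port 1198 and the PIA resolver addresses are taken from the thread. The route check mirrors bzt's "ip ro get" suggestion and only runs where iproute2 is available; applying the rules needs root and iptables-restore.

```shell
#!/bin/sh
# Added example: posted ruleset vs. corrected killswitch, plus an offline lint.
# WAN_IF is an assumption (the thread never names the physical interface).
WAN_IF=${WAN_IF:-eth0}

# Constructed copy of the ruleset as posted in the thread, kept for the lint.
posted_rules() {
cat <<'EOF'
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o -lo -j ACCEPT
-A OUTPUT -o tun0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 209.222.18.222 -j ACCEPT
-A OUTPUT -d 209.222.18.218 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
EOF
}

# Corrected killswitch in iptables-save syntax (":CHAIN POLICY [pkts:bytes]").
# Every OUTPUT accept is bound to an interface, so the only traffic that may
# leave on the physical NIC is the LAN and the VPN handshake itself.
killswitch_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback in both directions (local resolvers, OpenVPN management socket)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the Pi opened
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN both ways, physical interface only (keeps SSH into the Pi working)
-A INPUT -i $WAN_IF -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o $WAN_IF -d 192.168.1.0/24 -j ACCEPT
# the VPN handshake (UDP 1198 from the thread), physical interface only
-A OUTPUT -o $WAN_IF -p udp -m udp --dport 1198 -j ACCEPT
# everything else (DNS to 209.222.18.222/.218, ping, web) only via the tunnel
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
EOF
}

# lint_rules: reads a ruleset on stdin, prints one finding per line and
# returns the number of findings (0 = clean).
lint_rules() {
    rules=$(cat)
    n=0
    if printf '%s\n' "$rules" | grep -q -- '-o -lo'; then
        echo "malformed '-o -lo' (should be '-o lo'): loopback traffic is never matched"; n=$((n+1))
    fi
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' \
        || { echo "INPUT has no loopback accept"; n=$((n+1)); }
    printf '%s\n' "$rules" | grep -q -- '-A OUTPUT -o lo -j ACCEPT' \
        || { echo "OUTPUT has no loopback accept"; n=$((n+1)); }
    printf '%s\n' "$rules" | grep -q -- '-A INPUT .*-s 192.168.1.0/24' \
        || { echo "INPUT drops new connections from the LAN (no -s 192.168.1.0/24 rule)"; n=$((n+1)); }
    # OUTPUT accepts with no -o can bypass the tunnel if routing sends them elsewhere.
    leaks=$(printf '%s\n' "$rules" | grep -- '^-A OUTPUT' | grep -- '-j ACCEPT' | grep -v -- ' -o ')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/OUTPUT accept not bound to an interface: /'
        n=$(( n + $(printf '%s\n' "$leaks" | wc -l) ))
    fi
    return $n
}

# bzt's routing check: returns 0 when the kernel would send $1 into tun0,
# 1 when it would not, 2 when iproute2 is unavailable (e.g. not on Linux).
route_goes_via_tun() {
    command -v ip >/dev/null 2>&1 || return 2
    ip route get "$1" 2>/dev/null | grep -q 'dev tun0'
}

# Apply only after the lint passes; needs root and iptables-restore.
apply_killswitch() {
    killswitch_rules | lint_rules >/dev/null || return 1
    killswitch_rules | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_killswitch
elif [ "${1:-}" = "--lint" ]; then
    posted_rules | lint_rules
fi
```

Run it with `--lint` on any machine to see the findings against the posted ruleset, and `sudo sh killswitch.sh --apply` on the Pi once the interface name is right. The corrected set deliberately leaves out per-port rules for DNS, HTTP and HTTPS: with `-A OUTPUT -o tun0 -j ACCEPT` in place they are only needed if that traffic should also be allowed outside the tunnel, which is exactly what a killswitch is meant to prevent.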
