02-28-2012 #1
Advice on setting firewall rules to allow internet with OpenVPN only
Hello,
Using openSUSE 12.1 x64 with KDE.
I've had a look, but I'm not overly sure on the procedure required to set up the firewall to only allow internet connections when connected to openVPN.
The primary reason is to stop the connection to and from the internet should the VPN drop its connection during usage. I am happy to prevent any internet access at all unless connected to the VPN, but it is quite important that while connected to the internet the connection remains encrypted via the VPN.
I am not sure, however, how to implement this. I would appreciate advice (or settings) required in order to achieve this. I'm assuming doing it via the Firewall settings in YaST would be the best way, but having looked nothing appeared obvious, so I've decided to ask here rather than mess up settings with trial and error.
Thank you in advance.
02-29-2012 #2
Do you understand what a VPN is or does? You do not secure the internet with VPN. It sounds like you want to secure every connection to the internet and that isn't going to happen. VPN is for site to site tunneling to connect a remote business site to the central business site. If your users are going to log into www.somesite.com you aren't going to use VPN for this.
Maybe you should explain a bit more of what you are trying to do.
02-29-2012 #3
Yes, I understand how it works, in principle.
What I want to achieve is the filtering of all traffic through the VPN when it is logged in, and prevent any external connection when it is not.
When connected to the VPN (according to my understanding) it does exactly this. But if it was to disconnect, it would no longer do so for obvious reasons. What I wanted to achieve was the connection to the internet to drop IF the VPN connection drops.
When using the VPN under normal circumstances you would not always be immediately aware of this happening.
I know in Windows I could use a netstat command (I do not have it to hand right now though) that once entered would do what I needed. In Linux however, I am not aware of how to do it, despite knowing my way around the OS generally.
The reason I need the connection to work like this is in order to download sensitive files from a remote location, whilst ensuring the connection is fully encrypted during its transmission end to end. In Windows it works flawlessly, but I would much prefer to use Linux for this task, and dedicate a VM on my homeserver to do it once a day automatically as required.
02-29-2012 #4
You need to set some iptables rules - I found a thread at LQ which may help: iptables - only allow connections through vpn
03-01-2012 #5
OK, I now understand what you are looking for. You want this VM to only be able to connect to the remote site and nowhere else. A firewall will do this for you easily. What you need to do is allow your host to connect to the remote site using the port you need to set up the VPN. Then you need to only allow traffic out the VPN interface and drop everything else. The following code should set you up the way you want:
Code:
iptables -A OUTPUT -o tun0 -j ACCEPT
# --dport is only valid together with -p tcp or -p udp; udp is OpenVPN's default
iptables -A OUTPUT -p udp -d 1.2.3.4 --dport 10000 -j ACCEPT
iptables -A OUTPUT -j DROP
Replace the ip address above with the remote host's ip address.
The above assumes that the VPN port would be 1000 and the interface for the VPN would be tun0.
The Lazydog there and here are one and the same.
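An added example, not from any poster in this thread, that builds the rule set post #5 describes as a complete iptables-restore file: default-deny policies, loopback and reply traffic allowed, a single cleartext exception for the VPN endpoint, and everything else confined to tun0, so the clearnet path fails closed the moment the tunnel goes away. The endpoint address 198.51.100.10, port 1194/udp and interface tun0 are assumed placeholders, and the `-m conntrack` match is assumed to be available on the kernel.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables "kill switch" for an
# OpenVPN client in iptables-restore format. Assumed values: endpoint 198.51.100.10
# (documentation placeholder), udp/1194 (OpenVPN's default), tunnel interface tun0.
VPN_HOST="${VPN_HOST:-198.51.100.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"

# Emit the full filter table. Default policies are DROP so that a missing
# rule fails closed; iptables-restore ignores lines starting with '#'.
killswitch_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local resolver, OpenVPN management socket, etc.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to flows this host opened (the tunnel handshake, tunnelled traffic)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the single cleartext flow allowed: the VPN endpoint itself
-A OUTPUT -p $VPN_PROTO -d $VPN_HOST --dport $VPN_PORT -j ACCEPT
# everything else may only leave through the tunnel interface
-A OUTPUT -o $TUN_IF -j ACCEPT
# with the tunnel down, these rules log the leak attempt and then drop it
-A OUTPUT -j LOG --log-prefix "killswitch-drop: " --log-level 4
-A OUTPUT -j DROP
COMMIT
EOF
}

# Self-check: count OUTPUT ACCEPT rules not bound to loopback, the tunnel,
# connection state, or the VPN endpoint. Any such rule would leak in the clear.
leak_rule_count() {
    killswitch_rules | grep '^-A OUTPUT' | grep 'ACCEPT' \
        | grep -v -e "-o $TUN_IF" -e '-o lo' -e '--ctstate' -e "-d $VPN_HOST" \
        | wc -l | tr -d ' '
}

# Load into the kernel only when explicitly asked and running as root;
# otherwise just print the rule set for review.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    killswitch_rules | iptables-restore
else
    killswitch_rules
fi
```

Run it with `apply` as root to load the rules; without arguments it only prints them so they can be reviewed first.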
03-01-2012 #6
Thanks guys, I'll have a look into this later on, and report back if I need any more guidance.
Thanks once again.
03-01-2012 #7
03-01-2012 #8
Helping someone is never a small role. At least not to them.