  1. #1
    Just Joined!
    Join Date
    Dec 2011
    Posts
    8

    Advice on setting firewall rules to allow internet with OpenVPN only


    Hello,

    Using openSUSE 12.1 x64 with KDE.

    I've had a look, but I'm not overly sure on the procedure required to set up the firewall to only allow internet connections when connected to openVPN.

    The primary reason is to stop the connection to and from the internet should the VPN drop its connection during usage. I am happy to prevent any internet access at all unless connected to the VPN, but it is quite important that while connected to the internet the connection remains encrypted via the VPN.

    I am not sure however to implement this. I would appreciate advice (or settings) required in order to achieve this. I'm assuming doing it via the Firewall settings in YaST would be the best way, but having looked nothing appeared obvious, so I've decided to ask here rather than mess up settings with trial and error.

    Thank you in advance.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Do you understand what a VPN is or does? You do not secure the internet with VPN. It sounds like you want to secure every connection to the internet and that isn't going to happen. VPN is for site to site tunneling to connect a remote business site to the central business site. If your users are going to log into www.somesite.com you aren't going to use VPN for this.

    Maybe you should explain a bit more of what you are trying to do.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Dec 2011
    Posts
    8
    Yes, I understand how it works, in principle.

    What I want to achieve is the filtering of all traffic through the VPN when it is logged in, and prevent any external connection when it is not.

    When connected to the VPN (according to my understanding) it does exactly this. But if it was to disconnect, it would no longer do so for obvious reasons. What I wanted to achieve was the connection to the internet to drop IF the VPN connection drops.

    When using the VPN under normal circumstances you would not always be immediately aware of this happening.

    I know in Windows I could use a netstat command (I do not have it to hand right now though) that once entered would do what I needed. In Linux however, I am not aware of how to do it, despite knowing my way around the OS generally.

    The reason I need the connection to work like this is in order to download sensitive files from a remote location, whilst ensuring the connection is fully encrypted during its transmission end to end. In Windows it works flawlessly, but I would much prefer to use Linux for this task, and dedicate a VM on my homeserver to do it once a day automatically as required.

  4. #4
    Guest
    Join Date
    Feb 2005
    Posts
    312
    You need to set some iptables rules - I found a thread at LQ which may help: iptables - only allow connections through vpn

  5. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by Leeky View Post
    What I want to achieve is the filtering of all traffic through the VPN when it is logged in, and prevent any external connection when it is not.
    OK, I now understand what you are looking for. You want this VM to only be able to connect to the remote site and nowhere else. A firewall will do this for you easily. What you need to do is allow your host to connect to the remote site using the port you need to set up the VPN. Then you need to only allow traffic out the VPN interface and drop everything else. The following code should set you up the way you want:

    Code:
    iptables -A OUTPUT -o lo -j ACCEPT        # keep loopback working (local resolver, IPC); the plain DROP below would otherwise block it
    iptables -A OUTPUT -o tun0 -j ACCEPT      # anything already inside the tunnel
    iptables -A OUTPUT -p udp -d 1.2.3.4 --dport 10000 -j ACCEPT   # the OpenVPN session itself; --dport needs a -p (use -p tcp for a TCP server)
    iptables -A OUTPUT -j DROP                # everything else
    Replace the IP address above with the remote host's IP address.
    The above assumes that the VPN port would be 10000 and the interface for the VPN would be tun0.

    Quote Originally Posted by caravel View Post
    You need to set some iptables rules - I found a thread at LQ which may help: iptables - only allow connections through vpn
    The Lazydog there and here are one and the same.

    Regards
    Robert

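The three rules above are the core of it, but a practical kill switch for a dedicated VM needs a few more pieces: an atomic load (so there is no window with an open policy while rules are being added one by one), an INPUT side that still accepts replies, an IPv6 table (a native IPv6 route would walk straight past a tun0-only rule), and a check the daily job can run before it starts downloading. The following POSIX shell script is an added example written for this page; it is not code from the thread or from the LQ thread linked above. The server address 203.0.113.10, port 1194/udp, the interface names tun0 and eth0 and the LAN 192.168.1.0/24 are all assumptions, overridable through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds (and optionally applies) a
# "kill switch" rule set for a dedicated VM: nothing leaves the box except the
# OpenVPN session to the server and traffic already inside the tunnel.
# Every address, port and interface name below is an assumption; override
# them via the environment to match your own setup.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # OpenVPN endpoint (documentation address, assumed)
VPN_PORT="${VPN_PORT:-1194}"               # OpenVPN's default port (assumed)
VPN_PROTO="${VPN_PROTO:-udp}"              # udp or tcp, must match the client config
VPN_IF="${VPN_IF:-tun0}"                   # tunnel interface OpenVPN creates
LAN_IF="${LAN_IF:-eth0}"                   # physical NIC of the VM (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # home LAN, kept reachable for ssh admin (assumed)

# Emit the IPv4 filter table in iptables-restore format. Loading it with
# iptables-restore instead of one iptables call per rule is atomic: there is
# no moment between "flush" and "last rule" in which the policy is still ACCEPT.
build_killswitch() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must always work (local resolver, OpenVPN management socket, ...)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to anything we opened ourselves (the VPN handshake, tunnelled flows)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# admin access from the home LAN only, never from the tunnel side
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
# the one thing allowed out over the physical NIC: the OpenVPN session itself
-A OUTPUT -o ${LAN_IF} -p ${VPN_PROTO} -d ${VPN_SERVER} --dport ${VPN_PORT} -j ACCEPT
# the LAN stays reachable (ssh replies, NAS); internet hosts are not in this range
-A OUTPUT -o ${LAN_IF} -d ${LAN_NET} -j ACCEPT
# everything inside the tunnel is fine; when ${VPN_IF} disappears this matches nothing
-A OUTPUT -o ${VPN_IF} -j ACCEPT
# anything else trying to leave is a leak attempt: log a sample, then the policy drops it
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "vpn-killswitch DROP: "
COMMIT
EOF
}

# No IPv6 is carried in this tunnel, so any native IPv6 path would bypass the
# VPN entirely. Block it except loopback.
build_killswitch6() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Load both tables. Needs root; replaces the whole filter table in one step.
apply_killswitch() {
  build_killswitch  | iptables-restore
  build_killswitch6 | ip6tables-restore
}

# Health check for the daily download job: succeed only if the tunnel
# interface exists and carries the UP flag. Returns 0 when up, 1 otherwise.
tunnel_is_up() {
  ip link show "$VPN_IF" 2>/dev/null | grep -q -e ',UP[,>]' -e 'state UP'
}

case "${1:-show}" in
  apply) apply_killswitch ;;
  check) tunnel_is_up && echo "tunnel $VPN_IF is up" || { echo "tunnel $VPN_IF is down" >&2; exit 1; } ;;
  *)     build_killswitch ;;   # default: print the IPv4 rules for review
esac
```

Run it without arguments to review the generated rules, then `apply` as root to load them and `check` from the cron job before starting any download. Two things to watch on openSUSE 12.1: SuSEfirewall2, which is what the YaST firewall module configures, rewrites the tables when it starts, so either disable it on this VM or place these rules in its custom-rules script; and because DNS over eth0 is blocked, the OpenVPN client config must name the server by IP (`remote 203.0.113.10 1194` in this example), with name resolution for everything else answered through the tunnel.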

  6. #6
    Just Joined!
    Join Date
    Dec 2011
    Posts
    8
    Thanks guys, I'll have a look into this later on, and report back if I need any more guidance.

    Thanks once again.

  7. #7
    Guest
    Join Date
    Feb 2005
    Posts
    312
    Quote Originally Posted by Lazydog View Post
    The Lazydog there and here are one and the same.
    Yes I noticed after finding the thread and posting the link... still I am proud of the small role I played here...

  8. #8
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Helping someone is never a small role. At least not to them.

    Regards
    Robert

