Added firewall rules for OPENVPN kill switch

frankozland 2024-08-18 08:33:10 -04:00 committed by GitHub
parent 57199def06
commit 62978a7755
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

70
OPENVPN_KILL_SWITCH.txt Normal file

@ -0,0 +1,70 @@
#RASPAP KILL SWITCH#
#Tested on OPEN VPN#
# ***NOTHING*** passes if openvpn tunnel drops.
# Previously, masquerade would pass traffic if tunnel disappeared.
# These rules stop that
# ***** First: clear every possible user setting ******
# Accept all traffic first to avoid ssh lockdown via iptables firewall rules #
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush All Iptables Chains/Firewall rules #
iptables -F
# Delete all Iptables Chains #
iptables -X
# Flush all counters too #
iptables -Z
# Flush and delete all nat and mangle #
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
# **** Now apply tight firewall rules
# RASPAP relies on Masquerading - which means forwarding.
# Do not allow any forwarded packet that doesnt travel thru a wg+ or tun+ interface
# lo traffic very ok
iptables -A INPUT -i lo -j ACCEPT
#All local lan traffic ok - assumes 192.168.1.1 to 192.168.255.255
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
#Emergency override - put your mac address here
iptables -A INPUT -m mac --mac-source MACADDRESS -j ACCEPT
#Do not allow tun to tun packets
iptables -A FORWARD -i tun+ -o +tun+ -j DROP
#Do not allow anything from TUN to hit local network - someone is probing when they do this
iptables -A FORWARD -s 192.168.0.0/16 -i tun+ -j DROP
#Very ok - tun to wlan - this is what we want
iptables -A FORWARD -i tun+ -o wlan+ -j ACCEPT
#Very ok wlan to tun
iptables -A FORWARD -i wlan+ -o tun+ -j ACCEPT
#very ok eth to tun
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
#Very ok tun to eth
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT
#very ok - any established connection from tun to wlan
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#very ok all output packets
iptables -A OUTPUT -j ACCEPT
#NAT rules (forwarding)
iptables -A POSTROUTING -j MASQUERADE
iptables -A POSTROUTING -o tun0 -j MASQUERADE