Trying to create IP tables rules on vpn ProxyVM to only allow access to LAN and VPN IPs

31 views
Skip to first unread message

Fredrik

unread,
Sep 12, 2016, 5:56:13 PM9/12/16
to qubes-users
I found some instructions on stackexhange but they are probably ment to be used on the same computer as you are surfing from.

If I run this and disconnect my VPN nothing is blocked. What am I doing wrong?

iptables -P FORWARD DROP # we aren't a router
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT # my LAN and looks like I got an internal ip from my VPN provider
iptables -A INPUT -s 196.52.17.0 -j ACCEPT # vpn ip
iptables -A INPUT -s 213.179.212.2 -j ACCEPT # vpn ip
iptables -A INPUT -s 213.179.208.146 -j ACCEPT # vpn ip
iptables -P INPUT DROP # Drop everything we don't accept


Traceroute from a VM

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.137.2.1 (10.137.2.1) 2.430 ms 2.414 ms 2.404 ms
2 10.137.5.1 (10.137.5.1) 2.399 ms 2.383 ms 2.373 ms
3 10.137.1.1 (10.137.1.1) 2.526 ms 2.516 ms 2.498 ms
4 192.168.1.1 (192.168.1.1) 5.915 ms 5.917 ms 5.902 ms
then out to the internet


// Fredrik

Chris Laprise

unread,
Sep 12, 2016, 11:34:59 PM9/12/16
to Fredrik, qubes-users
If you're using a dedicated proxyvm, then putting the rules in INPUT
won't help. Contrary to the first iptables comment, you are a router in
that case.

You could try the Qubes vpn doc[1], and configure your vpn client to
route everything over the tunnel as a gateway (typical configuration).
Then add a firewall proxyvm that has a rule to block everything that
isn't DNS or destined for your LAN subnet--connect your LAN-using vms to
this. OR you can just use your regular sys-firewall and specify that
blockage in the firewall settings tab for your appvm(s). These methods
take advantage of modular networking in Qubes.

Alternately, you can use the Qubes vpn doc and add an internal rule to
FORWARD *ahead* of the eth0 (clearnet-blocking) lines to allow your LAN
subnet. However in this case your vpn client or connect script will have
to set the route for the LAN also (which may already be the case). The
vpn doc setup also re-routes all DNS over the vpn tunnel, so that is
something to keep in mind for this option.

Chris

1. https://www.qubes-os.org/doc/vpn/
Reply all
Reply to author
Forward
0 new messages