FranceBB, posted December 14, 2018

Hi, I have Fedora 29 and a few connections listed below:

    NAME                   UUID                                  TYPE      DEVICE
    Hotspot                ad2a19b6-6347-4e48-a6f7-1446d4a96d0d  wifi      wlp2s0
    pan1                   0611ae9d-dd40-49b6-91bb-16d95ff21624  bridge    pan1
    tun0                   447c77d6-005a-422f-b93a-ac4e40474460  tun       tun0
    uk656.nordvpn.com.udp  f68bfe83-7c23-4bff-9bd8-996510849ea4  vpn       enp0s20f
    virbr0                 6db6a458-7832-414c-9e6f-917a3e7e494b  bridge    virbr0
    Wired connection 1     9a79441a-2644-3cc9-9cb0-0376935fc0e7  ethernet  enp0s20f

As you can see, "enp0s20f" is the ethernet, then there's my VPN and finally there's "wlp2s0", which is my Wi-Fi hotspot. The idea is basically to get internet from my router, route the traffic through the VPN and then send out a Wi-Fi hotspot signal to allow devices to connect using my VPN. So far so good. The problem is that I had to implement a kill switch. To do so, I used UFW, blocking all the incoming and outgoing connections except the ones from/to the VPN servers (I specified their IPs).
    To                         Action     From
    --                         ------     ----
    SSH                        ALLOW      Anywhere
    224.0.0.251 mDNS           ALLOW      Anywhere
    Anywhere on wlp2s0         DENY       Anywhere
    SSH (v6)                   ALLOW      Anywhere (v6)
    ff02::fb mDNS              ALLOW      Anywhere (v6)
    Anywhere (v6) on wlp2s0    DENY       Anywhere (v6)
    89.238.183.8               ALLOW OUT  Anywhere
    81.92.202.17               ALLOW OUT  Anywhere
    89.238.142.133             ALLOW OUT  Anywhere
    Anywhere                   ALLOW OUT  Anywhere on tun0
    81.92.203.47               ALLOW OUT  Anywhere
    185.169.255.20             ALLOW OUT  Anywhere
    185.195.202.28             ALLOW OUT  Anywhere
    195.12.49.141              ALLOW OUT  Anywhere
    185.195.202.20             ALLOW OUT  Anywhere
    185.195.202.22             ALLOW OUT  Anywhere
    23.226.129.171             ALLOW OUT  Anywhere
    104.222.153.56             ALLOW OUT  Anywhere
    185.217.69.182             ALLOW OUT  Anywhere
    194.242.11.142             ALLOW OUT  Anywhere
    82.102.22.91               ALLOW OUT  Anywhere
    Anywhere                   DENY OUT   Anywhere on wlp2s0
    195.12.49.141              ALLOW OUT  Anywhere on wlp2s0
    Anywhere (v6)              ALLOW OUT  Anywhere (v6) on tun0
    Anywhere (v6)              DENY OUT   Anywhere (v6) on wlp2s0

It works like a charm on my computer, but devices on my Wi-Fi hotspot are not affected by any rule set in UFW. I found another person with the same issue (but with Ubuntu instead of Fedora): https://askubuntu.com/questions/1032183/ufw-doesnt-work-with-hotspot

Why is that?

Thank you in advance,
Frank.
FranceBB (author), posted December 18, 2018

This is the nmap output from the Fedora host:

    Starting Nmap 6.47 ( http://nmap.org ) at 2018-12-18 02:28 Coordinated Universal Time
    Nmap scan report for |||||||||||||||
    Host is up (0.028s latency).
    Not shown: 96 filtered ports
    PORT     STATE  SERVICE
    80/tcp   open   http
    88/tcp   open   kerberos-sec
    443/tcp  open   https
    8080/tcp closed http-proxy

    Nmap done: 1 IP address (1 host up) scanned in 6.12 seconds

This is the route on the host:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         _gateway        0.0.0.0         UG    50     0        0 tun0
    default         _gateway        0.0.0.0         UG    20100  0        0 enp0s20f0u5
    10.8.8.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
    10.42.0.0       0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0
    10.59.70.0      0.0.0.0         255.255.255.0   U     0      0        0 pan1
    192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s20f0u5
    _gateway        0.0.0.0         255.255.255.255 UH    100    0        0 enp0s20f0u5
    192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
    195.12.49.141   _gateway        255.255.255.255 UGH   100    0        0 enp0s20f0u5

I also tried with

    sudo iptables -A INPUT --src 195.12.49.141 -j ACCEPT -i wlp2s0
    sudo iptables -A OUTPUT -d 195.12.49.141 -j ACCEPT -o wlp2s0

but nothing changed.

I'm now trying a different approach, which is routing all the traffic from wlp2s0 to tun0, but unfortunately I don't know how to do that. I tried with:

    sudo ip route add 10.42.0.0/24 via 0.0.0.0 dev tun0

but nothing happened.

    sudo iptables -t nat -A POSTROUTING -s 10.42.0.29 -o tun0 -j MASQUERADE
    sudo iptables -t nat -A POSTROUTING -s 10.42.0.0 -o tun0 -j MASQUERADE
    sudo iptables -t nat -A POSTROUTING -s 10.42.0.1 -o tun0 -j MASQUERADE

didn't work either.

Routing wlp2s0 to the IP address of tun0 prevents devices connecting to the Wi-Fi from accessing the internet:

    sudo iptables -t nat -A PREROUTING -i wlp2s0 -p tcp -j DNAT --to-destination 10.8.8.0
    sudo iptables -t nat -A PREROUTING -i wlp2s0 -p udp -j DNAT --to-destination 10.8.8.0

Routing wlp2s0 to the IP address of my ethernet prevents devices connecting to the Wi-Fi from accessing the internet:

    sudo iptables -t nat -A PREROUTING -i wlp2s0 -p tcp -j DNAT --to-destination 10.8.8.0
    sudo iptables -t nat -A PREROUTING -i wlp2s0 -p udp -j DNAT --to-destination 10.8.8.0

Routing wlp2s0 to the external IP address of my VPN prevents devices connecting to the Wi-Fi from accessing the internet:

    sudo iptables -t nat -A PREROUTING -i wlp2s0 -p udp -j DNAT --to-destination 192.168.0.0
    sudo iptables -t nat -A PREROUTING -i wlp2s0 -p tcp -j DNAT --to-destination 192.168.0.0

In other words, it's a mess.

Edited December 18, 2018 by FranceBB
PROBLEMCHYLD, posted December 19, 2018

Does your router have DMZ mode?
FranceBB (author), posted December 20, 2018

Yes, it supports a demilitarized zone.
PROBLEMCHYLD, posted December 20, 2018

I just switched my Slackware Linux to Wi-Fi hotspot and it respects the iptables rules. Here are my rules; they might help you if nothing else.

    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    iptables -N drop_invalid
    iptables -A OUTPUT -m state --state INVALID -j drop_invalid
    iptables -A INPUT -m state --state INVALID -j drop_invalid
    iptables -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid
    iptables -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY"
    iptables -A drop_invalid -j DROP
    iptables -N RULE_0
    iptables -A INPUT -i wlan0 -s darkstar -j RULE_0
    iptables -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY"
    iptables -A RULE_0 -j DROP
    iptables -N RULE_1
    iptables -A INPUT -p icmp -m icmp --icmp-type any -j RULE_1
    iptables -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY"
    iptables -A RULE_1 -j DROP
    iptables -N RULE_2
    iptables -A INPUT -p tcp -m tcp --dport 43 -j RULE_2
    iptables -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY"
    iptables -A RULE_2 -j DROP
    iptables -N RULE_3
    iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -j RULE_3
    iptables -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY"
    iptables -A RULE_3 -j DROP
    iptables -N RULE_4
    iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j RULE_4
    iptables -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY"
    iptables -A RULE_4 -j DROP
    iptables -N RULE_5
    iptables -A INPUT -p all -f -j RULE_5
    iptables -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY"
    iptables -A RULE_5 -j DROP
    iptables -N RULE_6
    iptables -A INPUT -p udp -m udp --dport 513 -j RULE_6
    iptables -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY"
    iptables -A RULE_6 -j DROP
    iptables -N RULE_7
    iptables -A INPUT -p udp -m udp --dport 33434:33524 -j RULE_7
    iptables -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY"
    iptables -A RULE_7 -j DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A FORWARD -o lo -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --sport 67 --dport 68 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p udp -m multiport --dports 500,1701,4500 -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp -m multiport --dports 6667,6697 -m state --state NEW -j ACCEPT
    iptables -N RULE_9
    iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j RULE_9
    iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j RULE_9
    iptables -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- ACCEPT"
    iptables -A RULE_9 -j ACCEPT
    iptables -N RULE_10
    iptables -A OUTPUT -p 47 -j RULE_10
    iptables -A INPUT -p 47 -j RULE_10
    iptables -A OUTPUT -p tcp -m tcp --dport 1723 -j RULE_10
    iptables -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- ACCEPT"
    iptables -A RULE_10 -j ACCEPT
    iptables -N RULE_11
    iptables -A OUTPUT -p tcp -m tcp --dport 3389 -j RULE_11
    iptables -A OUTPUT -p udp -m udp --dport 3389 -j RULE_11
    iptables -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- ACCEPT"
    iptables -A RULE_11 -j ACCEPT
    iptables -N RULE_12
    iptables -A OUTPUT -p tcp -m multiport --dports 43772,1024:65535 -j RULE_12
    iptables -A OUTPUT -p udp -m multiport --dports 43772,1024:65535 -j RULE_12
    iptables -A RULE_12 -j LOG --log-level info --log-prefix "RULE 12 -- ACCEPT"
    iptables -A RULE_12 -j ACCEPT
    iptables -N RULE_13
    iptables -A OUTPUT -p udp -m udp -j RULE_13
    iptables -A INPUT -p udp -m udp -j RULE_13
    iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY"
    iptables -A RULE_13 -j DROP
    iptables -N RULE_14
    iptables -A OUTPUT -p tcp -m tcp -j RULE_14
    iptables -A INPUT -p tcp -m tcp -j RULE_14
    iptables -A RULE_14 -j LOG --log-level info --log-prefix "RULE 14 -- DENY"
    iptables -A RULE_14 -j DROP
    iptables -N RULE_15
    iptables -A OUTPUT -d darkstar -j RULE_15
    iptables -A INPUT -j RULE_15
    iptables -A RULE_15 -j LOG --log-level info --log-prefix "RULE 15 -- DENY"
    iptables -A RULE_15 -j DROP

Edited March 1, 2019 by PROBLEMCHYLD: updated firewall rules
PROBLEMCHYLD, posted December 21, 2018

My rules come from here, in case you're wondering: https://www.wilderssecurity.com/threads/tutorial-expert-linux-firewalling.376935/
FranceBB (author), posted December 25, 2018

I don't get it. What I did was:

1) Removing all the former rules

    sudo iptables -F

2) Denying everything

    sudo iptables -P INPUT DROP
    sudo iptables -P OUTPUT DROP
    sudo iptables -P FORWARD DROP

3) Accepting the loopback

    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A OUTPUT -o lo -j ACCEPT

4) Allowing internal networking (i.e. connecting to my router)

    sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    sudo iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT

5) Enabling the OpenVPN port

    sudo iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
    sudo iptables -A INPUT -p udp --sport 1194 -j ACCEPT

6) Enabling the VPN server IP address

    sudo iptables -A INPUT -s xxx.xx.xx.xxx -j ACCEPT
    sudo iptables -A OUTPUT -d xxx.xx.xx.xxx -j ACCEPT

7) Enabling tun0, which is the internal connection to the VPN

    sudo iptables -A OUTPUT -o tun+ -j ACCEPT
    sudo iptables -A INPUT -i tun+ -j ACCEPT

It actually works for my computer, and as soon as the VPN connection drops all the traffic is blocked, which is fine, but when I share my connection using Linux as a Wi-Fi hotspot, the devices connected to it can connect without the VPN if tun0 goes offline, which is exactly the same situation I had before with UFW... I need all of wlp2s0 to use tun0 only as its source of traffic. I tried with

    sudo iptables -A FORWARD -i tun0 -o wlp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

but it's the same...
    sudo ifconfig -a
    enp0s20f0u5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.114  netmask 255.255.255.0  broadcast 192.168.0.255
            inet6 fe80::81d2:ca64:9358:261d  prefixlen 64  scopeid 0x20<link>
            ether 06:e1:fe:ad:3b:8a  txqueuelen 1000  (Ethernet)
            RX packets 51969  bytes 34961450 (33.3 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 54430  bytes 29211706 (27.8 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    enp3s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether 70:4d:7b:46:72:a7  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 238  bytes 20064 (19.5 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 238  bytes 20064 (19.5 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    pan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.59.70.11  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::34b6:bcff:fe0a:3f4b  prefixlen 64  scopeid 0x20<link>
            ether 36:b6:bc:0a:3f:4b  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 245  bytes 10834 (10.5 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.8.8.201  netmask 255.255.255.0  destination 10.8.8.201
            inet6 fe80::65bd:f28a:9ac:3e3a  prefixlen 64  scopeid 0x20<link>
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
            RX packets 1099  bytes 531983 (519.5 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 1114  bytes 149277 (145.7 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
            ether 52:54:00:c9:d0:a4  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    virbr0-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether 52:54:00:c9:d0:a4  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
            inet6 fe80::bca5:7f7b:cbec:5bd3  prefixlen 64  scopeid 0x20<link>
            ether e2:74:fa:a9:36:4b  txqueuelen 1000  (Ethernet)
            RX packets 25386  bytes 22922627 (21.8 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 20010  bytes 7900762 (7.5 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Edited December 25, 2018 by FranceBB
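The thread's rule sets only touch INPUT and OUTPUT, which the hotspot clients' packets never traverse: the host forwards them, so only the FORWARD chain (and nat/POSTROUTING) can gate them. The script below is an added example, not code from the thread or from any participant. It installs a FORWARD-chain kill switch using the interface names and subnet the thread shows (wlp2s0, tun0, enp0s20f0u5, 10.42.0.0/24), and includes a small checker that reads `iptables -S FORWARD` output and reports whether a hotspot client's new flow towards the uplink would be accepted. It assumes the hotspot was created with NetworkManager's connection sharing, which is taken here to append its own FORWARD ACCEPT rules for the hotspot subnet; the two rule listings in the script are constructed samples, not captures from the host in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): a FORWARD-chain kill switch for a
# Linux Wi-Fi hotspot whose clients may only reach the internet through the VPN.
# Packets from hotspot clients are forwarded by the host, so they never pass
# through INPUT or OUTPUT; only FORWARD (and nat/POSTROUTING) sees them, which
# is why the INPUT/OUTPUT rules in the thread leave the clients unaffected.
# Interface names and subnet are taken from the thread; override by environment.
HOTSPOT_IF="${HOTSPOT_IF:-wlp2s0}"
VPN_IF="${VPN_IF:-tun0}"
UPLINK_IF="${UPLINK_IF:-enp0s20f0u5}"
HOTSPOT_NET="${HOTSPOT_NET:-10.42.0.0/24}"

# One iptables command per line. The rules are inserted at fixed positions at
# the top of FORWARD so they win over any ACCEPT rules that a connection-sharing
# helper (assumed here: NetworkManager's shared mode) appends for the hotspot.
# Anything from the hotspot that is not leaving via the VPN is logged and
# dropped, so when tun0 goes away the clients lose connectivity instead of
# silently falling back to the uplink.
killswitch_rules() {
    cat <<EOF
iptables -I FORWARD 1 -s $HOTSPOT_NET -i $HOTSPOT_IF -o $VPN_IF -j ACCEPT
iptables -I FORWARD 2 -d $HOTSPOT_NET -i $VPN_IF -o $HOTSPOT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i $HOTSPOT_IF -m limit --limit 5/min -j LOG --log-prefix "HOTSPOT-LEAK: "
iptables -I FORWARD 4 -i $HOTSPOT_IF -j DROP
iptables -I FORWARD 5 -o $HOTSPOT_IF -j DROP
iptables -t nat -I POSTROUTING 1 -s $HOTSPOT_NET -o $VPN_IF -j MASQUERADE
EOF
}

# Execute the rules (needs root). Stops at the first failing command.
apply_killswitch() {
    killswitch_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || return 1
    done
}

# Read `iptables -S FORWARD` output on stdin and decide whether the first
# packet of a new flow from a hotspot client towards the uplink is dropped.
# Exit status 0 = sealed, 1 = a rule (or the chain policy) would accept it.
hotspot_forward_is_sealed() {
    awk -v hs="$HOTSPOT_IF" -v vpn="$VPN_IF" -v up="$UPLINK_IF" '
    BEGIN { policy = "ACCEPT"; decided = 0; verdict = 1 }
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 == "-A" && $2 == "FORWARD" {
        in_if = ""; out_if = ""; target = ""; states = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            else if ($i == "-o") out_if = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
        }
        if (in_if != "" && in_if != hs) next                 # not hotspot ingress
        if (out_if != "" && out_if != up) next               # not uplink egress
        if (states != "" && index(states, "NEW") == 0) next  # existing flows only
        if (target == "ACCEPT") { decided = 1; verdict = 1; exit }
        if (target == "DROP" || target == "REJECT") { decided = 1; verdict = 0; exit }
    }
    END { if (!decided) verdict = (policy == "DROP") ? 0 : 1; exit verdict }'
}

# Constructed samples (not captured from the thread's host). The first mimics
# the rules a sharing helper adds in front of a DROP policy; the second is the
# chain after killswitch_rules has been applied on top of it.
SAMPLE_LEAKY='-P FORWARD DROP
-A FORWARD -d 10.42.0.0/24 -o wlp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i wlp2s0 -j ACCEPT
-A FORWARD -i wlp2s0 -o wlp2s0 -j ACCEPT
-A FORWARD -o wlp2s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wlp2s0 -j REJECT --reject-with icmp-port-unreachable'

SAMPLE_SEALED='-P FORWARD DROP
-A FORWARD -s 10.42.0.0/24 -i wlp2s0 -o tun0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -i tun0 -o wlp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlp2s0 -m limit --limit 5/min -j LOG --log-prefix "HOTSPOT-LEAK: "
-A FORWARD -i wlp2s0 -j DROP
-A FORWARD -o wlp2s0 -j DROP
-A FORWARD -s 10.42.0.0/24 -i wlp2s0 -j ACCEPT'

report() {  # $1 = label, $2 = rule listing
    if printf '%s\n' "$2" | hotspot_forward_is_sealed; then
        echo "$1: sealed (hotspot -> uplink is dropped before any ACCEPT)"
    else
        echo "$1: LEAK (hotspot -> uplink would be accepted)"
    fi
}

case "${1:-show}" in
    apply) apply_killswitch ;;
    audit) iptables -S FORWARD | hotspot_forward_is_sealed && echo sealed || echo LEAK ;;
    *)     killswitch_rules
           report "sample-leaky" "$SAMPLE_LEAKY"
           report "sample-sealed" "$SAMPLE_SEALED" ;;
esac
```

Run it with no argument to print the rules and evaluate the two samples, `audit` as root to check the live FORWARD chain, and `apply` as root to install the rules. The DROP at position 4 matches every packet entering from the hotspot that was not already accepted by the VPN-bound rule above it, so it also covers the moment tun0 disappears and the default route falls back to the uplink; the log rule in front of it makes those attempts visible in the kernel log without flooding it. Because the sharing helper re-creates its own rules when the hotspot is restarted, the rules are worth re-applying from a hook that fires whenever wlp2s0 or tun0 comes up.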