HOWTO: leak protection with iptables

Guides, HOWTOs etc. on how to set up Cryptostorm on PCs, smartphones, tablets and routers.

Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

HOWTO: leak protection with iptables

Postby Lignus » Sun Nov 24, 2013 5:21 pm

Desu:

Try the following:

Code:

iptables -A INPUT -i wan_interface_name_here -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o wan_interface_name_here -d 70.38.46.226 -j ACCEPT

You are still going to have DNS leaks upon disconnects unless you change the DD-WRT to assign DNS servers other than itself. If your client requests a DNS for a domain and you are not connected to the VPN, your router will happily resolve it in the open and relay it to your clients. That is why my iptables config is super paranoid, just for things like this.

You need to set DHCP option 6 to assign custom DNS servers.

Here is what iptables looks like, let me know if you have any questions, but I tried to make it very readable:

Code:

# FLUSH (clear) any IPv6 rules
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -F

# DROP all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# ALLOW two-way traffic from LAN to VPN
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# **************************************************************** #
# DROP all traffic to the WAN that originates from the LAN clients #
# This prevents LAN traffic from going out unencrypted!            #
# **************************************************************** #
iptables -I FORWARD -i br-lan -o br-wan -j DROP
iptables -I FORWARD -i br-wan -o br-lan -j DROP

# ALLOW NAT to VPN
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# ALLOW HTTP, SSH, and DHCP access to router only over LAN interface
iptables -A INPUT -p tcp -i br-lan --dport 80 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p tcp -i br-lan --dport 22 -d 10.13.37.1 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 68 -j ACCEPT
iptables -A INPUT -p udp -i br-lan --dport 67 -j ACCEPT

# ALLOW solicited traffic on WAN/VPN interface
iptables -A INPUT -i br-wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# DROP unsolicited traffic on ALL interfaces
iptables -A INPUT -i br-lan -j DROP
iptables -A INPUT -i br-wan -j DROP
iptables -A INPUT -i tun0 -j DROP

DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: IPTables - Leak Protection and automatic Reconnect

Postby DesuStrike » Sun Nov 24, 2013 6:09 pm

Haha, I love this community! :clap:

I indeed force 3 DNS servers in my DD-WRT setup so it can't fall back to my ISP-provided ones, so I should be safe anyway, right? But nonetheless your iptables look WAY more advanced than my messed-up configuration. I am with my family right now so I have no time to take a thorough look at your config, but I will definitely do so later.

But I already have two questions:
  1. This configuration does allow reconnecting to the VPN after it drops, right? For me it looks like it, but maybe I missed something in the hurry.
  2. Do you enforce these rules on your router or directly on your system? I had to stop using the OpenVPN client of my router because it is way too weak to deliver acceptable speeds with this level of encryption. So I need something that can be enforced on the system itself.

Thanks for taking the time to help me and everyone else with this. This is a beautifully neat and easy to read configuration you wrote there. Worthy of a spot in the HOWTO section! After I understand where this configuration is used I will delete my OP post and move the thread with your guide on top into the appropriate sub-forum.
home is where the artillery hits


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: IPTables - Leak Protection and automatic Reconnect

Postby Lignus » Sun Nov 24, 2013 8:05 pm

I have not seen any issues with reconnects. I have purposely caused disconnects in various ways (rebooted ISP router, killed the uplink from the ISP router to the switch, moved device from one ISP to another while keeping power on) and have not once seen any issues not directly related to CS tweaking/maintenance or my entire area having the CMTS die unexpectedly (I didn't do it, this time).

Unless you set the three DNS servers in the DHCP SERVER area of your router, you are still leaking DNS through your router. When I look at my connection properties in Windows, the DNS servers it shows are not my router IP; it shows the ones that I set in the DHCP server config.

There are a few things that need to be understood about my config (it is a copy/paste from my OpenWRT HOWTO thread).
  1. This will only protect you from DNS leaks if run on the router itself.
  2. There is a distinct lack of output rules, but that is OK because the router has a very limited set of services running on it.
  3. There are two input rules that make the whole thing work.

    Code:

    iptables -A INPUT -i br-wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    This allows incoming traffic only in response to a connection initiated by the router. I should probably beef up the rules, disallowing all OUTPUT WAN traffic other than DNS/HTTPS/DHCP.

As to your use of DNS servers, if your linux machine is where your browser is located, you're still screwed. Basically, unless you connect through an intermediary device, you cannot have functional DNS and prevent DNS leakage. What you can do is break DNS and connect through an IP to cryptostorm, but that is a kludge.

P.S. You can run DDWRT/OpenWRT inside of a VM and use that as the intermediary device. I do not recommend it because you still have risks. Using a router can eliminate user/connection error leaks as long as you are connected to said router. As for speed, for under $50, including shipping, you can have an OpenVPN router that should do, at a minimum, 30Mbps, if not 50+Mbps.

I'll be doing a detailed writeup in a few weeks, but used thin clients are cheap and if you get the Neoware CA22 ($38 shipped for one, or $81 shipped for five right now on ebay), it is ready to take an old PCI nic and DDWRT/OpenWRT. I went with something slightly more expensive, but lacking the hardware crypto acceleration that the CA22 has. If I didn't want flexibility, the CA22 would have been the optimal choice (I went with a Wyse R90L because after I am done testing it will be getting OpenELEC/XBMC).

DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: IPTables - Leak Protection and automatic Reconnect

Postby DesuStrike » Sun Nov 24, 2013 10:04 pm

You know how to make a man insecure about his config even though he was confident with it before. But still I am pretty sure you mean this little piece of configuration. Right?
(screenshot attachment: Selection_029.png)

Lignus wrote:What you can do is break DNS and connect through an IP to cryptostorm, but that is a kludge.

Well, that's exactly what I am doing because I have to enforce these rules on my machine.

Lignus wrote:As for speed, for under $50, including shipping, you can have an OpenVPN router that should do, at a minimum, 30Mbps, if not 50+Mbps.

Hmm I wish that was true for my router. I have a TP-Link TL-WR1043ND which costs about 40€ and I had speeds as slow as 200MBit/s and less with cryptostorm. (I flashed it with DD-WRT of course.) This is what forced me to switch back to connecting directly with each device in my network. But that's what I get for buying such a piece of plastic. I'm just starting to get the hang of this stuff. So I am really looking forward to your detailed writeup about suitable routers and thin clients that can be deployed as routers.

I'll still move this thread to the HOWTO section because you provide very detailed and useful information here and I am sure a lot of people will profit from it.

Thanks so far. You have been a great help to me. :thumbup:
home is where the artillery hits


Topic Author
Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: HOWTO: leak protection with iptables

Postby Lignus » Mon Nov 25, 2013 1:31 am

DesuStrike wrote:You know how to make a man insecure about his config even though he was confident with it before. But still I am pretty sure you mean this little piece of configuration. Right?

Exactly that place. Now, since you are using a local client to connect, you are still vulnerable to DNS leaks should you actually have said DNS servers assigned locally and the VPN is down.

DesuStrike wrote:Well, that's exactly what I am doing because I have to enforce these rules on my machine.

That requires a rethinking of the entire strategy of the iptables rules. My recommendation would be adding that ruleset I previously suggested along with an OUTPUT -j REJECT for the WAN interface. You'll need to add exceptions for DHCP reaching your router (or just use a static config and forget it).

Lignus wrote:As for speed, for under $50, including shipping, you can have an OpenVPN router that should do, at a minimum, 30Mbps, if not 50+Mbps.

DesuStrike wrote:Hmm I wish that was true for my router. I have a TP-Link TL-WR1043ND which costs about 40€ and I had speeds as slow as 200MBit/s and less with cryptostorm. (I flashed it with DD-WRT of course.) This is what forced me to switch back to connecting directly with each device in my network. But that's what I get for buying such a piece of plastic. I'm just starting to get the hang of this stuff. So I am really looking forward to your detailed writeup about suitable routers and thin clients that can be deployed as routers.

Suitable routers... well, the thing is that AES256 + hashing is hard, really hard. For reference, an AMD K8 architecture only puts out about 8Mbps per 650MHz or so. OpenVPN is, and will be for a long time, a single-threaded application. A 2GHz AMD K8 (specifically a Turion X2 TL-60) should cap out at about 24Mbps. Kind of pathetic when you think about it. The good news is that the new Intel and AMD processors all have AES instructions that accelerate it really well. Right now, and for at least the next six months, an old thin client is your best bet. The 1GHz C7 should push significantly more than my K8 can and the cost is relatively inexpensive. Like I said, $50 shipped for everything you need. If you need to push 100+Mbps, you are going to need a significant boost in speed. The new Intel Bay Trail processors are probably the best bet, but it will be another six months until there is a decent selection. Also, the cost will probably be closer to $200. How much bandwidth those will push, that is another question entirely and something we just won't know until someone tries it.

As to your router, I am surprised that the performance is so bad. My Ubiquiti NanoStation Loco M2 has virtually the same specs except that you have the gigabit Atheros and I have the Fast Ethernet Atheros, with it I consistently get over 3Mbps. For normal web browsing, it is nearly indistinguishable from my 10Mbit open connection.

DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: HOWTO: leak protection with iptables

Postby DesuStrike » Sat Dec 21, 2013 3:19 am

I'll copy and paste my current iptables with some redactions that only concern access to some resources on my home network. So only stuff of general value should be left.

These iptables are intended to be used on your home computer and NOT on your router!

Code:

# start from an empty filter table
iptables -F

# anything over the VPN tunnel is allowed
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# loopback
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 127.0.1.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT

# cryptostorm node IPs, reachable in the clear so the tunnel can be set up
# (see the later posts in this thread for the current list)
iptables -A INPUT -s 70.38.46.226 -j ACCEPT
iptables -A OUTPUT -d 70.38.46.226 -j ACCEPT
iptables -A INPUT -s 85.17.31.121 -j ACCEPT
iptables -A OUTPUT -d 85.17.31.121 -j ACCEPT
iptables -A INPUT -s 46.165.222.207 -j ACCEPT
iptables -A OUTPUT -d 46.165.222.207 -j ACCEPT
iptables -A INPUT -s 213.73.91.35 -j ACCEPT
iptables -A OUTPUT -d 213.73.91.35 -j ACCEPT
iptables -A INPUT -s 80.237.196.2 -j ACCEPT
iptables -A OUTPUT -d 80.237.196.2 -j ACCEPT
iptables -A INPUT -s 194.150.168.168 -j ACCEPT
iptables -A OUTPUT -d 194.150.168.168 -j ACCEPT
iptables -A INPUT -s 198.50.119.171 -j ACCEPT
iptables -A OUTPUT -d 198.50.119.171 -j ACCEPT

# everything else is dropped
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
home is where the artillery hits
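The host-side strategy Lignus describes earlier in the thread (WAN OUTPUT rejected except for the VPN endpoints, a DHCP exception, DNS forced through the tunnel) applied to the shape of DesuStrike's ruleset above, as an added example; this is not code from either poster or from cryptostorm. It assumes one physical uplink named in WAN_IF (placeholder eth0), the OpenVPN protocol and port in VPN_PROTO/VPN_PORT (placeholders udp/1194; take the real values from your .ovpn), and a VPN_SERVERS list seeded with three addresses from DesuStrike's rules (check the current node list before use). By default it only prints the iptables commands so they can be reviewed; DRY_RUN=0 as root applies them. verify_rules() greps the generated ruleset for the two invariants that matter for leaks: the only ACCEPTs leaving the uplink are DHCP plus one per VPN endpoint, and the catch-all REJECT for the uplink comes after the last of them.

```shell
#!/bin/sh
# Host-side VPN kill switch: an example added to this thread, not the posters'
# own rules. Prints the iptables commands by default (DRY_RUN=1); run as root
# with DRY_RUN=0 to apply them.

WAN_IF="${WAN_IF:-eth0}"            # placeholder: your physical uplink
VPN_PROTO="${VPN_PROTO:-udp}"       # placeholder: proto from your .ovpn
VPN_PORT="${VPN_PORT:-1194}"        # placeholder: port from your .ovpn
# Seeded with three addresses from DesuStrike's rules above; use the current list.
VPN_SERVERS="${VPN_SERVERS:-70.38.46.226 85.17.31.121 46.165.222.207}"
DRY_RUN="${DRY_RUN:-1}"

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

killswitch_rules() {
    # Clean filter table, default deny in every chain.
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Loopback by interface rather than by 127.x address, so a packet arriving
    # on the wire with a spoofed loopback source does not match.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Replies to anything this host started (the OpenVPN session included).
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DHCP exception so the host can renew its lease on the uplink. Broadcast
    # DHCP is not reliably tracked by conntrack, hence the explicit INPUT rule.
    run iptables -A OUTPUT -o "$WAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # The only other traffic allowed out of the uplink: the OpenVPN handshake.
    for srv in $VPN_SERVERS; do
        run iptables -A OUTPUT -o "$WAN_IF" -p "$VPN_PROTO" -d "$srv" --dport "$VPN_PORT" -j ACCEPT
    done

    # Everything else, DNS included, may only leave through the tunnel.
    run iptables -A OUTPUT -o tun+ -j ACCEPT

    # Lignus' suggestion: REJECT rather than rely on the DROP policy, so an
    # application that tries the uplink while the tunnel is down fails at once.
    run iptables -A OUTPUT -o "$WAN_IF" -j REJECT

    # No IPv6 tunnel here, so no IPv6 leaves the host at all.
    run ip6tables -F
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT DROP
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A OUTPUT -o lo -j ACCEPT
}

# Self-check on the generated (dry-run) ruleset. Returns 0 when the only
# ACCEPTs out of the uplink are DHCP plus one per VPN endpoint, and the
# catch-all REJECT for the uplink comes after the last of them.
verify_rules() {
    saved="$DRY_RUN"; DRY_RUN=1
    rules="$(killswitch_rules)"
    DRY_RUN="$saved"

    set -- $VPN_SERVERS
    expected=$(( $# + 1 ))
    wan_accepts=$(printf '%s\n' "$rules" | grep -c -e "-A OUTPUT -o $WAN_IF .* -j ACCEPT")
    [ "$wan_accepts" -eq "$expected" ] || return 1

    last_accept=$(printf '%s\n' "$rules" | grep -n -e "-A OUTPUT -o $WAN_IF .* -j ACCEPT" | tail -n 1 | cut -d: -f1)
    reject=$(printf '%s\n' "$rules" | grep -n -e "-A OUTPUT -o $WAN_IF -j REJECT" | cut -d: -f1)
    [ -n "$reject" ] && [ "$reject" -gt "$last_accept" ]
}

killswitch_rules
verify_rules && echo "self-check: uplink egress limited to DHCP and VPN endpoints"
```

Compared with the ruleset above, this version matches loopback on the lo interface instead of 127.x addresses, drops unsolicited inbound traffic on tun+ rather than accepting it, restricts the clear-text exception to the OpenVPN port on the named uplink, and leaves port 53 closed on the WAN side, which is the path a DNS leak takes when the tunnel is down.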

marzametal
Posts: 517
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: leak protection with iptables

Postby marzametal » Sat May 02, 2015 3:56 pm

Any chance to get the Ubuntu IPTables section updated to reflect the new IPs and new exit nodes?
I am willing to try it on my VM, but I ain't a ubernix person... lol

If using Linux via VM, how would the rules be modified?

parityboy
Site Admin
Posts: 1234
Joined: Wed Feb 05, 2014 3:47 am

Re: HOWTO: leak protection with iptables

Postby parityboy » Sat May 02, 2015 6:26 pm

@marzametal

See my sig. for a Desu's list of the latest *nix/*nux exit nodes. If the VM is bridged onto your LAN, you won't need to change anything apart from making sure you use the latest IP addresses.

marzametal
Posts: 517
Joined: Mon Aug 05, 2013 11:39 am

Re: HOWTO: leak protection with iptables

Postby marzametal » Sun May 03, 2015 6:32 am

parityboy wrote:@marzametal

See my sig. for a Desu's list of the latest *nix/*nux exit nodes. If the VM is bridged onto your LAN, you won't need to change anything apart from making sure you use the latest IP addresses.

Damn signatures eh... staring me straight in the face... even while I was pinging the linux hostnames in command prompt. Old school.
Thanks parityboy :)

