
Hardening your VPN Setup with iptables - InputOutput.io

http://www.inputoutput.io/hardening-your-vpn-setup-with...

InputOutput.io
The free-thinkin free-speakin rabble-rousin geek.

Jul 14 2011

Hardening your VPN Setup with iptables


Category: Hacks, How-Tos | Tags: iptables, openvpn, routes, security, SSL, vpn | No Comments

I'll be heading out to Defcon 19 next month, so I want my VPN connection to be stable and secure. You probably know the situation. You're at your local coffee shop, using their (hopefully not) wide-open unsecured wifi hotspot. But you're smart enough not to send all your data out in the clear, since there might be malicious script kiddies ready to take your sensitive data and sell it to kids on the street. So you use a VPN. You fire up OpenVPN and connect to your VPN service. Then you start browsing, comforted by the fact that your traffic is encapsulated in a secure SSL tunnel. Better yet, the user experience is transparent: you don't have to configure your applications to manually use a SOCKS5 proxy. OpenVPN handles your routing tables and creates a virtual interface using the tun module. It's so simple, you don't need to think about it.

But there's a problem with this setup. No one can reach into your stream and extract or insert data, but there's a caveat: anyone can tear the tunnel down. If you run OpenVPN over TCP, a single spoofed RST packet that appears to come from the remote server will do it; over UDP there is no RST to forge, but the hotspot can simply start dropping your packets to the VPN port, and OpenVPN's keepalive eventually times out. Either way the service becomes unavailable to you. Tearing down the tunnel destroys the virtual (tun) interface, which in turn destroys the routes associated with that interface. Now you're using your physical interface, unprotected from those pesky hackers. Worse still, you don't realize it. Not a thing has changed from the perspective of user experience. Since everything is transparent, you don't notice any change at all. Now you're screwed.

Little did you know that this all could have been avoided by our friend iptables. Sure, you could modify your routes further to ensure that only traffic going to the remote server goes over your physical interface, but that's too easy. Plus, routing tables aren't intended for security, they're intended to move packets along. iptables seems like the tool for the task, so I modified a script I found here to make sure that we disallow any traffic that we don't want:
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# name of primary network interface (before tunnel)
PRIMARY=wlan0

# address of tunnel server
SERVER=seattle.vpn.riseup.net

# address of vpn server
VPN_SERVER=seattle.vpn.riseup.net

# gateway ip address (before tunnel - adsl router ip address)
# automatically determine the ip from the default route
GATEWAY=$(route -n | grep $PRIMARY | egrep "^0\.0\.0\.0" | tr -s " " | cut -d" " -f2)

# provided by pppd: interface name
TUNNEL=tun0

openvpn --config /my/path/to/riseup.ovpn --auth-user-pass /my/path/to/authentication.conf &

# iptables rules - important!
#LOCAL_NET=192.168.0.0/16
LOCAL_NET=$GATEWAY

# Flush all previous filter rules, you might not want to include this line if you already have other rules
iptables -t filter --flush
# Drop the chain left by a previous run (errors harmlessly on the first run), then recreate it
iptables -t filter -X MYVPN 2>/dev/null
iptables -t filter -N MYVPN

# Exceptions for local traffic & vpn server
iptables -t filter -A MYVPN -o lo -j RETURN
iptables -t filter -A MYVPN -o ${TUNNEL} -j RETURN
iptables -t filter -A MYVPN --dst 127.0.0.1 -j RETURN
iptables -t filter -A MYVPN --dst $LOCAL_NET -j RETURN
iptables -t filter -A MYVPN --dst ${SERVER} -j RETURN
iptables -t filter -A MYVPN --dst ${VPN_SERVER} -j RETURN
# Add extra local nets here as necessary
iptables -t filter -A MYVPN -j DROP

# MYVPN traffic leaving this host:
iptables -t filter -A OUTPUT -p tcp --syn -j MYVPN
iptables -t filter -A OUTPUT -p icmp -j MYVPN
iptables -t filter -A OUTPUT -p udp -j MYVPN

echo "nameserver 8.8.8.8" > /etc/resolv.conf

You'll want to modify the openvpn command, interfaces, and servers to meet your needs. And that's it! If your stream is taken down, you have these rules to protect you. A few things to keep in mind: iptables resolves the hostnames in the --dst exceptions to addresses at the moment each rule is added, so the script needs working DNS at that point, and a later change in the server's address will not be picked up. The OUTPUT rules only send new TCP connections (SYN), UDP and ICMP through MYVPN, and iptables covers IPv4 only, so if the hotspot hands out IPv6 you need matching ip6tables rules or that traffic goes out in the clear. Overwriting resolv.conf with 8.8.8.8 means DNS lookups travel through the tunnel while it is up and are dropped, rather than leaked to the hotspot's resolver, when it is down. I have this script as a post-connect hook for any untrusted networks I connect to (wicd is a nice network manager for adding hooks). Later, if you want your traffic to go over the clear again, you can use this script:
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Remove the kill-switch rules and the MYVPN chain; traffic may leave over the physical interface again
iptables -t filter --flush
iptables -t filter -X MYVPN
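The two scripts above steer only new TCP connections, UDP and ICMP into the MYVPN chain, and leave IPv6 alone. What follows is an added example, not the post's own code, of the same kill-switch idea done as a default-deny OUTPUT policy for both IPv4 and IPv6, together with a matching teardown, an audit function that reads iptables -S OUTPUT text and tells you whether anything other than the VPN endpoint and DHCP can leave the physical interface, and a route check that detects the silent failure described in the post (the default route no longer leaving via tun). Interface names, the udp/1194 port and the 192.0.2.x endpoint addresses are assumptions and placeholders, not Riseup's servers; the iptables -S and ip route samples inside it are constructed, not captured from a real host. Run as-is it only prints the commands it would apply; set KILLSWITCH_APPLY=1 as root to apply them.

```shell
#!/bin/sh
# Added example, not the post's script: a default-deny VPN kill switch for IPv4
# and IPv6, plus two checks. All names below are assumptions: edit to taste.
PRIMARY=wlan0                   # physical interface
TUNNEL=tun0                     # OpenVPN interface
VPN_PROTO=udp                   # protocol/port your .ovpn uses
VPN_PORT=1194
VPN_IPS="192.0.2.10 192.0.2.11" # endpoint addresses, resolved ahead of time
                                # (documentation-range placeholders, not real servers)

# killswitch_rules RUNNER: emit each firewall command through RUNNER ("echo" for
# a dry run, "" to execute). Explicit ACCEPTs over a DROP policy mean anything
# not listed (other protocols, other hosts, all of IPv6) cannot leave $PRIMARY.
killswitch_rules() {
    run=$1
    $run iptables -t filter -F OUTPUT
    $run iptables -t filter -P OUTPUT DROP
    $run iptables -t filter -A OUTPUT -o lo -j ACCEPT
    $run iptables -t filter -A OUTPUT -o "$TUNNEL" -j ACCEPT
    # DHCP renewals must still reach the hotspot or the lease lapses
    $run iptables -t filter -A OUTPUT -o "$PRIMARY" -p udp --dport 67 -j ACCEPT
    for dst in $VPN_IPS; do
        $run iptables -t filter -A OUTPUT -o "$PRIMARY" -d "$dst" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    done
    # IPv6 is untouched by an iptables-only script and would otherwise leak
    $run ip6tables -t filter -F OUTPUT
    $run ip6tables -t filter -P OUTPUT DROP
    $run ip6tables -t filter -A OUTPUT -o lo -j ACCEPT
    $run ip6tables -t filter -A OUTPUT -o "$TUNNEL" -j ACCEPT
}

# killswitch_teardown RUNNER: back to an open OUTPUT chain, both families.
killswitch_teardown() {
    run=$1
    $run iptables -t filter -F OUTPUT
    $run iptables -t filter -P OUTPUT ACCEPT
    $run ip6tables -t filter -F OUTPUT
    $run ip6tables -t filter -P OUTPUT ACCEPT
}

# audit_output_chain PHYS: read `iptables -S OUTPUT` text on stdin; succeed only
# if the policy is DROP and every ACCEPT on PHYS is scoped to a destination
# (-d) or to DHCP (--dport 67). Anything broader is a leak when the tunnel dies.
audit_output_chain() {
    awk -v phys="$1" '
        $1 == "-P" && $2 == "OUTPUT" && $3 == "DROP" { drop = 1 }
        $1 == "-A" && /-j ACCEPT/ {
            onphys = 0; scoped = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-o" && $(i + 1) == phys) onphys = 1
                if ($i == "-d" || ($i == "--dport" && $(i + 1) == "67")) scoped = 1
            }
            if (onphys && !scoped) leak = 1
        }
        END { exit (drop && !leak) ? 0 : 1 }'
}

# tunnel_carries_default TUN: read `ip -4 route` text on stdin; succeed if the
# default route, or OpenVPN's redirect-gateway def1 split (0.0.0.0/1 and
# 128.0.0.0/1), leaves via TUN. Failing this is the silent state the post warns about.
tunnel_carries_default() {
    awk -v tun="$1" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) == tun) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed samples for the checks above (not captured from a real host).
# What `iptables -S OUTPUT` shows after the post's script: policy still ACCEPT,
# only SYN/ICMP/UDP are steered into MYVPN.
SAMPLE_ORIGINAL_CHAIN='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MYVPN
-A OUTPUT -p icmp -j MYVPN
-A OUTPUT -p udp -j MYVPN'
# A kill switch with a hole: blanket ACCEPT on the physical interface.
SAMPLE_LEAKY_CHAIN='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -j ACCEPT'
# `ip -4 route` with the tunnel up (def1 split) and after it has gone away.
SAMPLE_ROUTES_UP='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'
SAMPLE_ROUTES_DOWN='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

if [ "${KILLSWITCH_APPLY:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply rules" >&2; exit 1; }
    killswitch_rules ""
else
    killswitch_rules echo     # dry run: print what would be applied
fi
```

The difference from the post's chain is the policy: with -P OUTPUT DROP, a protocol or address family the rules forgot to mention is blocked rather than passed, so the audit only has to confirm that every ACCEPT on the physical interface is pinned to the VPN endpoint or to DHCP. Hook audit_output_chain and tunnel_carries_default into whatever your network manager runs after connecting, and they will tell you in one exit code whether you are actually protected.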

2013 InputOutput.io | Theme wpBurn Blue by wpburn.com

4 de 4

06/05/13 01:36