Iptables Surfshark VPN

Hello, I have a little problem with the iptables setting, I can just connect to a few servers.
Here are the iptables rules:
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
If I disable the firewall everything works fine.
Any suggestions?

Hello,

What is your VPN network interface?

You might need to add something like this for, e.g., the tun0 interface:

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT

Cannot help further without you describing in more detail what the actual issue is.

Lubos

Hello Lubos,
surfshark_2: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 12:ad:d0:6a:42:5f brd ff:ff:ff:ff:ff:ff
inet 127.0.0.1/32 scope host noprefixroute surfshark_2
valid_lft forever preferred_lft forever
surfshark_tun: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.7.7.3/24 brd 10.7.7.255 scope global noprefixroute surfshark_tun
surfshark_tun, I guess?

Hi,

It looks like your network interface is called: surfshark_tun. Have you tried something like:

iptables -A INPUT -i surfshark_tun -j ACCEPT
iptables -A OUTPUT -o surfshark_tun -j ACCEPT

Test this setting first with something like:

$ curl ifconfig.me
This should return your external IP behind the VPN. If that works you may also block all traffic which is trying to bypass the VPN with something like:

$ iptables -A OUTPUT ! -o surfshark_tun -m conntrack --ctstate NEW -j DROP

and test again. If it does not work, please check and post the output of the following command here:

$ ip route

Lubos


The “alert” message remains, but now I can connect to all servers without a connection timeout.
ip route
default via 10.7.7.1 dev surfshark_tun proto static metric 50
default via 192.168.1.254 dev enp5s0 proto dhcp src 192.168.1.88 metric 100
10.7.7.0/24 dev surfshark_tun proto kernel scope link src 10.7.7.14 metric 50
45.55.60.159 via 192.168.1.254 dev enp5s0 proto static metric 50
192.168.1.0/24 dev enp5s0 proto kernel scope link src 192.168.1.88 metric 100
192.168.1.254 dev enp5s0 proto static scope link metric 50
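Putting Lubos's suggestions together as one complete kill-switch ruleset, added here as an example rather than anything posted in the thread: it lets the tunnel's own handshake reach the VPN server over the physical interface and drops every other new connection that tries to bypass surfshark_tun. The server address 45.55.60.159 is taken from the ip route output above; the VPN port and protocol (1194/udp in the usage line) are assumptions to check against the client configuration, and the script only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Prints a VPN kill-switch ruleset (dry run). Review it, then apply with:
#   sh kill-switch.sh surfshark_tun enp5s0 45.55.60.159 1194 udp | sudo sh
# Arguments: VPN interface, physical interface, VPN server address, VPN port, protocol.
# 1194/udp is only an assumption: take the real port/protocol from the client config.
gen_vpn_rules() {
    [ $# -eq 5 ] || { echo "usage: gen_vpn_rules VPN_IF PHYS_IF VPN_SERVER PORT PROTO" >&2; return 1; }
    vpn_if=$1 phys_if=$2 vpn_ep=$3 vpn_port=$4 vpn_proto=$5
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# the tunnel's own transport to the VPN server over the physical interface; the
# original rules only allowed 53/80/443 on any interface, so the tunnel probably
# came up only to servers reachable on one of those ports
iptables -A OUTPUT -o $phys_if -p $vpn_proto -d $vpn_ep --dport $vpn_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $phys_if -p $vpn_proto -s $vpn_ep --sport $vpn_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
# DNS and web traffic are allowed only inside the tunnel; an interface-agnostic
# DNS ACCEPT placed before the final DROP would let queries leak out via $phys_if
iptables -A OUTPUT -o $vpn_if -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $vpn_if -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# replies only (tighter than "-i $vpn_if -j ACCEPT", which exposes local services to the VPN network)
iptables -A INPUT -i $vpn_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# kill switch: any new connection not leaving through the tunnel is dropped
iptables -A OUTPUT ! -o $vpn_if -m conntrack --ctstate NEW -j DROP
EOF
}

# Run stand-alone: print the ruleset for the interfaces/server given on the command line.
if [ $# -gt 0 ]; then
    gen_vpn_rules "$@"
fi
```

Because the kernel evaluates rules in order, the final DROP only protects against leaks if every ACCEPT above it is pinned to an interface or to the VPN server address.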