Hello, I have a little problem with the iptables setting: I can only connect to a few servers.
Here are the iptables rules:
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
If I disable the firewall everything works fine.
Any suggestion?
Hello,
What is your VPN network interface?
You might need to add something like this for e.g. the tun0 interface:
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
Cannot help further without you describing in more details what the actual issue is.
Lubos
Hello Lubos,
surfshark_2: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 12:ad:d0:6a:42:5f brd ff:ff:ff:ff:ff:ff
inet 127.0.0.1/32 scope host noprefixroute surfshark_2
valid_lft forever preferred_lft forever
surfshark_tun: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.7.7.3/24 brd 10.7.7.255 scope global noprefixroute surfshark_tun
surfshark_tun, I guess?
Hi,
It looks like your network interface is called: surfshark_tun. Have you tried something like:
iptables -A INPUT -i surfshark_tun -j ACCEPT
iptables -A OUTPUT -o surfshark_tun -j ACCEPT
Test this setting first with something like:
$ curl ifconfig.me
This should return your external IP behind the VPN. If that works you may also block all traffic which is trying to bypass the VPN with something like:
$ iptables -A OUTPUT ! -o surfshark_tun -m conntrack --ctstate NEW -j DROP
and test again… If it does not work please check and post the output of the following command here:
$ ip route
Lubos
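One way to put the pieces from this answer together, as an added example that is not Lubos's or the original poster's code: a POSIX shell function that emits the full iptables ruleset for a given tunnel interface, so it can be read and diffed before being applied as root. It differs from the rules in the thread in two deliberate ways: it adds an explicit exception for the connection to the VPN server itself, which leaves on the physical interface and would otherwise fall under the "not via the tunnel" DROP rule unless some earlier rule already allows its port; and inbound on the tunnel it accepts only reply traffic (RELATED,ESTABLISHED) instead of everything. The server address, port and protocol are parameters; the values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the thread's own code): emit the "VPN only" iptables
# ruleset for a tunnel interface so it can be reviewed before it is applied.
# The VPN server address/port/protocol are assumptions passed as arguments;
# 203.0.113.10:1194/udp in the usage comment is a constructed placeholder.

# emit_vpn_rules <tunnel-iface> <vpn-server-ip> <vpn-server-port> [udp|tcp]
# Prints one iptables command per line; nothing is executed here.
emit_vpn_rules() {
    tun="$1"; server="$2"; port="$3"; proto="${4:-udp}"
    if [ -z "$tun" ] || [ -z "$server" ] || [ -z "$port" ]; then
        echo "usage: emit_vpn_rules <tun-iface> <server-ip> <server-port> [udp|tcp]" >&2
        return 2
    fi
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p $proto -d $server --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
iptables -A OUTPUT ! -o $tun -m conntrack --ctstate NEW -j DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# apply_vpn_rules <same arguments>: run the emitted commands, root only.
# Policies are set last so the host is never left with DROP and no ACCEPT rules.
apply_vpn_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_vpn_rules: must be run as root" >&2
        return 1
    fi
    emit_vpn_rules "$@" | sh -e
}

# Usage (placeholder endpoint, adjust to your VPN server):
#   emit_vpn_rules surfshark_tun 203.0.113.10 1194 udp      # review the rules
#   sudo sh -c '. ./vpn-rules.sh; apply_vpn_rules surfshark_tun 203.0.113.10 1194 udp'
```

After applying, the `curl ifconfig.me` check from the answer above is still the right test: it must show the VPN's address, and with the tunnel down it must hang or fail rather than fall back to the physical interface.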
The “alert” message remains, but now I can connect to all servers without a connection timeout.
ip route
default via 10.7.7.1 dev surfshark_tun proto static metric 50
default via 192.168.1.254 dev enp5s0 proto dhcp src 192.168.1.88 metric 100
10.7.7.0/24 dev surfshark_tun proto kernel scope link src 10.7.7.14 metric 50
45.55.60.159 via 192.168.1.254 dev enp5s0 proto static metric 50
192.168.1.0/24 dev enp5s0 proto kernel scope link src 192.168.1.88 metric 100
192.168.1.254 dev enp5s0 proto static scope link metric 50
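The two default routes above differ only in their metric, and the kernel uses the one with the lower value, here the tunnel (50 against 100 for enp5s0). As an added check that is not part of the thread, this POSIX shell function parses `ip route` output and reports which interface carries the preferred default route; the sample input is the routing table posted above, and the exit status of `vpn_route_ok` makes it usable from a script or cron job.

```shell
#!/bin/sh
# Added example (not from the thread): read "ip route" output and report
# which interface carries the preferred default route, i.e. the default
# route with the lowest metric. Confirms ordinary traffic leaves via the VPN.

# preferred_default_dev: routes on stdin, prints the device of the default
# route with the lowest metric (a route without a metric counts as 0).
preferred_default_dev() {
    awk '
    $1 == "default" {
        dev = ""; metric = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
    }
    END { if (best != "") print best }'
}

# vpn_route_ok <tunnel-iface>: routes on stdin; exit 0 if the preferred
# default route uses the tunnel, 1 otherwise.
vpn_route_ok() {
    [ "$(preferred_default_dev)" = "$1" ]
}

# Sample input: the routing table posted in the thread above.
SAMPLE_ROUTES='default via 10.7.7.1 dev surfshark_tun proto static metric 50
default via 192.168.1.254 dev enp5s0 proto dhcp src 192.168.1.88 metric 100
10.7.7.0/24 dev surfshark_tun proto kernel scope link src 10.7.7.14 metric 50
45.55.60.159 via 192.168.1.254 dev enp5s0 proto static metric 50
192.168.1.0/24 dev enp5s0 proto kernel scope link src 192.168.1.88 metric 100
192.168.1.254 dev enp5s0 proto static scope link metric 50'

# Live use:  ip route | vpn_route_ok surfshark_tun && echo "default route via VPN"
printf '%s\n' "$SAMPLE_ROUTES" | preferred_default_dev
```

This only tells you where the default route points; it says nothing about the firewall. A routing check and a `curl ifconfig.me` check together cover both halves: the route decides which interface is preferred, the `! -o surfshark_tun ... DROP` rule decides what happens when that preference is lost.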