Guide for VPN Internet Kill Switch + IPv6 Leak Protection via Firewalld



User808
24th December 2016, 11:37 AM
Hi. I have finally finished polishing a script that does what the title of this thread indicates!

This script is composed of 4 sets of rules combined into a single .sh file.

The 1st (on) & 2nd (off) sets of rules, respectively, enable & disable the Internet Kill Switch (iks) + IPv6 leak protection in such a way that only outgoing traffic is possible via the VPN. This is recommended from a security point of view but interferes with torrent use, which needs both outgoing & incoming traffic to be enabled.

The 3rd (ONtorrent) & 4th (OFFtorrent) sets of rules, respectively, enable & disable the Internet Kill Switch + IPv6 leak protection in such a way that both outgoing & incoming traffic are possible via the VPN. This is less secure but allows you to use torrent.

Please notice the following:

1) what I put in RED COLOR in this script should be exactly the same as written in your VPN configuration files (the protocol, whether udp or tcp, & the port number).

2) what I put in BLUE COLOR in this script are variable names that you are free to change as you like, but please DO NOT USE the following: _ , - , = , NUL
Also, avoid special characters.

3) sudo commands are not necessary within the script if you like to save your script file to any place for saving scripts other than /home/yourusername/.local/bin
For example, if you like to store your script file in /usr/local/bin then there is no need to put the sudo command in the script (delete it). But if you like to store it in /home/yourusername/.local/bin then you should use the sudo command within the script, otherwise you will be asked to enter the root password (sudo) 10 times! This is due to a special sudo setting in our Fedora.

4) if your VPN service provider supports IPv6, then you can delete ALL lines that contain the DROP filter for IPv6.

Now open your text editor, like Gedit, & copy/paste the following script into it:


#! /bin/bash
# iks.sh - VPN Internet Kill Switch + IPv6 leak protection using firewalld direct rules.
# Usage: iks.sh on | off | ONtorrent | OFFtorrent
# "udp" and "1194" below must match the protocol & port in your VPN configuration files.
# The rules are runtime only (no --permanent), so a reboot removes them all.
# If you store the script in /usr/local/bin and run it with sudo, delete "sudo" from every line.

ruleson(){
    echo
    echo "Toggle ON Unidirectional VPN Internet Kill Switch + IPv6 Leak Protection using Firewalld"
    echo
    echo "Warning: connection to VPN should be established before running this script. Otherwise any Internet connection will be impossible!"
    echo "This script only allows VPN output! It does not provide DNS leak protection!"
    echo
    echo "Establishing firewalld rules is starting!"
    # forwarded traffic may only pass through the VPN tunnel (tun+ matches tun0, tun1, ...)
    sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    # IPv6 leak protection: drop all incoming IPv6
    sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
    # incoming IPv4: allow loopback, drop everything else (priority 999 is evaluated last)
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
    # IPv6 leak protection: drop all outgoing IPv6
    sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
    # outgoing IPv4: allow loopback, the VPN tunnel, and the OpenVPN connection itself
    # (protocol & port must match your VPN configuration files)
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 1194 -j ACCEPT
    # everything else outgoing is dropped, so nothing leaves outside the VPN
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
    # forget the cached sudo credentials
    sudo -k
    echo "Establishing firewalld rules is completed!"
    echo
    echo "VPN Internet Kill Switch is enabled! Only VPN output is allowed now!"
    echo "Enjoy surfing Internet safely!"
    echo
}

rulesoff(){
    echo
    echo "Toggle OFF Unidirectional VPN Internet Kill Switch + IPv6 Leak Protection using Firewalld"
    echo
    echo "Removing firewalld rules is starting!"
    # remove exactly the rules added by ruleson, in the same order
    sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
    sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
    sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 1194 -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
    sudo -k
    echo "Removing firewalld rules is completed!"
    echo
    echo "VPN Internet Kill Switch is disabled!"
    echo
}

rulesONtorrent(){
    echo
    echo "Toggle ON Bidirectional VPN Internet Kill Switch + IPv6 Leak Protection on Firewalld"
    echo
    echo "Warning: connection to VPN should be established before running this script. Otherwise any Internet connection will be impossible!"
    echo "This script allows VPN output & input! It does not provide DNS leak protection!"
    echo
    echo "Establishing firewalld rules is starting!"
    # same rules as ruleson ...
    sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    # ... plus incoming over the VPN tunnel (UDP to port 1194 as written), needed for torrent
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 1194 -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
    sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 1194 -j ACCEPT
    sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
    sudo -k
    echo "Establishing firewalld rules is completed!"
    echo
    echo "VPN Internet Kill Switch is enabled! Both VPN output & input are allowed now!"
    echo "Enjoy surfing Internet safely!"
    echo
}

rulesOFFtorrent(){
    echo
    echo "Toggle OFF Bidirectional VPN Internet Kill Switch + IPv6 Leak Protection on Firewalld"
    echo
    echo "Removing firewalld rules is starting!"
    # remove exactly the rules added by rulesONtorrent, in the same order
    sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
    sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 1194 -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
    sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 1194 -j ACCEPT
    sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
    sudo -k
    echo "Removing firewalld rules is completed!"
    echo
    echo "VPN Internet Kill Switch is disabled!"
    echo
}

# Run the set of rules named by the 1st argument: on, off, ONtorrent or OFFtorrent.
# Anything else (including no argument) prints the usage instead of silently doing nothing.
if ! declare -F "rules${1}" > /dev/null; then
    echo "Usage: $0 {on|off|ONtorrent|OFFtorrent}" >&2
    exit 1
fi
rules${1}

Now save the text editor file that you copied/pasted the above script into. Your file name should end in .sh
For ease, I chose the name (iks) for this script file, so its name became: iks.sh
For more details about how to create & save a script file, please visit the following link:

http://www.forums.fedoraforum.org/showthread.php?t=312026

-------------------------------------------------

Now, how to use this script?

1) YOU MUST CONNECT TO YOUR VPN 1st BEFORE USING THIS SCRIPT. OTHERWISE, YOU WILL BE UNABLE TO CONNECT TO THE INTERNET AT ALL UNTIL YOU DISABLE THE INTERNET KILL SWITCH.
For how to connect to a VPN using OpenVPN via the terminal (recommended), please visit this link:

http://www.forums.fedoraforum.org/showthread.php?t=312688

2) now, after you have already established your VPN connection, do the following (I will use the 1st & 2nd sets of rules as an example):

- open a 2nd terminal
- enter the following command in it:

$ iks.sh on

- it will ask you for your sudo password; enter it & wait till the script has completed.
- close the 2nd terminal
- that is all. Browse the Internet now.

After finishing your session (or if you like to change your VPN location), you have to do the following:

- disable your VPN connection 1st (disconnect from the VPN)
- then run the following command:

$ iks.sh off

If you like to use torrent, then you should use the 3rd & 4th sets of rules, instead of the 1st & 2nd sets of rules, as follows:

- to enable the Internet Kill Switch use the following command:

$ iks.sh ONtorrent

- to disable the Internet Kill Switch, use:

$ iks.sh OFFtorrent

Please notice that I used the above 2 commands as NON-ROOT, assuming that the script file is stored in /home/yourusername/.local/bin; in this case I will be asked for the sudo password after running the command as non-root. But if you store it in another place like /usr/local/bin then the commands can be executed as ROOT as follows (in this case you should already have excluded the sudo commands from the script file - see the notes above):

$ sudo iks.sh on

$ sudo iks.sh off

---------------------------------------

PLEASE NOTICE THE FOLLOWING:

1) YOU MUST USE EITHER THE 1ST + 2ND SETS OF RULES OR THE 3RD + 4TH SETS OF RULES TO ENABLE/DISABLE THE INTERNET KILL SWITCH ON ANY GIVEN OCCASION. YOU MUST NEVER USE ANY OTHER COMBINATION!

2) IF YOU MAKE A MISTAKE USING THIS SCRIPT THAT BREAKS YOUR INTERNET CONNECTION, THEN JUST REBOOT YOUR PC & YOUR SYSTEM WILL BE RESTORED TO ITS ORIGINAL STATE.
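Two checks a practitioner would want around the post above, written as added bash helpers (not part of User808's iks.sh): one pulls the protocol & port out of the OpenVPN client config so the values in the firewall rules cannot drift from it (note 1 of the post), and one reads a `firewall-cmd --direct --get-all-rules` listing and confirms every rule the kill switch relies on is actually present before you start browsing. It assumes each line of that listing reads like the arguments given to `--add-rule` (e.g. `ipv4 filter OUTPUT 999 -j DROP`); the sample config and rule listing are constructed here so the helpers run offline.

```shell
#!/bin/bash
# Added helpers, not part of the original iks.sh: derive proto/port from an OpenVPN
# client config, and check a firewalld direct-rule listing for the rules the kill
# switch relies on. Both read stdin, so they can be tried offline on sample text.

# Print "proto port" from the .ovpn "proto" and "remote host port [proto]" lines.
# Falls back to OpenVPN's defaults (udp, 1194) when a value is absent.
ovpn_proto_port() {
    awk '
        tolower($1) == "proto"  { proto = tolower($2) }
        tolower($1) == "remote" { if ($3 != "") port = $3; if ($4 != "") proto = tolower($4) }
        END {
            if (proto == "") proto = "udp"
            sub(/-client$/, "", proto); sub(/[46]$/, "", proto)   # tcp-client, udp4 -> tcp, udp
            if (port == "") port = 1194
            print proto, port
        }'
}

# Read the output of "firewall-cmd --direct --get-all-rules" on stdin and return 0
# only if every rule the kill switch needs is present ($1 = proto, $2 = port).
# Each missing rule is reported on stderr, so a partially applied state is visible.
iks_check() {
    local proto=$1 port=$2 rules r missing=0
    rules=$(cat)
    for r in \
        "ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT" \
        "ipv4 filter OUTPUT 1 -p $proto -m $proto --dport $port -j ACCEPT" \
        "ipv4 filter OUTPUT 999 -j DROP" \
        "ipv4 filter INPUT 999 -j DROP" \
        "ipv6 filter OUTPUT 0 -j DROP" \
        "ipv6 filter INPUT 0 -j DROP"
    do
        printf '%s\n' "$rules" | grep -qxF -- "$r" || { echo "missing: $r" >&2; missing=1; }
    done
    return "$missing"
}

# Constructed sample input (not from a real system). The rule listing deliberately
# lacks the IPv6 INPUT drop, so iks_check reports it and returns non-zero.
sample_ovpn() {
    printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n'
}
sample_rules() {
    printf '%s\n' "ipv4 filter OUTPUT 0 -o lo -j ACCEPT" \
        "ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT" \
        "ipv4 filter OUTPUT 1 -p udp -m udp --dport 1194 -j ACCEPT" \
        "ipv4 filter OUTPUT 999 -j DROP" "ipv4 filter INPUT 999 -j DROP" \
        "ipv6 filter OUTPUT 0 -j DROP"
}

# Live use: sudo firewall-cmd --direct --get-all-rules | iks_check $(ovpn_proto_port < client.ovpn)
```

A non-zero exit from `iks_check` means the switch is only partially in place; run `iks.sh off` (or `OFFtorrent`) and then the matching on command again, or reboot, rather than browsing on a half-applied rule set.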

User808
24th December 2016, 12:53 PM
Acknowledgment & Thanks:

1) 1st of all, the basic idea of this script is not from me, but it was created by a member of the https://airvpn.org forum (sheivoko). Please visit this link:

https://airvpn.org/topic/15061-firewalld-killswitch/

So, many many many thanks to sheivoko.

My work was to modify the basic idea so as to be more universal & suitable for all users.

2) I would like to thank the following members of our Fedora forum, who assisted me in learning how to write a script:

- srakitnican

- ocratato

- flyingdutchman

3) Special thanks to Fedora member "srakitnican" for his great assistance with how to create a multi-rule single script file.