
I am using the latest Ubuntu distribution... and I have a rather spotty VPN connection. I am using the default Network Manager application that came with Ubuntu.

I am having trouble maintaining a connection to my VPN, and that being a separate issue, I'm looking for something to make me a little bit more secure. I would like an automated way to shut down either specific ports when the PPTP VPN drops connection, or to kill an application at that time... Even better yet would be to reconnect to the VPN while halting traffic.

Anyone know of an application that does this for Linux / how I can configure IPTables to block the ports?

  • His proper name is ["Crow T. Robot"](http://en.wikipedia.org/wiki/Crow_T._Robot) sans the 'e'. I'll consider trying to answer your question after I get over my indignation. =) – Wesley Apr 23 '12 at 19:23
  • By "more secure" do you mean not allowing traffic to go out unsecured? – mgorven Apr 24 '12 at 01:26
  • I am aware of the e being extra. Been my handle for a while. Allows me to pay homage while maintaining my username isn't taken on many sites. Worked well so far. Also gives it a little personality. – Crowe T. Robot Apr 30 '12 at 05:22

2 Answers

2

If you don't want any traffic to be sent unsecured, I would suggest setting up your routing table without a default route, and only a specific route to the VPN server. This means that when your VPN connection goes down and removes the route over the VPN, there won't be any matching route for the traffic and it won't go out. For example, assuming that 192.168.0.0/24 is your local network, and your VPN server is at 1.2.3.4:

192.168.0.0/24 dev eth0
1.2.3.4/32 via 192.168.0.1

If you need finer granularity on a port level, you could add iptables rules which block traffic going out eth0 on those port numbers. While the VPN is up those packets will go out the VPN interface (e.g. tun0), and will be encapsulated and go out eth0 on the VPN port number. When the VPN is down they will attempt to go directly out eth0 on the original port number, which the iptables rules should block. For example, to prevent HTTP traffic going out unsecured:

iptables --append OUTPUT --out-interface eth0 --protocol tcp --dport 80 --jump REJECT

mgorven
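As an added example, not part of mgorven's answer, the port-level idea above extended into a complete OUTPUT chain for a PPTP VPN: PPTP needs both the TCP 1723 control connection and a GRE data channel to the VPN server, so a rule set that only lets TCP ports out would break the tunnel itself. The VPN server 1.2.3.4, eth0 and tun0 are taken from the answer; the LAN subnet 192.168.0.0/24 and the function name killswitch_rules are assumed.

```sh
#!/bin/sh
# Added example, not from the original answer: print an iptables OUTPUT chain
# that acts as a "kill switch" for a PPTP VPN. Only the PPTP control channel
# (TCP 1723) and its GRE data channel may leave via the LAN interface to the
# VPN server; everything else must go through the tunnel or is rejected.
# Assumed (constructed) values: VPN server 1.2.3.4, LAN 192.168.0.0/24 on
# eth0, tunnel interface tun0 (PPTP on Linux usually names it ppp0; adjust).

# Print the rules to stdout; pipe into "sudo sh" to apply them.
killswitch_rules() {
    vpn_server=$1   # public address of the VPN server
    lan_if=$2       # physical interface, e.g. eth0
    vpn_if=$3       # tunnel interface that exists only while the VPN is up
    lan_net=$4      # local subnet that may still be reached directly
    cat <<EOF
iptables --flush OUTPUT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface $vpn_if --jump ACCEPT
iptables --append OUTPUT --out-interface $lan_if --destination $lan_net --jump ACCEPT
iptables --append OUTPUT --out-interface $lan_if --protocol udp --sport 68 --dport 67 --jump ACCEPT
iptables --append OUTPUT --out-interface $lan_if --destination $vpn_server --protocol tcp --dport 1723 --jump ACCEPT
iptables --append OUTPUT --out-interface $lan_if --destination $vpn_server --protocol gre --jump ACCEPT
iptables --append OUTPUT --out-interface $lan_if --jump REJECT
EOF
}

# When run directly with four arguments, print the rule set.
if [ $# -eq 4 ]; then
    killswitch_rules "$@"
fi
```

Because the LAN rule still allows direct traffic to 192.168.0.0/24, DNS queries to a resolver on the router would leave unencrypted when the tunnel is down; point the resolver at an address reached through the VPN, or drop that rule if you do not need LAN access.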
-2

Look at a tool like Shorewall to build your iptables rules. Configure your VPN and the Internet into different zones. You can then allow ports on the VPN zone that you don't allow on the NET zone. The Shorewall documentation is extensive and includes how to modify your configuration when adding a VPN. Start with the example 1 interface configuration and add in the VPN.

BillThor