4

I have a VPN, and my server frequently sends data to a private IP address that routes over the VPN. When the OpenVPN gets established or dies, it enables/disables the routes.

I want to null-route that private IP range from going out over the main Internet interface (eth0). Is there an easy way to do that without interfering with the route commands coming from the VPN software?

Iptables won't do it. I tried

iptables -A OUTPUT -i eth0 -p tcp -d 192.168.0.0/16 -j REJECT

But iptables does not work when specifying an interface in the output chain.

Anyone know if there is a way to add a dummy route onto a specific interface (eth0) only, without interfering with other interfaces that may be using that route?

PS: I am aware 192.168.0.0/16 is not Internet routable, but for security reasons I want to ensure no data gets out in the rare chance another local server or network device starts listening on the private subnet.

Crash Override

3 Answers

5

Your interface specification in the iptables rule is backward.

You specified:

iptables -A OUTPUT -i eth0 -p tcp -d 192.168.0.0/16 -j REJECT

Using -i matches traffic that enters the system on the named interface.

Instead, you want to match traffic leaving the system on the named interface, which is done with -o.

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.0.0/16 -j REJECT

(And you probably don't want -p tcp in there, otherwise non-TCP traffic might pass.)

Michael Hampton
2

In addition to Michael's answer, I think one should block the traffic in the FORWARD chain, since the OUTPUT chain applies only to locally generated packets going out from the firewall. As far as I know, it doesn't apply to routed packets.

Tero Kilkanen
2

You've already got the answer you needed to do it with iptables.

If you want to do it with routes, a good way is to have a route for 192.168.0.0/16 and have your vpn server send you two routes that are a bit more specific; in your case the two routes would be 192.168.0.0/17 and 192.168.128.0/17.

The /16 route would be fixed and null-routed:

ip route add blackhole 192.168.0.0/16

And your vpn server (or vpn-up script) would provide you with the others:

ip route add 192.168.0.0/17 via <VPNGW>
ip route add 192.168.128.0/17 via <VPNGW>

This is actually what the def1 option in OpenVPN does to override the default gateway without messing with existing routes.

GnP
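As an added example (not code from any of the answers above), a small POSIX sh script that computes the two more-specific halves of the blackholed prefix and prints the route commands a VPN-up script would run; it only prints, and the gateway 10.8.0.1 is a constructed placeholder for <VPNGW>. It generalizes the /16 case to any prefix up to /31.

```shell
#!/bin/sh
# Added example, not part of the original answer. Given the blackholed prefix
# (e.g. 192.168.0.0/16), compute the two more-specific halves (/17) that the
# VPN-up script installs via the VPN gateway, and print the route commands.
# It only prints; the gateway 10.8.0.1 is a constructed placeholder for <VPNGW>.

# Dotted quad -> 32-bit integer (subshell body so the IFS change stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the two halves of NET/LEN as "lower/(LEN+1) upper/(LEN+1)".
# A host address inside the block (192.168.5.0/16) is first masked to its
# network address, so the result is still 192.168.0.0/17 192.168.128.0/17.
split_prefix() {
    net=${1%/*}; len=${1#*/}
    [ "$len" -le 31 ] || { echo "cannot split a /$len" >&2; return 1; }
    base=$(( $(ip2int "$net") & ~((1 << (32 - len)) - 1) & 4294967295 ))
    newlen=$((len + 1))
    half=$(( 1 << (32 - newlen) ))
    echo "$(int2ip "$base")/$newlen $(int2ip $((base + half)))/$newlen"
}

# Full set of commands: a permanent blackhole for the whole range, then the
# two more-specific routes the VPN-up script adds (and removes on VPN-down).
route_commands() {
    halves=$(split_prefix "$1") || return 1
    echo "ip route add blackhole $1"
    for h in $halves; do
        echo "ip route add $h via $2"
    done
}

route_commands 192.168.0.0/16 10.8.0.1
```

Because the /17 routes are more specific than the /16 blackhole, they win while the VPN is up; when the VPN-down script removes them, traffic for the range falls back to the blackhole instead of leaving via eth0.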