1

I'm running Centos 7 in a VM (I don't believe this should matter, but for context...)

Inside the VM, I'm running software to establish a tunnel. I can already accept connections from the host okay, but I want to force all outbound traffic over the tunnel.

How can I allow return packets for existing connections, while also ensuring no new connections are established from the box unless over tun0?

I've looked at this question iptables blocking all outbound connections but it appears a bit brute-force... I've been using firewall-cmd and the output for iptables -L -n -v is verbose.

Conversely, with Use specific interface for outbound connections (Ubuntu 9.04), I can't see how to apply it to centos.

How can I reliably ensure that all outbound traffic is either established over tun0 or not at all?

Basic
  • 426
  • 2
  • 9
  • 23

1 Answers1

2

This would effectively prevent any outgoing (IPv4) traffic except on tun0.

iptables -F OUTPUT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -P OUTPUT DROP

Be aware that this will prevent any outbound traffic on any interface except tun0, which includes DHCP traffic, established SSH tunnels or the outbound packets from your established tunnel.

This can similarly be applied to IPv6 using ip6tables.

Ginnungagap
  • 1,998
  • 8
  • 9
  • Thanks for the suggestion. My initial concerns were: I use firewall-cmd for everything else and I didn't want to impact the umpteen tables it uses (and/or were setup by Centos by default). Also, this doesn't address inbound from local. That said, the more I think about it, the more I think this sidesteps both issues by only trashing the OUTPUT table. Is that correct? – Basic Aug 31 '19 at 16:03
  • 1
    I don't know firewall-cmd but this clears the OUTPUT table (optional), adds a rule that allows outbound traffic on the specficied interface and denies all other outbound traffic (done by policy in the above example, could be just a rule). Similar rules can be applied to the INPUT table. If you want to restrict network flows without adding rules to your firewall, contact a security vendor who'll hapilly sell you snake oil that does magic. – Ginnungagap Aug 31 '19 at 16:09