!!PLEASE NOTE: This software installs Python console scripts, so your local user binary directory must be in your PATH for the command to be callable. Add the following line to the end of your ~/.profile, then log out and back in, or source the file.
export PATH=/home/{YOUR_USER_NAME}/.local/bin:$PATH
Your personal linux laptop is wide open to security risks.
I’ve put together some software to automate some level of protection, but first,
please read the articles we have gone through before on how to manually plug some holes,
- Secure Your Linux Laptop With iptables
- OpenVPN: Create A Linux VPN iptables Killswitch
- VPN Kill Switch With Docker
You should read these three articles first, and understand that these tips are for a local laptop only: if you apply this knowledge to a remote server you could lock yourself out.
Install ‘vpnkillswitch’
Tested on and for Ubuntu and Linux Mint
VPN providers like NordVPN and ProtonVPN do not support IPv6.
The RexBytes ‘vpnkillswitch’ software will turn off IPv6 on your system to prevent data leaks.
Now Available On pypi.org
Python package ‘vpnkillswitch’ is now available at https://pypi.org/project/vpnkillswitch/ .
This package automates everything we have covered in the three articles above.

You can install it on your system using the following command.
ubuntu@goodboy:~$ python3 -m pip install vpnkillswitch
Defaulting to user installation because normal site-packages is not writeable
Collecting vpnkillswitch
Downloading vpnkillswitch-0.1.0-py3-none-any.whl (6.7 kB)
Installing collected packages: vpnkillswitch
Successfully installed vpnkillswitch-0.1.0
Also Available On GitHub
OpenVPN Config File
If you have read the previous articles you will have noted that we are working with OpenVPN and its config file. The RexBytes ‘vpnkillswitch’ software assumes you are too, and also assumes your VPN virtual device is the OpenVPN default named ‘tun’. You can see this name if you open your OpenVPN config file.
client
dev tun <----- HERE IT IS
proto udp
You can check that your system is indeed running a VPN tunneling device of this name using the following command in a terminal.
ubuntu@goodboy:~$ ifconfig
docker0: ...
enp0s3: ...
lo: ...
tun0: ... <----- HERE IS YOUR VIRTUAL TUNNELING DEVICE
I have left out the detailed output, but you can see that I am running an OpenVPN tunnel and that my device name is ‘tun0’, which is fine: the kill switch rules match ‘tun+’, which covers tun0, tun1 and so on.
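As an added example (my own, not part of the original post or of the vpnkillswitch package), here is a small Python check that reads the ‘dev’ directive out of an OpenVPN config, derives the iptables wildcard the kill switch relies on (‘tun+’ matches tun0, tun1, ...), and confirms that such an interface is actually present. The config text and the interface list are constructed samples, not a real provider file.

```python
import re
from typing import List, Optional

# Constructed sample OpenVPN client config (not a real provider file).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
"""

# Constructed interface list, as `ifconfig` reported on the laptop above.
SAMPLE_INTERFACES = ["docker0", "enp0s3", "lo", "tun0"]


def ovpn_dev(config_text: str) -> Optional[str]:
    """Return the value of the `dev` directive, ignoring '#'/';' comments and blank lines."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "dev":
            return parts[1]
    return None


def iptables_wildcard(dev: str) -> str:
    """`dev tun` makes OpenVPN allocate tun0, tun1, ...; iptables matches them all with `tun+`."""
    base = re.sub(r"\d+$", "", dev)   # strip a trailing index such as tun0 -> tun
    return base + "+"


def matching_interfaces(dev: str, interfaces: List[str]) -> List[str]:
    """Interfaces the iptables wildcard derived from `dev` would match (prefix match)."""
    prefix = iptables_wildcard(dev)[:-1]
    return [name for name in interfaces if name.startswith(prefix)]


def check_tunnel_device(config_text: str, interfaces: List[str]) -> str:
    """Human-readable verdict: does the config's device family have a live interface?"""
    dev = ovpn_dev(config_text)
    if dev is None:
        return "no dev directive found; vpnkillswitch assumes 'tun'"
    found = matching_interfaces(dev, interfaces)
    if not found:
        return f"no {iptables_wildcard(dev)} interface is up; is OpenVPN connected?"
    return f"ok: dev {dev} -> {iptables_wildcard(dev)} matches {', '.join(found)}"


if __name__ == "__main__":
    print(check_tunnel_device(SAMPLE_OVPN, SAMPLE_INTERFACES))
```

A config that says ‘dev tap’ would produce ‘tap+’, which the kill switch rules shown later in this post do not match; that is exactly the mismatch this check is meant to surface before you turn the switch on.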
vpnkillswitch Usage
Go ahead and run the help for the vpnkillswitch command after you have installed it,
ubuntu@goodboy:~$ vpnkillswitch -h
usage: vpnkillswitch [-h]
(--on | --off | --protect | --vpn | --docker | --flush | --nuke)
[-g]
VPN Kill Switch
options:
-h, --help show this help message and exit
protection:
protection arguments
--on Full protection, activates vpn killswitch and docker
killswitch
--off Turns off full protection
--protect Blocks inward traffic unless related and established
--vpn Turn on vpn killswitch only
--docker Turn on docker killswitch only
--flush Flush/Delete Rexbytes additions to your filewall, sets
ACCEPT on all chains too.
--nuke WARNING, this will reset your iptables to allow all traffic
granularity:
option for more granular port lockdown/allow
-g, --granular Creates a more granular iptables ruleset
--nuke WARNING DO NOT USE
I would stay away from the ‘--nuke’ option and use it only as a last resort to restore network access to your laptop. ‘--nuke’ will delete ALL existing iptables firewall rules, even those belonging to other applications, but it will unblock traffic. Please check the general network status before resorting to this option.
--on
‘--on’ will turn on the kill switch for your OpenVPN connection and also for Docker; it will also run ‘--protect’.
You can add the ‘-g’ switch to create a more granular iptables ruleset, in which you can add or remove port access by editing the bash files described at the end of this article. It is recommended to run ‘--flush’ first when switching between the granular and non-granular options.
--off
‘--off’ removes the references to your RexBytes iptables chains but leaves the chains themselves in place. You can re-enable your protection by running ‘--on’, which effectively re-adds the references to the existing chains; this is why you should use ‘--flush’ if you want to change to, or back from, the more granular ruleset.
--protect
‘--protect’ isn’t a kill switch, but it does give your system the most basic protection: staying quiet on a network and not responding to traffic it did not originally request.
--vpn
‘--vpn’ will turn on the kill switch for your OpenVPN connection only, by adding the appropriate chain and rules.
--docker
‘--docker’ will turn on the kill switch for your Docker chain only, by adding the appropriate chain and rules.
--flush
‘--flush’ turns off all rules, deletes all RexBytes chains, and deletes the systemd unit files and the bash scripts,
removing all signs of ‘vpnkillswitch’ from your system and leaving behind your original iptables state.
On system restart no scripts will be run.
You will be asked for your sudo password when using any of these switches, as editing iptables needs root privileges.
The RexBytes ‘vpnkillswitch’ package will create the following iptables chains for you,
root@goodboy:/home/ubuntu# iptables -L | grep 'Chain RB_'
Chain RB_DOCKER_VPN_KILL_SWITCH (1 references)
Chain RB_OUTPUT_VPN_KILL_SWITCH (1 references)
Chain RB_RELATED_AND_ESTABLISHED (1 references)
and create references in the default chains (INPUT, OUTPUT, FORWARD) and the Docker chain (DOCKER-USER) that point to these new RexBytes chains.
Turning off ‘vpnkillswitch’ removes the RexBytes references; flushing it also deletes the RexBytes chains. Either way your original iptables rules are left in place.
The RexBytes ‘vpnkillswitch’ also creates the appropriate systemd unit files and enables these services for you, so that after a restart your iptables rules are back in place.
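The chain-and-reference bookkeeping described above is worth seeing in code. The following Python example is added here and is my own, not code from the vpnkillswitch package: it reproduces the ‘--protect’ state (the RB_RELATED_AND_ESTABLISHED chain, the jump to it from INPUT, and DROP policies on INPUT and FORWARD), adds each rule only after an `iptables -C` check so that re-running it never duplicates rules (the behaviour behind the "RULE DOES NOT EXIST, CREATING..." lines), and models ‘--off’ (remove the reference, keep the chain) against ‘--flush’ (remove reference, chain and restore ACCEPT). `FakeIptables` is a constructed in-memory stand-in so the script runs without root; `real_iptables` is the runner you would pass instead on a real system. What ‘--off’ does to the chain policies is not shown on the page, so `turn_off` here leaves them alone (an assumption).

```python
import subprocess
from typing import Callable, List

# A runner takes the iptables arguments (without the binary name) and returns the
# exit status, so the same logic can drive the real binary or an offline stand-in.
Runner = Callable[[List[str]], int]

PROTECT_CHAIN = "RB_RELATED_AND_ESTABLISHED"


def real_iptables(args: List[str]) -> int:
    """Call the system iptables binary (needs root); returns its exit status."""
    return subprocess.run(["iptables", *args], capture_output=True).returncode


class FakeIptables:
    """Constructed in-memory stand-in for iptables so the example runs offline.
    It models just enough of -N/-X/-F/-P/-C/-A/-I/-D to track chains, rules and policies."""

    BUILTIN = ("INPUT", "FORWARD", "OUTPUT")

    def __init__(self) -> None:
        self.chains = {c: [] for c in self.BUILTIN}
        self.policies = {c: "ACCEPT" for c in self.BUILTIN}

    def referenced(self, chain: str) -> bool:
        return any("-j" in r and r[r.index("-j") + 1] == chain
                   for rules in self.chains.values() for r in rules)

    def __call__(self, args: List[str]) -> int:
        op, chain, rule = args[0], args[1], args[2:]
        if op == "-N":                       # create a user chain; fails if it exists
            if chain in self.chains:
                return 1
            self.chains[chain] = []
            return 0
        if chain not in self.chains:         # every other op needs an existing chain
            return 1
        if op == "-P":
            self.policies[chain] = rule[0]
            return 0
        if op == "-C":                       # check: 0 only if the exact rule is present
            return 0 if rule in self.chains[chain] else 1
        if op == "-A":
            self.chains[chain].append(rule)
            return 0
        if op == "-I":
            self.chains[chain].insert(0, rule)
            return 0
        if op == "-D":                       # "Bad rule" when nothing matches
            if rule not in self.chains[chain]:
                return 1
            self.chains[chain].remove(rule)
            return 0
        if op == "-F":
            self.chains[chain].clear()
            return 0
        if op == "-X":                       # only empty, unreferenced user chains can go
            if chain in self.BUILTIN or self.chains[chain] or self.referenced(chain):
                return 1
            del self.chains[chain]
            return 0
        return 2


def ensure_rule(run: Runner, chain: str, rule: List[str], insert: bool = False) -> bool:
    """Add a rule only if `iptables -C` reports it absent; returns True when it was created.
    This keeps the boot-time script idempotent instead of stacking duplicate rules."""
    if run(["-C", chain, *rule]) == 0:
        return False
    run(["-I" if insert else "-A", chain, *rule])
    return True


def apply_protect(run: Runner) -> int:
    """Reproduce the --protect state and return how many rules this call created."""
    run(["-N", PROTECT_CHAIN])               # harmless failure if the chain already exists
    created = 0
    created += ensure_rule(run, PROTECT_CHAIN,
                           ["-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"])
    created += ensure_rule(run, "INPUT", ["-j", PROTECT_CHAIN], insert=True)
    run(["-P", "INPUT", "DROP"])             # the ACCEPT rule only means something if the
    run(["-P", "FORWARD", "DROP"])           # default is DROP (see the listing below)
    return created


def turn_off(run: Runner) -> bool:
    """--off: remove the reference from INPUT, keep the chain (policies left as-is, an assumption)."""
    return run(["-D", "INPUT", "-j", PROTECT_CHAIN]) == 0


def flush(run: Runner) -> bool:
    """--flush: drop the reference, empty and delete the chain, restore ACCEPT policies."""
    turn_off(run)
    run(["-F", PROTECT_CHAIN])
    deleted = run(["-X", PROTECT_CHAIN]) == 0
    for chain in ("INPUT", "FORWARD"):
        run(["-P", chain, "ACCEPT"])
    return deleted


if __name__ == "__main__":
    fake = FakeIptables()
    print("first run created", apply_protect(fake), "rule(s); second run created", apply_protect(fake))
    print("flush deleted chain:", flush(fake), "| INPUT policy now", fake.policies["INPUT"])
```

The `-C` check is the detail to take away: a systemd unit that re-runs a firewall script on every boot, or an admin who runs ‘--on’ twice, should leave the ruleset exactly as it was, not with a second copy of each rule.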
Run vpnkillswitch --protect Now!
You may not even have set up a VPN or Docker on your system, but at the very least you should only allow access to your machine on connections that are RELATED or ESTABLISHED.
If you have a freshly installed Linux system and check your iptables you will see, as mentioned in the previous articles, that you are fully open.
root@goodboy:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
You should run the following command,
ubuntu@goodboy:~$ vpnkillswitch --protect
my_args.protect:True
[sudo] password for ubuntu:
Creating RB_RELATED_AND_ESTABLISHED...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Created symlink /etc/systemd/system/network.target.wants/rexbytes_protect.service → /etc/systemd/system/rexbytes_protect.service.
If you list your iptables you will now see that a new RB_RELATED_AND_ESTABLISHED chain has been created, that a reference to it has been inserted in the INPUT chain, and that the INPUT and FORWARD policies are now DROP, which is what makes the ACCEPT rule meaningful.
root@goodboy:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RB_RELATED_AND_ESTABLISHED all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain RB_RELATED_AND_ESTABLISHED (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
THIS IS THE BARE MINIMUM SECURITY YOU SHOULD HAVE FOR YOUR LINUX LAPTOP
You can undo these changes if you like with the following command,
ubuntu@goodboy:~$ vpnkillswitch --flush
my_args.flush:True, granularity:False
Removed /etc/systemd/system/network.target.wants/rexbytes_protect.service.
Failed to disable unit: Unit file rexbytes_vpn4killswitch.service does not exist.
Failed to disable unit: Unit file rexbytes_dockerkillswitch.service does not exist.
off-D
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-D
iptables: Bad rule (does a matching rule exist in that chain?).
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-F
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
flush-D
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Wherever a chain, service or rule doesn’t exist yet, you will see complaints that it can’t be deleted, which is fine. A ‘flush’ restores your iptables by deleting the RexBytes chains and rules, and you may not have activated all of them: you can’t delete what doesn’t exist.
After a ‘vpnkillswitch --flush’, your iptables will be restored to their previous state.
Fully Protected System
On a system with a running OpenVPN, and an install of Docker, you can turn on full protection with the following command.
ubuntu@goodboy:~$ vpnkillswitch --on
my_args.on:True, granularity:False
Failed to disable unit: Unit file rexbytes_protect.service does not exist.
Failed to disable unit: Unit file rexbytes_vpn4killswitch.service does not exist.
Failed to disable unit: Unit file rexbytes_dockerkillswitch.service does not exist.
off-D
iptables v1.8.7 (nf_tables): Chain 'RB_RELATED_AND_ESTABLISHED' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-D
iptables v1.8.7 (nf_tables): Chain 'RB_RELATED_AND_ESTABLISHED' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_OUTPUT_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): Chain 'RB_DOCKER_VPN_KILL_SWITCH' does not exist
Try `iptables -h' or 'iptables --help' for more information.
flush-F
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
flush-D
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Creating RB_RELATED_AND_ESTABLISHED...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Creating RB_OUTPUT_VPN_KILL_SWITCH...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Created symlink /etc/systemd/system/network.target.wants/rexbytes_vpn4killswitch.service → /etc/systemd/system/rexbytes_vpn4killswitch.service.
Creating RB_DOCKER_VPN_KILL_SWITCH...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
RULE DOES NOT EXIST, CREATING...
Created symlink /etc/systemd/system/multi-user.target.wants/rexbytes_dockerkillswitch.service → /etc/systemd/system/rexbytes_dockerkillswitch.service.
ubuntu@goodboy:~$
The output is there for information; you can ignore it for now. In later versions I may tidy it up.
You can check it worked by listing your iptables,
root@goodboy:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1733 1676K RB_RELATED_AND_ESTABLISHED all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
505 42420 DOCKER-USER all -- any any anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
Chain OUTPUT (policy DROP 2 packets, 400 bytes)
pkts bytes target prot opt in out source destination
1545 150K RB_OUTPUT_VPN_KILL_SWITCH all -- any any anywhere anywhere
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RB_DOCKER_VPN_KILL_SWITCH all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain RB_DOCKER_VPN_KILL_SWITCH (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun+ anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DROP all -- any any anywhere anywhere
Chain RB_OUTPUT_VPN_KILL_SWITCH (1 references)
pkts bytes target prot opt in out source destination
775 95563 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
768 54376 ACCEPT all -- any tun+ anywhere anywhere
0 0 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT all -- any any anywhere 10.0.0.0/8
Chain RB_RELATED_AND_ESTABLISHED (1 references)
pkts bytes target prot opt in out source destination
1733 1676K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
If the above doesn’t read as easily as an email rule set, you should definitely go back and read the three articles recommended at the top of this post.
It is surprisingly simple.
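To make the two RexBytes chains concrete, the following added Python example (my own, not code from the package) transcribes the RB_OUTPUT_VPN_KILL_SWITCH and RB_DOCKER_VPN_KILL_SWITCH rules from the listing above into a tiny rule evaluator and walks sample packets through them, so you can see why the pings in the gif below stop the moment the tunnel goes down. ‘udp dpt:openvpn’ is port 1194 (iptables prints the service name from /etc/services); the interface names, addresses and packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """A packet as the filter table sees it; constructed sample values only."""
    proto: str                 # "tcp", "udp" or "icmp"
    in_if: str                 # ingress interface, "" for locally generated traffic
    out_if: str                # egress interface
    dst: str                   # destination IPv4 address
    dport: Optional[int] = None
    ctstate: str = "NEW"


@dataclass
class Rule:
    """One line of an iptables chain; None means 'any', like 'anywhere' in the listing."""
    target: str                # ACCEPT or DROP
    proto: Optional[str] = None
    in_if: Optional[str] = None     # "tun+" is the iptables prefix wildcard
    out_if: Optional[str] = None
    dst: Optional[str] = None       # CIDR
    dport: Optional[int] = None
    ctstates: Optional[Tuple[str, ...]] = None


def iface_match(pattern: Optional[str], name: str) -> bool:
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (None, pkt.proto)
            and iface_match(rule.in_if, pkt.in_if)
            and iface_match(rule.out_if, pkt.out_if)
            and (rule.dst is None
                 or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))
            and rule.dport in (None, pkt.dport)
            and (rule.ctstates is None or pkt.ctstate in rule.ctstates))


def walk(chain: List[Rule], pkt: Packet, policy: str) -> str:
    """First matching rule wins; falling off the end means the built-in chain's policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# Transcribed from the `iptables -L -v` listing above. OUTPUT's policy is DROP, so this
# chain needs no explicit DROP line: anything it does not ACCEPT is dropped anyway.
RB_OUTPUT_VPN_KILL_SWITCH = [
    Rule("ACCEPT", proto="udp", dport=1194),   # udp dpt:openvpn: lets the tunnel come up
    Rule("ACCEPT", out_if="tun+"),             # anything leaving through the tunnel
    Rule("ACCEPT", out_if="lo"),               # loopback
    Rule("ACCEPT", dst="10.0.0.0/8"),          # private-range exception
]
RB_DOCKER_VPN_KILL_SWITCH = [
    Rule("ACCEPT", out_if="tun+"),
    Rule("ACCEPT", in_if="tun+", ctstates=("RELATED", "ESTABLISHED")),
    Rule("DROP"),                              # reached from DOCKER-USER, so this ends it
]


def host_output_verdict(pkt: Packet) -> str:
    """Verdict for traffic the laptop itself sends (OUTPUT chain, policy DROP)."""
    return walk(RB_OUTPUT_VPN_KILL_SWITCH, pkt, policy="DROP")


def container_forward_verdict(pkt: Packet) -> str:
    """Verdict for container traffic forwarded via DOCKER-USER (FORWARD chain, policy DROP)."""
    return walk(RB_DOCKER_VPN_KILL_SWITCH, pkt, policy="DROP")


if __name__ == "__main__":
    # Constructed scenarios: the laptop and a container pinging 1.1.1.1, tunnel down and up.
    print("host ping, tunnel down :", host_output_verdict(Packet("icmp", "", "enp0s3", "1.1.1.1")))
    print("host ping, tunnel up   :", host_output_verdict(Packet("icmp", "", "tun0", "1.1.1.1")))
    print("container, tunnel down :", container_forward_verdict(Packet("icmp", "docker0", "enp0s3", "1.1.1.1")))
    print("container, tunnel up   :", container_forward_verdict(Packet("icmp", "docker0", "tun0", "1.1.1.1")))
```

Two things the evaluator makes visible: the OpenVPN handshake itself (UDP to port 1194 out of the physical interface) must be allowed or the tunnel could never be re-established after a drop, and a home router on 192.168.1.1 lies outside the 10.0.0.0/8 exception, so with the tunnel down the laptop cannot reach it either. That is the kind of exception you would add in the bash scripts described below, not by hand in iptables.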
Persistent iptables With systemd
As briefly mentioned above, ‘vpnkillswitch’ will create systemd unit files, and also the relevant scripts to be run on startup to populate your iptables.
Systemd Unit Files
‘vpnkillswitch’ will create the following service files, and will also delete them when you give the appropriate commands. There is no need to edit these files directly.
‘systemctl enable/disable’ is run automatically for the command switches you specify.
/etc/systemd/system/rexbytes_protect.service
/etc/systemd/system/rexbytes_dockerkillswitch.service
/etc/systemd/system/rexbytes_vpn4killswitch.service
System Bash Files
‘vpnkillswitch’ will create the following associated bash scripts, one for each iptables chain,
/usr/local/bin/rexbytes_protect.sh
/usr/local/bin/rexbytes_dockerkillswitch.sh
/usr/local/bin/rexbytes_vpn4killswitch.sh
You should edit these under one condition: if you specify the ‘-g, --granular’ option when calling ‘vpnkillswitch’, you have the option of adding or removing port access by editing ‘rexbytes_vpnkillswitch.sh’ and ‘rexbytes_dockerkillswitch.sh’. For basic ports I have
lines ready in those scripts for you to comment or uncomment. You can then either restart your system or run the bash script directly as root.
In Action
Here is a gif of the killswitch in action.
On the left is a terminal on the system running a ping.
On the right is a docker container running a ping in a terminal.
You can see that as soon as I turn off the VPN the pings stop,
as soon as I turn on the VPN the pings restart.

The RexBytes ‘vpnkillswitch’ software works.
ENJOY!
Please remember that this software is meant to be used on your local laptop and not on a remote server, where you would lock yourself out.
Please enjoy hardening your systems, and if you have any issues please report them at the following page,