I am using PF as the killswitch on macOS (see this).

Using PF is possible because the ipsec connection has its own interface (ipsec0).

How can I implement something similar on Linux given the ipsec connection is on the same interface as ethernet?

sunknudsen

2 Answers

Looks like you are searching for something like nftables or iptables or any firewall sitting on top of these like firewalld or ufw.

hargut

Using Netfilter's policy module you can easily create firewall rules that apply to tunneled or non-tunneled traffic. For instance, to reject all outbound traffic that doesn't match any IPsec policies (i.e. is not tunneled) you could use a rule like this:

iptables -A OUTPUT -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited

Alternatively, you can block all outbound traffic by default (e.g. set the policy for the OUTPUT chain to DROP) and then use the following to explicitly allow tunneled traffic:

iptables -A OUTPUT -m policy --pol ipsec --dir out -j ACCEPT

If necessary, these rules can be made more specific (e.g. limited to certain interfaces or IP addresses).

In both cases you'll need additional rules to allow IKE (UDP 500/4500) and ESP traffic (protocol 50, or the same ports as IKE if UDP encapsulation is used), plus DNS (unless the VPN server IP is hard-coded) and possibly DHCP.

ecdsa
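A complete rule set for the second approach (default-deny on OUTPUT, then an explicit allow for `--pol ipsec` traffic together with the IKE, ESP and DHCP exceptions mentioned above), as an added example that is not part of ecdsa's answer. VPN_SERVER (203.0.113.10) and IFACE (eth0) are constructed placeholders; because the gateway IP is hard-coded, no plaintext DNS rule is needed and name resolution can happen inside the tunnel. The script prints the iptables commands instead of running them, so the output can be reviewed first (or piped to sh as root) and checked without privileges.

```shell
#!/bin/sh
# Added example: generate an IPsec killswitch for iptables based on the
# Netfilter policy match. Nothing here is applied; the rules are printed.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # constructed placeholder: IPsec gateway IP
IFACE="${IFACE:-eth0}"                      # constructed placeholder: uplink interface

# Emit the rules in the order they must be applied. Only the gateway may be
# reached in plaintext (IKE + ESP); everything else must match an IPsec policy.
killswitch_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
# loopback is never tunneled and must stay open
iptables -A OUTPUT -o lo -j ACCEPT
# IKE (UDP 500/4500) and ESP (protocol 50) to the gateway only
iptables -A OUTPUT -o $IFACE -d $VPN_SERVER -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A OUTPUT -o $IFACE -d $VPN_SERVER -p esp -j ACCEPT
# DHCP renewals happen outside the tunnel
iptables -A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j ACCEPT
# anything that will be encapsulated by an IPsec policy is allowed
iptables -A OUTPUT -m policy --pol ipsec --dir out -j ACCEPT
# explicit reject at the end so applications fail fast instead of timing out
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Returns 0 when the ipsec allow rule precedes the final REJECT, i.e. the
# generated order cannot reject tunneled traffic by mistake.
rule_order_ok() {
    accept_line=$(killswitch_rules | grep -n -- '--pol ipsec' | cut -d: -f1)
    reject_line=$(killswitch_rules | grep -n -- '-j REJECT' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

killswitch_rules
```

To apply, run `sh killswitch.sh | sudo sh`; the `-P OUTPUT DROP` line keeps the box closed even if a later rule fails to load. Inbound traffic is untouched, so add matching INPUT rules if the host also accepts connections.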