I have been looking into VPNs the last few weeks. I want to have some anonymity/privacy, so I thought of using a VPN service. From what I have read in a few articles, there can be a problem with 'DNS leaks' if the computer tries to get its info from the ISP, or if the VPN fails the IP address can be exposed, and VPN services weren't always reliable at protecting against this. I thought this script would work if I could fit it to my situation. I only have one computer, so I don't know if I need the IP he used, or if I could delete or edit those lines. This is the link to the post I found it in: http://forums.debian.net/viewtopic.php?f=10&t=108381 I would like to hear of other solutions. I was hoping to find a simple solution for this.
On Wed, 11 Mar 2015 01:27:08 -0600 Gustin Johnson <gus...@meganerd.ca> wrote:

> Are you trying to host a VPN server or connect to one? It would
> help to step back and explain the problem and then explain what you
> understand the solution to be. Some context would be really helpful
> (and potentially help you avoid solutions that don't really fix your
> problem... this is pretty much the story of my career).
>
> From the script that you posted it appears that you are setting some
> iptables (aka "firewall") rules allowing all traffic on the eth0
> interface of some host from all computers in the network range of
> 192.168.1.1-255. It appears that you are also attempting to allow
> this machine to make DHCP requests and to connect to some vpn servers
> pulled from openvpn config files. This would indicate that you want
> to connect your machine to an openvpn server to protect your traffic
> from snoopers on the first couple of hops, but you don't need
> iptables to do that.
>
> Basically it looks like an overly complicated (but not a complete or
> thorough) client configuration. You don't need iptables to connect
> to an openvpn server. This is where the context would be handy.
>
> *** Begin what is probably insanely boring background information for
> most sane people. ***
>
> 192.168.XX.XX addresses are one of the blocks set aside for "private"
> use. That is, they were never intended to be used on the Internet,
> just small private, disconnected networks. When we started running
> out of IP addresses 20 years ago, some people came up with the idea
> of Network Address Translation (NAT) where you could have a router
> hide these private networks behind a single publicly routable IP (a
> "real" IP address out on the Internet).
>
> 192.168.0.0/24 (basically 192.168.0.1-255) is commonly used in off the
> shelf routers (Dlink, Linksys, TP-Link, Asus etc.) and in a lot of
> examples in DIY solutions.
>
> 10.XXX.XXX.XXX and 172.16.XXX.XXX are some other "private" IP blocks.
>
> What this all means is that your computers on your LAN that are
> behind your router probably have an IP address like this. The thing
> is, no one on the Internet can initiate a connection to them directly;
> they have to connect to your router's "external" (Shaw provided) IP
> address, and then maybe the router will forward that packet to an
> internal host (this is usually known as port forwarding). This is
> not usually a problem when you connect because your machine will
> connect to the router, which will then "remember" that your computer
> sent the request, and then forwards all the replies to your computer.
>
> *** End boring stuff. If you want to really get to know networking
> and Linux, lartc.org is *THE* place to go first. ***
>
>
> On Tue, Mar 10, 2015 at 11:07 PM, Joe S <joes...@shaw.ca> wrote:
>
> > I found this script and am trying to get it to work for my
> > computer. It is to restrict connections to the VPN. The thing I
> > don't understand is what IP address to use. I have been looking
> > on the NET, but am not familiar with networking. In this script
> > the person uses 192.168.1.0/24
> > I think this is for a network. I am connected to Shaw through a
> > cable modem, so I need to know what IP would be used in my
> > case.
> >
> > Thanks
> >
> > #!/bin/sh
> >
> > # Default-deny inbound; loopback and replies to our own connections are allowed.
> > /sbin/iptables -P INPUT DROP
> > /sbin/iptables -A INPUT -i lo -j ACCEPT
> > /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > # Accept anything arriving from the LAN on eth0; answer it only for flows already open.
> > /sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
> > /sbin/iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > # DHCP client requests (source port 68).
> > /sbin/iptables -A OUTPUT -p udp --sport 68 -j ACCEPT
> >
> > # One ACCEPT rule per distinct 'remote' host in the OpenVPN client configs.
> > /bin/grep -h '^remote ' /etc/openvpn/*.ovpn | /usr/bin/cut -d ' ' -f 2 | /usr/bin/sort -du | /usr/bin/xargs -I @ /sbin/iptables -A OUTPUT -d @ -j ACCEPT
> >
> > # Everything else leaving eth0 is refused; this rule does not match traffic leaving via the tunnel interface.
> > /sbin/iptables -A OUTPUT -o eth0 -j REJECT
> >
> > _______________________________________________
> > clug-talk mailing list
> > clug-talk@clug.ca
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> > Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> > **Please remove these lines when replying
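The script quoted above is a VPN "kill switch": it refuses anything leaving eth0 that is not DHCP or a connection to one of the configured VPN servers, so if the tunnel drops, traffic (DNS lookups included) fails instead of going out over the ISP link. The version below is an added example, not the script from the Debian forum post or anything posted in this thread, that does the same job for a single computer behind a home router: the 192.168.1.0/24 rules are dropped because one host only needs DHCP to the router plus the VPN endpoints, the OUTPUT policy is set to DROP instead of relying on the default, 'remote' lines are parsed with their port and protocol rather than matching the destination address alone, and IPv6 is blocked because a VPN that carries only IPv4 would otherwise let IPv6 traffic bypass it. The interface names eth0 and tun0, the config locations (/etc/openvpn/*.conf, which the Debian package reads, and *.ovpn) and the sample config are my assumptions. With DRY_RUN=1 it prints the iptables commands instead of running them, so it can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): build an OpenVPN "kill switch" rule set.
# Assumptions, all mine: physical uplink eth0, tunnel interface tun0, client
# configs under /etc/openvpn as *.conf or *.ovpn, iptables at /sbin/iptables.
# With DRY_RUN=1 the commands are printed instead of executed, so the rule set
# can be reviewed (and tested) without root or a real firewall.

IPT="${IPT:-/sbin/iptables}"
IP6T="${IP6T:-/sbin/ip6tables}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vpn_endpoints FILE...: print one "host proto port" line per distinct
# 'remote' directive. OpenVPN syntax is "remote <host> [port] [proto]";
# a missing port or proto falls back to the file's own 'port'/'proto'
# directives and finally to 1194/udp. Comment lines (# or ;) are skipped.
vpn_endpoints() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v defport=1194 -v defproto=udp '
            /^[[:space:]]*[#;]/ { next }
            $1 == "port"   { defport = $2 }
            $1 == "proto"  { defproto = $2 }
            $1 == "remote" { n++; host[n] = $2; port[n] = $3; proto[n] = $4 }
            END {
                for (i = 1; i <= n; i++) {
                    p  = (port[i]  != "") ? port[i]  : defport
                    pr = (proto[i] != "") ? proto[i] : defproto
                    sub(/-client$/, "", pr); sub(/6$/, "", pr)  # tcp-client, udp6 -> tcp, udp
                    print host[i], pr, p
                }
            }' "$f"
    done | sort -u
}

# kill_switch_rules FILE...: everything leaving WAN_IF must be DHCP, a VPN
# endpoint, or part of an already accepted flow. All other traffic, DNS
# included, can only leave through VPN_IF, which exists only while the
# tunnel is up. IPv6 is dropped outright so it cannot bypass an IPv4-only VPN.
kill_switch_rules() {
    run "$IPT" -F INPUT
    run "$IPT" -F OUTPUT
    run "$IPT" -A INPUT  -i lo -j ACCEPT
    run "$IPT" -A OUTPUT -o lo -j ACCEPT
    run "$IPT" -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # DHCP client -> server, so the router can still hand out the LAN address.
    run "$IPT" -A OUTPUT -o "$WAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # iptables resolves a hostname given to -d when the rule is inserted, so
    # these ACCEPT rules go in before the lockdown below; literal IPs in the
    # 'remote' lines remove the dependency on DNS entirely.
    vpn_endpoints "$@" | while read -r host proto port; do
        run "$IPT" -A OUTPUT -o "$WAN_IF" -p "$proto" -d "$host" --dport "$port" -j ACCEPT
    done
    run "$IPT" -A OUTPUT -o "$VPN_IF" -j ACCEPT
    run "$IPT" -A OUTPUT -o "$WAN_IF" -j REJECT --reject-with icmp-admin-prohibited
    # Lock down last; the DROP policies also cover interfaces not named above.
    run "$IPT" -P INPUT  DROP
    run "$IPT" -P OUTPUT DROP
    run "$IP6T" -F INPUT
    run "$IP6T" -F OUTPUT
    run "$IP6T" -A INPUT  -i lo -j ACCEPT
    run "$IP6T" -A OUTPUT -o lo -j ACCEPT
    run "$IP6T" -P INPUT  DROP
    run "$IP6T" -P OUTPUT DROP
}

# Constructed sample client config (not a real provider's), used for the demo.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
client
dev tun
proto udp
port 1194
remote vpn1.example.net
remote vpn2.example.net 443 tcp
remote 198.51.100.7
; remote disabled.example.net
EOF

# Review the generated rules. To apply them for real, run as root without
# DRY_RUN, e.g.: kill_switch_rules /etc/openvpn/*.conf /etc/openvpn/*.ovpn
DRY_RUN=1 kill_switch_rules "$SAMPLE_CFG"
```

Two consequences of this rule set are worth knowing before relying on it. Because the only way out for ordinary traffic is tun0, the resolver in /etc/resolv.conf has to be reachable through the tunnel (typically the one the VPN server pushes); a query sent to the router or the ISP's resolver over eth0 is rejected, not leaked, so a misconfigured resolver shows up as name resolution failing rather than as a leak. And the hostname-to-address resolution for the 'remote' entries happens once, when the rules are loaded, so if the provider rotates server addresses the rules need reloading or, better, the 'remote' lines should carry IP addresses.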