
Goal: Ensure all traffic is forced over the VPN tunnel from all network interfaces (wlan0, rmnet0, rmnet1); that is, all traffic is dropped when not connected to the VPN. In other words, Internet traffic should not be allowed, and only traffic over the VPN is acceptable.

So far... Android device with iptables binary, wlan & 3G connection, VPN gateway @ 10.10.10.10 (not a real address).

# Default policy: drop everything that no later rule accepts
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Inbound: replies to existing connections, and new connections arriving via the tunnel
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j DROP

# Outbound: existing connections, new connections into the tunnel, and the VPN gateway itself
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -d 10.10.10.10 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -j DROP

Results:

Traffic appears to be blocked - but so too is the connection to the VPN.

Any ideas? I appreciate this is only the mobile data rmnet0 interface and doesn't have WiFi in here yet.

1 Answer


I wouldn't use conntrack in this scenario but a much simpler set:

iptables -A INPUT  -i tun0 -j ACCEPT
iptables -A INPUT  -s 10.10.10.10 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A OUTPUT -d 10.10.10.10 -j ACCEPT

No need for any connection tracking. You also don't need the DROP rules at the end, by the way; the -P ... DROP takes care of that.

You'll also want to make sure that you use the IP of the VPN server in your config, otherwise, you'll have to whitelist DNS too:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -j ACCEPT
Luka
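A variant of the answer's rule set as an added example (not from the question or the answer above): a POSIX sh function that emits the kill switch as an iptables-restore file, adds the loopback rules the thread omits, and narrows the physical-interface exception to the gateway's own port so the whole gateway host is not reachable outside the tunnel. The address 10.10.10.10 and tun0 come from the thread; udp/1194 is an assumed OpenVPN default, and the function name is my own.

```shell
#!/bin/sh
# Added example, not the thread's own rules. Emits an iptables-restore rule set
# for a VPN kill switch. Assumed defaults: tunnel tun0, VPN port udp/1194.
# Usage: sh killswitch.sh 10.10.10.10 tun0 1194 udp | iptables-restore

gen_killswitch_rules() {
    vpn_ip="$1"; tun_if="${2:-tun0}"; vpn_port="${3:-1194}"; vpn_proto="${4:-udp}"
    # Refuse anything that is not a dotted-quad IPv4 address: a typo here would
    # lock the device off the VPN as well as off the Internet. Use the gateway's
    # IP rather than a hostname so port 53 never has to be opened outside tun0.
    case "$vpn_ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$vpn_ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: local services and the device's own resolver need this.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The tunnel carries all application traffic.
-A INPUT -i $tun_if -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
# Only the VPN handshake may leave on the physical interfaces (wlan0, rmnet*),
# and only to the gateway's VPN port, not to every service on that host.
-A OUTPUT -p $vpn_proto -d $vpn_ip --dport $vpn_port -j ACCEPT
-A INPUT -p $vpn_proto -s $vpn_ip --sport $vpn_port -j ACCEPT
COMMIT
EOF
}

# When run directly with arguments, print the rule set for iptables-restore.
if [ "$#" -ge 1 ]; then gen_killswitch_rules "$@"; fi
```

Apply it with `iptables-restore` rather than rule by rule, so the DROP policies and the ACCEPT rules land atomically and there is no window where the device is locked out of the VPN handshake.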