I have a VPN, and my server frequently sends data to a private IP address that routes over the VPN. When the OpenVPN connection gets established or dies, it enables/disables the routes.
I want to null-route that private IP range from going out over the main Internet interface (eth0). Is there an easy way to do that without interfering with the route commands coming from the VPN software?
Iptables won't do it. I tried
iptables -A OUTPUT -i eth0 -p tcp -d 192.168.0.0/16 -j REJECT
But iptables does not work when specifying an interface in the output chain.
Anyone know if there is a way to add a dummy route onto a specific interface (eth0) only, without interfering with other interfaces that may be using that route?
PS: I am aware 192.168.0.0/16 is not Internet-routable, but for security reasons I want to ensure no data gets out in the rare chance another local server or network device starts listening on the private subnet.
Your interface specification in the iptables rule is backward.
You specified:
iptables -A OUTPUT -i eth0 -p tcp -d 192.168.0.0/16 -j REJECT
Using -i matches traffic that enters the system on the named interface. Instead, you want to match traffic leaving the system on the named interface, which is done with -o. (And you probably don't want -p tcp in there, otherwise non-TCP traffic might pass.)

In addition to Michael's answer, I think one should block the traffic in the FORWARD chain, since the OUTPUT chain applies only to locally generated packets going out from the firewall. As far as I know, it doesn't apply to routed packets.

You've already got the answer you needed to do it with iptables.
If you want to do it with routes, a good way is to have a route for 192.168.0.0/16 and have your VPN server send you two routes that are a bit more specific; in your case the two routes would be 192.168.0.0/17 and 192.168.128.0/17.
The /16 route would be fixed and null-routed:
And your VPN server (or vpn-up script) would provide you with the others:
This is actually what the def1 option in OpenVPN does to override the default gateway without messing with existing routes.
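The following is an added example, not code from any of the answers above, that ties together Michael's corrected iptables rule and the more-specific-route trick from the last answer. It does not touch the running system: it emits the iproute2/iptables commands for the fixed blackhole route and the VPN up/down hooks, and it simulates the kernel's longest-prefix match to show why the two /17 routes win while the tunnel is up and the /16 blackhole catches the traffic once it is gone. The tunnel device name tun0, the test addresses and the 192.168.0.0/16 split are assumptions for illustration; the generalisation to any prefix is real, and for 0.0.0.0/0 the same split yields the 0.0.0.0/1 and 128.0.0.0/1 routes that OpenVPN's def1 installs.

```python
"""Constructed example for the blackhole + more-specific-route pattern.

Nothing here modifies routes or firewall rules; it builds the commands and
checks the route selection logic offline. tun0, the test addresses and the
192.168.0.0/16 split are assumptions, not taken from the question.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    target: str  # "blackhole" or the egress interface name


def split_in_half(net: str) -> list:
    """The two more-specific halves of a prefix (a /16 gives two /17s).

    Generalises the /17 trick from the answer: for 0.0.0.0/0 it yields
    0.0.0.0/1 and 128.0.0.0/1, which is what OpenVPN's def1 option adds.
    """
    return list(ipaddress.ip_network(net).subnets(prefixlen_diff=1))


def build_table(covering: str, vpn_dev: str, vpn_up: bool) -> list:
    """Routing table as it looks with the VPN up or down.

    The covering prefix is always blackholed; the vpn-up hook adds the two
    halves via the tunnel device and the vpn-down hook removes them again.
    """
    table = [Route(ipaddress.ip_network(covering), "blackhole")]
    if vpn_up:
        table += [Route(half, vpn_dev) for half in split_in_half(covering)]
    return table


def lookup(table: list, dst: str):
    """Longest-prefix match, the same selection rule the kernel applies."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def route_commands(covering: str, vpn_dev: str) -> dict:
    """iproute2 commands for the fixed blackhole and the VPN up/down hooks."""
    halves = [str(h) for h in split_in_half(covering)]
    return {
        "fixed": [f"ip route add blackhole {covering}"],
        "vpn_up": [f"ip route add {h} dev {vpn_dev}" for h in halves],
        "vpn_down": [f"ip route del {h} dev {vpn_dev}" for h in halves],
    }


def iptables_rule(covering: str, inet_dev: str) -> str:
    """Michael's corrected rule: -o (egress), and no -p so UDP/ICMP are caught too."""
    return f"iptables -A OUTPUT -o {inet_dev} -d {covering} -j REJECT"


if __name__ == "__main__":
    for state in (True, False):
        table = build_table("192.168.0.0/16", "tun0", vpn_up=state)
        hit = lookup(table, "192.168.200.5")
        print(f"vpn_up={state}: 192.168.200.5 -> {hit.prefix} via {hit.target}")
    for phase, cmds in route_commands("192.168.0.0/16", "tun0").items():
        print(phase, *cmds, sep="\n  ")
    print(iptables_rule("192.168.0.0/16", "eth0"))
```

On a real box, confirm the selection with `ip route get 192.168.200.5` before and after the tunnel comes up: it should report the tun0 route while the VPN is up and `RTNETLINK answers: Invalid argument` (the blackhole) once the /17s are withdrawn. The iptables rule is belt-and-braces on top of that, and `iptables -C OUTPUT -o eth0 -d 192.168.0.0/16 -j REJECT` checks it is actually present.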