I came across the following example of how to use iptables to block internet access when the VPN connection is terminated abruptly:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d a.b.c.d -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects
I have installed iptables-persistent and would like to know how to use the above to work with iptables.
Any help would be much appreciated.
P.S.: I do not have much IT knowledge and even less of Ubuntu. Could someone explain to me how one obtains the value 192.168.0.0/16?
This is called CIDR notation, see: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
The 192.168.0.0/16 means all addresses from 192.168.0.0 to 192.168.255.255, which is all of the addresses in the private network IP range. If you put 192.168.0.0/24, it is only 192.168.0.0 to 192.168.0.255.
The number after the / corresponds to the number of fixed bits in the address, where there are 8 bits per number (2^8=256), or octet, so 32 bits per address. The rest of the 32 bits correspond to the number of bits that are part of the range.
In the case of 192.168.0.0/24, the 24 means that the first 24 bits of this address are fixed. This corresponds to the first three octets (8 bits each), or 192.168.0. And 32-24=8, so only the last octet is part of the range. This gives 8 bits of range, or 0-255.

In the original question, 192.168.0.0/16, the 16 means that the first 16 bits of the address are fixed, or 192.168 (2 octets, 8 bits each, 8+8=16). And 32-16=16 bits, so the last two octets are the range. This gives 16 bits of range, which is two octets (8 bits each) of 0-255.
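The fixed-bits arithmetic from the answer, carried out in code as an added example (this is not part of the original question or answer). It works out which addresses a prefix such as 192.168.0.0/16 or /24 covers, builds the netmask from the prefix length, and tests whether a given address falls inside the block, which is the same comparison an iptables -s or -d match with a CIDR argument performs. The block also goes slightly beyond the answer's two cases: it handles any prefix length and masks off host bits if the address written before the slash is not the network address. The results are cross-checked against Python's standard ipaddress module; the sample addresses at the bottom are constructed for illustration.

```python
# Added example (not from the original question or answer): compute what a CIDR
# prefix covers using the "fixed bits" explanation, and cross-check with ipaddress.
import ipaddress


def ip_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer (8 bits per octet)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_range(cidr: str) -> dict:
    """Describe a CIDR block: network, netmask, first/last address and size.

    The number after the slash is how many high bits are fixed; the remaining
    32 - prefix bits vary, so the block holds 2 ** (32 - prefix) addresses.
    """
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    # Netmask: 'prefix' one-bits at the top, zeros below (e.g. /16 -> 255.255.0.0)
    mask = (((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF
    first = ip_to_int(addr) & mask            # host bits cleared -> network address
    last = first | (~mask & 0xFFFFFFFF)       # host bits all ones -> last address
    return {
        "network": int_to_ip(first),
        "netmask": int_to_ip(mask),
        "first": int_to_ip(first),
        "last": int_to_ip(last),
        "fixed_bits": prefix,
        "range_bits": 32 - prefix,
        "addresses": 1 << (32 - prefix),
    }


def in_block(ip: str, cidr: str) -> bool:
    """True if ip lies in cidr: its fixed bits equal the block's fixed bits.

    This is the test an iptables -s/-d match with a CIDR argument performs.
    """
    r = cidr_range(cidr)
    return (ip_to_int(ip) & ip_to_int(r["netmask"])) == ip_to_int(r["network"])


if __name__ == "__main__":
    for block in ("192.168.0.0/24", "192.168.0.0/16"):
        r = cidr_range(block)
        # Cross-check the hand-rolled arithmetic against the standard library
        net = ipaddress.ip_network(block, strict=False)
        assert str(net.network_address) == r["first"]
        assert str(net.broadcast_address) == r["last"]
        assert net.num_addresses == r["addresses"]
        print(f"{block}: {r['fixed_bits']} fixed bits, {r['range_bits']} range bits, "
              f"{r['addresses']} addresses {r['first']} - {r['last']}, mask {r['netmask']}")
    # Constructed sample addresses: which ones the question's LAN rules would match
    for ip in ("192.168.1.20", "192.168.200.7", "10.0.0.5"):
        print(f"{ip} in 192.168.0.0/16: {in_block(ip, '192.168.0.0/16')}")
```

Running the block prints that /24 gives 256 addresses (192.168.0.0 to 192.168.0.255) and /16 gives 65536 (192.168.0.0 to 192.168.255.255), matching the answer, and shows that 10.0.0.5 would not be matched by the question's 192.168.0.0/16 rules even though it is also a private address.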