Here's how I thought this could work:

  1. vpn connection goes down
  2. NetworkManager then runs through dispatcher scripts on a connection change, sees the vpn-down action.
  3. script sees the vpn-down action and sets iptables to block all traffic
  4. I select vpn connection using NetworkManager applet
  5. NetworkManager runs through dispatcher scripts on a connection change, sees the pre-up action.
  6. script sees the pre-up action and sets iptables to allow traffic again
  7. now that iptables is restored to allow traffic, vpn connection is established.

But things break down at step 5. Instead of running the script that is in the /etc/NetworkManager/dispatcher.d/pre-up.d directory, NetworkManager just turns and turns until I get a Network Connection Failed notification (since the iptables rules are changed to block everything at step 3; see below for the specific rules). Indeed, it doesn't appear as if the script in pre-up.d is even being run (I have it logging the arguments it receives to a file in /tmp, but nothing gets logged).

So my questions are, why does iptables block the dispatcher scripts from running at all (or in other words why won't NetworkManager run these scripts when iptables is set to block everything except lo), and how could I configure iptables to block all traffic but also allow the NetworkManager enough leeway to run the pre-up dispatcher scripts (such that on trying to reconnect to the vpn, the dispatcher can restore the permissive iptables rules)?

(note: The script in step 3 sets iptables to:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

)

edit: here's all the script in pre-up.d does. It is stripped down because I was trying to see if it was even being run (it's not). All I wanted it to do was spit out the arguments it got to a log, but I'm getting nothing when iptables is restrictive:

#!/usr/bin/env python3
import sys
import logging
from time import gmtime, strftime

# Append every invocation to a local file so it can be checked afterwards
logging.basicConfig(filename='/tmp/10test.log', filemode='a', level=logging.DEBUG)
logger = logging.getLogger(__name__)

# NetworkManager passes <interface> <action> to every dispatcher script
iface = sys.argv[1]
action = sys.argv[2]
now = strftime('%Y-%m-%d %H:%M:%S', gmtime())
logging.info(f'time is {now}')
logging.info(f'interface is {iface}')
logging.info(f'action is {action}')

edit2: Here is the script that does execute successfully in step #3. Note that both scripts have the same permissions:

#!/usr/bin/env python3
import sys
import subprocess
import logging
import os

logging.basicConfig(filename='/tmp/pypia.log', filemode='a', level=logging.DEBUG)
logger = logging.getLogger(__name__)

# Directory where the pre-lockdown iptables ruleset is backed up
config_dir = '/etc/pypia'
if not os.path.isdir(config_dir):
    logging.debug('making pypia config directory in /etc')
    os.mkdir(config_dir)

action = sys.argv[2]
logging.debug(f'action is {action}')

# The kill switch is only armed while this status file exists and says 'active'
if not os.path.isfile('/tmp/pia_ks_status.conf'):
    logging.info('kill switch status file not found. exiting.')
    sys.exit(0)

with open('/tmp/pia_ks_status.conf', 'r') as f:
    logging.debug('loading kill switch status file from /tmp')
    status = f.readline().strip()
    logging.info(f'status is {status}')

if (status == 'active') and (action == 'vpn-down'):
    # Save the current ruleset so it can be restored later, then lock down
    logging.debug('writing iptables backup file...')
    with open(os.path.join(config_dir, 'iptables.bak'), 'w') as f:
        subprocess.call(['iptables-save'], stdout=f)
    logging.debug('using nmcli to shut off all connected devices...')
    subprocess.call(['iptables', '-A', 'INPUT', '-i', 'lo', '-j', 'ACCEPT'])
    subprocess.call(['iptables', '-A', 'OUTPUT', '-o', 'lo', '-j', 'ACCEPT'])
    subprocess.call(['iptables', '-P', 'INPUT', 'DROP'])
    subprocess.call(['iptables', '-P', 'OUTPUT', 'DROP'])
    subprocess.call(['iptables', '-P', 'FORWARD', 'DROP'])
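As an added example (not the poster's code, and not an answer to why the pre-up script is skipped), here is one dispatcher script that covers both halves of the kill-switch procedure in steps 1 to 7: on vpn-down it saves the current ruleset and applies the lock-down rules quoted above, and on pre-up or vpn-up it restores the saved ruleset with iptables-restore. The decision logic is kept in a pure function, plan(), so it can be checked without touching iptables. The install path /etc/NetworkManager/dispatcher.d/10-killswitch, the log path /tmp/killswitch.log and the vpn-up handling are assumptions; the status file and backup paths are the ones used in the question.

```python
#!/usr/bin/env python3
"""Added example: a single NetworkManager dispatcher script for a VPN kill switch.

Assumed (not from the question): installed as
/etc/NetworkManager/dispatcher.d/10-killswitch, and also handling 'vpn-up'.
NetworkManager calls it as: <script> <interface> <action>.
"""
import logging
import subprocess
import sys
import os

STATUS_FILE = '/tmp/pia_ks_status.conf'       # from the question
BACKUP_FILE = '/etc/pypia/iptables.bak'       # from the question
LOG_FILE = '/tmp/killswitch.log'              # assumed

# Lock-down rules exactly as given in the question: loopback only, drop the rest.
LOCKDOWN_RULES = [
    ['iptables', '-A', 'INPUT', '-i', 'lo', '-j', 'ACCEPT'],
    ['iptables', '-A', 'OUTPUT', '-o', 'lo', '-j', 'ACCEPT'],
    ['iptables', '-P', 'INPUT', 'DROP'],
    ['iptables', '-P', 'OUTPUT', 'DROP'],
    ['iptables', '-P', 'FORWARD', 'DROP'],
]


def read_status(text):
    """Return the first non-empty line of the status file, stripped ('active' or not)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            return line
    return ''


def plan(action, status, backup_exists):
    """Decide what to run for a dispatcher action.

    Returns a list of (argv, redirect, path) tuples, where redirect is None,
    'stdout' (write command output to path) or 'stdin' (feed path to command).

      vpn-down, status active         -> iptables-save to backup, then lock down
      pre-up / vpn-up, status active  -> iptables-restore from backup, if present
      anything else                   -> nothing
    """
    if status != 'active':
        return []
    if action == 'vpn-down':
        return [(['iptables-save'], 'stdout', BACKUP_FILE)] + \
               [(argv, None, None) for argv in LOCKDOWN_RULES]
    if action in ('pre-up', 'vpn-up') and backup_exists:
        # Restoring the whole saved ruleset also puts the chain policies back,
        # which deleting the two loopback rules alone would not do.
        return [(['iptables-restore'], 'stdin', BACKUP_FILE)]
    return []


def run(commands):
    """Execute the planned commands in order; returns the list of exit codes."""
    codes = []
    for argv, redirect, path in commands:
        if redirect == 'stdout':
            with open(path, 'w') as fh:
                codes.append(subprocess.call(argv, stdout=fh))
        elif redirect == 'stdin':
            with open(path, 'r') as fh:
                codes.append(subprocess.call(argv, stdin=fh))
        else:
            codes.append(subprocess.call(argv))
        logging.info('%s -> exit %d', ' '.join(argv), codes[-1])
    return codes


if __name__ == '__main__':
    logging.basicConfig(filename=LOG_FILE, filemode='a', level=logging.DEBUG)
    iface, action = sys.argv[1], sys.argv[2]
    logging.info('interface=%s action=%s', iface, action)
    status = ''
    if os.path.isfile(STATUS_FILE):
        with open(STATUS_FILE) as fh:
            status = read_status(fh.read())
    run(plan(action, status, os.path.isfile(BACKUP_FILE)))
```

Two design points worth noting: the script logs every invocation before deciding anything, so the log file shows whether NetworkManager called it at all regardless of what iptables allows; and restoring with iptables-restore from the backup taken at lock-down time brings back the full pre-lockdown ruleset, policies included, instead of leaving the DROP policies in place. Scripts for the pre-up action are only dispatched from the pre-up.d directory, and NetworkManager waits for them to finish before it reports the connection as up.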