LEAKBLOCK HOWTO (Android and Ubuntu)

Desu to the Strike · Post by **Desu to the Strike** » Fri Jul 18, 2014 2:05 pm

!	Message from: DesuStrike
	I hereby invite the community helpers and staff to keep these reference charts and howtos up2date together with me. Yet I ask for respecting two things: 1. Don't change the overall layout and/or style of my lists/posts 2. Don't change/remove my personal choice of words like "United States of NSA" or "Mother Russia" Thanks and keep on being the most awesome people on the internets!

last updated: 28 December 2014

[ANDROID]

1. Get AFWALL+ from F-Droid or (if you must...) Play-Store.

2. In AFWALL+ set things up like this

3. In AFWALL+ settings set things like that:

4. ENABLE the Firewall!

5. In Arne Schwabes openVPN for Android go to settings tab and activate PERSISTANT TUN

6. DONE: You have the best possible leakblock on Android. It's not perfect but pretty solid and should keep you safe for 99,9% of the time.

7. Also read those posts:
-> viewtopic.php?p=9376#p9376
-> viewtopic.php?p=9416#p9416
-> The second guest post here: viewtopic.php?f=32&t=6245

[UBUNTU]

1. Create a text file named "iptables-vpn" in your home directory and paste this stuff: READ THE INFO IN THE DNS SECTION!

Code: Select all

####removes all entries so we get a clean list

iptables -F
ip6tables -F


####by default all connections are blocked

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP


####only the tunnel adapter is allowed

iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT


####local network stuff

#localhost and dnsmasq for ubuntu
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

iptables -A INPUT -s 127.0.1.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT

#Router
## Add your routers IP if need to access it.
##iptables -A INPUT -s x.x.x.x -j ACCEPT
##iptables -A OUTPUT -d x.x.x.x -j ACCEPT

#other stuff
## basically add everything else on your local network you want to access to or get accessed from.
##iptables -A INPUT -s x.x.x.x -j ACCEPT
##iptables -A OUTPUT -d x.x.x.x -j ACCEPT

####DNS
## As long as we are connecting directly via IPs we don't need to whitelist those.
## There is an ongoing controvery about this procedure among the CryptoStorm community.
## If you are among those using hostnames you MUST uncomment the following lines.
##
##iptables -A INPUT -s 198.100.146.51 -j ACCEPT
##iptables -A OUTPUT -d 198.100.146.51 -j ACCEPT
##
##iptables -A INPUT -s 91.191.136.152 -j ACCEPT
##iptables -A OUTPUT -d 91.191.136.152 -j ACCEPT
##
##iptables -A INPUT -s 213.73.91.35 -j ACCEPT
##iptables -A OUTPUT -d 213.73.91.35 -j ACCEPT

####VPN exit nodes

#Germany - Cantus
iptables -A INPUT -s 46.165.222.248 -j ACCEPT
iptables -A OUTPUT -d 46.165.222.248 -j ACCEPT

#Canada - Maple
iptables -A INPUT -s 198.27.89.56 -j ACCEPT
iptables -A OUTPUT -d 198.27.89.56 -j ACCEPT

#Iceland - Fenrir
iptables -A INPUT -s 79.134.235.133 -j ACCEPT
iptables -A OUTPUT -d 79.134.235.133 -j ACCEPT

#United States of NSA - NSA-Central
iptables -A INPUT -s 167.88.9.27 -j ACCEPT
iptables -A OUTPUT -d 167.88.9.27 -j ACCEPT

#United States of NSA - Emerald
iptables -A INPUT -s 23.19.35.14 -j ACCEPT
iptables -A OUTPUT -d 23.19.35.14 -j ACCEPT

#France - Onyx
iptables -A INPUT -s 212.83.167.81 -j ACCEPT
iptables -A OUTPUT -d 212.83.167.81 -j ACCEPT

#Portugal - Tagus/Lisbon
iptables -A INPUT -s 89.26.243.109 -j ACCEPT
iptables -A OUTPUT -d 89.26.243.109 -j ACCEPT

2. Put that file into your home folder, right-click on it and check "allow executing file as program"

3. In terminal run

Code: Select all

sudo ./iptables-vpn

4. Check if the rules were added with

Code: Select all

sudo iptables -S

5. Now run

Code: Select all

sudo apt-get install iptables-persistent

4. Agree to import your existing rules.

5. DONE!

6. Also read the second guest post here: viewtopic.php?f=32&t=6245

marzametal · Post by **marzametal** » Sat Jul 19, 2014 6:24 am

Wow, I will have to test this out... well part of it, the DNS Proxy is disabled in your screenshot!

vpnDarknet · Post by **vpnDarknet** » Sat Jul 19, 2014 6:58 am

Thanks for sharing this man

IP tables have always been a dark art to me, do I need to sacrifice a black cockrel at any point to ensure it works

vpnDarknet · Post by **vpnDarknet** » Sat Jul 19, 2014 3:59 pm

Desu, not sure if I'm following this correctly, but the file name leakblock-vpn is then referred to in your guide as iptables-vpn?

I'm running with leakblock-vpn set throughout, the tables are updated... but I can't seem to access the internet.

Only tested with Brunon though 46.165.222.248, which is included on the IP Table, and the DNS's I have set, that you provided earlier seem to be allowed too?

Any help appreciated

Post by **parityboy** » Sat Jul 19, 2014 4:25 pm

@vpnDarknet

Those iptables rules are pretty similar to what I'm running. Can you connect to the VPN at all? If so, can you run "route" in a terminal and post the output here?

Desu to the Strike · Post by **Desu to the Strike** » Sat Jul 19, 2014 10:34 pm

I indeed made two mistakes!

Could a moderator please edit my original post and correct it like this?

1. The file in the first step of Ubuntu guide has to be called "iptables-vpn"

2. in the iptables-vpn file you should add the following:

Code: Select all

####local network stuff
#localhost and dnsmasq for ubuntu
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

iptables -A INPUT -s 127.0.1.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT

#Router
iptables -A INPUT -s YOUR ROUTER IP -j ACCEPT
iptables -A OUTPUT -d YOUR ROUTER IP -j ACCEPT

#Printer and other stuff
iptables -A INPUT -s CUSTOM IP -j ACCEPT
iptables -A OUTPUT -d CUSTOM IP -j ACCEPT

vpnDarknet · Post by **vpnDarknet** » Sun Jul 20, 2014 2:44 am

Thanks for your help with this guys

IP Table running, vpn UP

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.33.0.1 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
10.33.0.0 * 255.255.0.0 U 0 0 0 tun0
128.0.0.0 10.33.0.1 128.0.0.0 UG 0 0 0 tun0
174.142.78.196 192.168.1.254 255.255.255.255 UGH 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 1 0 0 eth0

PING 174.142.78.196 (174.142.78.196) 56(84) bytes of data.
64 bytes from 174.142.78.196: icmp_seq=1 ttl=44 time=255 ms
64 bytes from 174.142.78.196: icmp_seq=2 ttl=44 time=259 ms
64 bytes from 174.142.78.196: icmp_seq=3 ttl=44 time=255 ms

ping: unknown host https://cryptostorm.ch/

No traffic through Firefox... is it related to DNS?
FF screen content:

Server not found

Firefox can't find the server at cryptostorm.ch.

Check the address for typing errors such as ww.example.com instead of www.example.com
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

vpnDarknet · Post by **vpnDarknet** » Mon Jul 21, 2014 1:48 pm

Desu, you're a star, thanks dude

All working like a charm!

b3lt3r5 · Post by **b3lt3r5** » Mon Jul 21, 2014 6:17 pm

Desu to the Strike wrote: The very first thing you do is putting on some Orchestral Dubstep because following this guide makes you fucking awesome and thus you need some epic background music to emphasize your newly achived awesomeness:

This part here is FUCKING quality bro!
Damn near pissed myself reading that.

Desu to the Strike · Post by **Desu to the Strike** » Mon Jul 21, 2014 6:49 pm

@vpnDarknet: Don't mention it! CryptoStorm is a collaborative project that greatly benefits from community input and other contributions. It's the time, energy and money the CS_team and the community together invest into it what makes it so great. You resell tokens. Others think of new CS-Projects, post news and provide support. I write guides. And the CS_team do their black magic voodoo arts. I feel pride in being part of this and all of you should as well!

@b3lt3r5:

(I actually wrote my guide while listening to this.

)

@marzametal: Nope, the DNS Proxy setting is exactly how it has to be in my picture. Otherwise you risk Android falling back to your ISP provided DNS-Servers and thus leaking.

@CS_Support: Please remember fixing my first post as described in my second one!

marzametal · Post by **marzametal** » Tue Jul 22, 2014 5:46 am

@Desu... can ya' make a HOW TO tutorial with a Hardstyle background? lmao... cheers for the info in relation to DNS Proxy, had no idea that fallback could occur if it is set to enabled auto.

DesuStrike · Post by **DesuStrike** » Sat Dec 06, 2014 6:11 am

I so gonna fix thix guide as soon as I got my mod powers back! It's only a hand full changes but I bet it frustrated many people who weren't able to run it because of them.

DesuStrike · Post by **DesuStrike** » Wed Dec 10, 2014 1:51 am

Updated as promised. Enjoy

marzametal · Post by **marzametal** » Sat May 02, 2015 3:55 pm

Any chance to get the Ubuntu IPTables section updated to reflect the new IPs and new exit nodes?
I am willing to try it on my VM, but I ain't a ubernix person... lol

If using Linux via VM, how would the rules be modified?

cryptostorm's community forum

LEAKBLOCK HOWTO (Android and Ubuntu)

LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)

Re: LEAKBLOCK HOWTO (Android and Ubuntu)