
Static routes when using iptables killswitch

Discussion in 'Routers' started by Hardrock, Nov 13, 2019.

Hardrock (New Around Here; joined Nov 13, 2019; 1 message)
    Hi all, hope everyone is doing fine today.

    I have a little issue with my iptables, which has been set up as a killswitch in the event my VPN fails. The killswitch works absolutely fine on either my Linksys router or Debian build, BUT if I try and add a static route ('ip route') to bypass the VPN it simply doesn't work. Would anyone with some knowledge of iptables steer me in the right direction? Ruleset below:

    #!/bin/sh

    # Start from empty chains in every table.
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    # Default policies: nothing reaches the router or is forwarded through it
    # unless a rule below allows it; traffic originating on the router itself is unrestricted.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # Enable routing.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Allow all inputs to firewall from the internal network and local interfaces
    iptables -A INPUT -i br0 -s 0/0 -d 0/0 -j ACCEPT
    iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

    # Replies to connections the router itself opened.
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state RELATED -j ACCEPT

    # Allow postrouting to tun0.
    # NAT is applied only to packets leaving via tun0; packets leaving via any
    # other interface (e.g. the WAN) are not masqueraded.
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

    # Enable forwarding from the LAN to the VPN (and back via related and established connections).
    # Only br0 -> tun0 is accepted; forwarded packets routed out of any other
    # interface fall through to the FORWARD DROP policy, which is the killswitch.
    iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
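An added example, not part of Hardrock's post: with a FORWARD policy of DROP and MASQUERADE only on tun0, a static route alone cannot send one host around the VPN, because the forwarded packets are dropped and would not be NATed. The script below shows the three pieces that are needed together (a per-host policy route, a host-scoped FORWARD accept, and NAT on the WAN) plus a check that the killswitch still holds for every other LAN host. Interface names, the bypass host and the ISP gateway are placeholders I chose for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and addresses are
# placeholders: WAN eth0, LAN br0, bypass host 192.168.1.50, ISP gateway 203.0.113.1.
# With the ruleset above a bare 'ip route' cannot bypass tun0 because
#  1. FORWARD policy is DROP and only br0 -> tun0 is accepted, so packets the
#     kernel routes out of the WAN interface are dropped;
#  2. MASQUERADE is applied only on tun0, so WAN-bound packets would keep a
#     private source address even if they were forwarded.
# DRY_RUN=1 prints the commands instead of running them (needs no root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_bypass_rules WAN LAN HOST GATEWAY: let HOST alone reach the WAN directly.
add_bypass_rules() {
    wan=$1; lan=$2; host=$3; gw=$4; table=100
    # Policy routing: only traffic from HOST consults table 100, whose default
    # route goes via the ISP gateway on the WAN, not via tun0.
    run ip rule add from "$host" lookup "$table" priority 1000
    run ip route replace default via "$gw" dev "$wan" table "$table"
    run ip route flush cache
    # Open FORWARD for this host only, towards the WAN only; placed first so it
    # is evaluated before the existing tun0 rules.
    run iptables -I FORWARD 1 -i "$lan" -o "$wan" -s "$host" -j ACCEPT
    # NAT on the WAN for this host (the original rule masquerades only tun0).
    run iptables -t nat -A POSTROUTING -o "$wan" -s "$host" -j MASQUERADE
}

# killswitch_intact WAN LAN: reads 'iptables -S FORWARD' output on stdin and
# succeeds only if the policy is DROP and no LAN -> WAN ACCEPT lacks a -s
# restriction (such a rule would let every LAN host leak around the VPN).
killswitch_intact() {
    wan=$1; lan=$2
    awk -v wan="$wan" -v lan="$lan" '
        $1 == "-P" && $2 == "FORWARD" && $3 == "DROP" { policy_drop = 1 }
        $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
            in_lan = 0; out_wan = 0; has_src = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-i" && $(i + 1) == lan) in_lan = 1
                if ($i == "-o" && $(i + 1) == wan) out_wan = 1
                if ($i == "-s") has_src = 1
            }
            if (in_lan && out_wan && !has_src) leak = 1
        }
        END { exit (policy_drop && !leak) ? 0 : 1 }'
}

# Typical use (as root): add_bypass_rules eth0 br0 192.168.1.50 203.0.113.1
# Then verify: iptables -S FORWARD | killswitch_intact eth0 br0 && echo "killswitch OK"
```

Run it with DRY_RUN=1 first to review the exact commands before applying them on the router.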