
I edited iptables so that when the VPN service is disconnected, no program will access the internet.

Well, I did an experiment. I disconnected the VPN service manually and immediately did a ping by issuing the following command:

sudo ping www.yahoo.com

Below are the results:

PING ds-any-fp3-real.wa1.b.yahoo.com (206.190.36.45) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- ds-any-fp3-real.wa1.b.yahoo.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7056ms

Was any data including geolocation information sent out from my computer and received by the destination party during the ping session?

Seth
n00b
  • Try to ping your gateway, let us know the results please. – RGS Jun 02 '13 at 15:07
  • What makes you think data is being sent? – Eric Carvalho Jun 02 '13 at 15:19
  • www.yahoo.com was resolved to an IP, so unless your DNS server is local, information has been sent out. – Alaa Ali Jun 02 '13 at 15:23
  • @Alaa Maybe it's in the DNS cache. n00b, can you post the iptables rules? – Eric Carvalho Jun 02 '13 at 15:26
  • Ubuntu does not cache DNS records by default, as per this answer. – Alaa Ali Jun 02 '13 at 15:49
  • @Alaa: What do you mean by "unless your DNS server is local"? My LAN cable connects to a centralized router which then connects to the internet. – n00b Jun 02 '13 at 21:48
  • @Eric: You wrote "What makes you think data is being sent?" Well, the line says "8 packets transmitted, 0 received, 100% packet loss, time 7056ms". But I don't have much knowledge of network security; that is why I posted a question on this forum. – n00b Jun 02 '13 at 22:01
  • @RGS: Here is the relevant extract of the results after I pinged my gateway. The IP address has been changed for security reasons: PING 123.456.789.0 (123.456.789.0) 56(84) bytes of data. --- 123.456.789.0 ping statistics --- 6 packets transmitted, 0 received, 100% packet loss, time 5038ms – n00b Jun 03 '13 at 00:28
  • @RGS: Based on the results of the ping, did my OS leak data packets? – n00b Jun 03 '13 at 00:28
  • When you type a website's name, your computer goes to its configured DNS to get the IP of that website. So if your computer's configured DNS is 4.2.2.2 for example, it'll definitely go out on the internet to get the IP of yahoo, but if your configured DNS is your router (which is local, and most likely the case), then your computer went to the router and asked for the IP of yahoo. To find out what your configured DNS is, do `cat /etc/resolv.conf`. If it reads `nameserver 127.x.x.x`, then do `nmcli dev list iface eth0 | grep DNS`; that's your configured DNS server(s). – Alaa Ali Jun 03 '13 at 05:21
  • Come to think of it though, what is your aim? Is it to block internet access, or to block network access (including LAN)? Because you couldn't ping your gateway either, so the ping program altogether is denied everything. And since your computer did find the IP of yahoo, it means that you didn't block DNS. Which brings us to Eric's answer. – Alaa Ali Jun 03 '13 at 05:26
  • @Alaa: My aim is to block internet access of ALL programs/applications/software when the VPN is disconnected. Even ping is not possible when the VPN is down. – n00b Jun 09 '13 at 10:36
  • @n00b, read my comment on Eric's answer below, and go to the chat I mentioned for more information. Also, we should continue any further discussion in that chat room to not clutter the comments section here. – Alaa Ali Jun 09 '13 at 11:52

1 Answer

I think you're worried about the 8 packets transmitted message.

The ping application generates packets and submits them to the kernel for processing. Those are the "transmitted" packets reported in ping statistics. When packets enter the iptables chains they can be accepted, dropped or rejected.

Ping says sendmsg: Operation not permitted because packets sent by the application were not accepted. So the answer is no, packets sent by ping didn't leave your computer.

But, as said by Alaa, you pinged www.yahoo.com and the name was successfully resolved to an address (206.190.36.45). This only happens if your computer sends a DNS query and receives a reply or if the name is in the DNS cache, which shouldn't happen by default (thanks @Alaa).

Are you sure all the traffic is blocked if the VPN is disconnected? Maybe you didn't block DNS. You should only accept output traffic destined to your VPN gateway.

Eric Carvalho
  • Yes, @n00b, it seems that you haven't blocked DNS. If you want to test this, do nslookup website.com, where website.com is a website you've never visited before; you can use abcdef.com. If it returns results, then you haven't blocked DNS. But then again, in my comments on your question, what is your aim? Block internet access, but not local network access? Because your computer might've gone to the router for the DNS query. I'll continue in the chat. – Alaa Ali Jun 03 '13 at 05:34
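The answer's advice (only accept output traffic destined to the VPN gateway) and the DNS-leak test from the comments, written out as an added example; this is not code from the question, the answer or the commenters. It is an IPv4 iptables OUTPUT chain that fails closed: packets may leave only on loopback, to the VPN gateway's port on the physical interface, or through the tunnel interface. A plain DNS query to the LAN router over eth0 therefore gets rejected as well, which closes the gap that let www.yahoo.com resolve while ping was blocked. The gateway address (a constructed TEST-NET-3 placeholder), port, protocol and the interface names tun0/eth0 are assumptions; set the environment variables to match your own VPN.

```shell
#!/bin/sh
# Added example, not from the original page: iptables OUTPUT "kill switch"
# that only lets traffic out via the VPN tunnel or to the VPN gateway hop.
# All five values below are assumptions; 203.0.113.10 is a constructed
# placeholder address, not a real gateway.
VPN_GW="${VPN_GW:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the rule set as iptables commands. The policy is set to DROP before
# the chain is flushed so there is no window in which everything is open;
# then loopback, the gateway hop and the tunnel are accepted, and the final
# REJECT gives local programs an immediate error (as ping showed above)
# instead of a silent timeout. Pipe the output to "sudo sh" to apply it.
killswitch_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $VPN_GW -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Sanity check on the generated rules: how many ACCEPT rules let packets out
# through a given interface? Only lo, the tunnel and the gateway hop on the
# physical interface should have one; anything else should report 0.
accept_rules_for_iface() {
    killswitch_rules | grep -c -- "-o $1 .*-j ACCEPT" || true
}

# The leak test from the comments: with the VPN down, look up a name you have
# never visited. If the resolver is the LAN router (or any server reached
# over the physical interface), the rules above make the lookup fail; an
# answer means DNS is still leaving the machine outside the tunnel.
dns_leak_check() {
    if nslookup "${1:-abcdef.com}" >/dev/null 2>&1; then
        echo "LEAK: DNS query was answered while the VPN is down"
    else
        echo "ok: DNS query was blocked"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    killswitch_rules | sh
else
    killswitch_rules
fi
```

Run without arguments to review the rules; run as root with `--apply` to install them, then repeat the ping from the question and `dns_leak_check` with the VPN disconnected. Once the VPN is up, name resolution only works if `/etc/resolv.conf` points at a resolver reachable through the tunnel (typically the one the VPN pushes), because a resolver on the LAN is now unreachable by design. The same treatment is needed in `ip6tables` on a dual-stack host, otherwise IPv6 traffic bypasses the switch entirely.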