The native NordVPN app creates additional rules in the iptables firewall when connected or set to KillSwitch mode. These rules make a mess of my own firewall configuration, and I couldn't find a way either to disable or to adjust them.
When connected or set to KillSwitch mode, the NordVPN app creates 3 additional rules in each section and puts them on top of my rules:
Input:
-P INPUT DROP
-A INPUT -s 104.140.53.106/32 -i eth0 -j ACCEPT
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
Output:
-P OUTPUT ACCEPT
-A OUTPUT -d 104.140.53.106/32 -o eth0 -j ACCEPT
-A OUTPUT -d 10.10.10.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
I do not want all packets from 104.140.53.106/32 (which is a VPN network) to be accepted; I want them to be accepted only in two cases: the packet belongs to a RELATED,ESTABLISHED connection, or the packet is going to an open port (for now I have none). All other options are unsafe.
Then, the second rule just duplicates the fourth one because of the whitelisted network in the NordVPN app.
The third rule is redundant, since the default action is set to DROP. This rule will prevent the other rules from being applied.
Another problem is that when the server or the NordVPN app is unexpectedly shut down, all the created rules stay in iptables, which creates a mess.
I haven't yet found a way to fix this. I will be grateful for any suggestions.
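As an added example (my own code, not part of the question above and not NordVPN's software), the following script audits an iptables-save style listing offline and reports exactly the three problems the question describes: the exact duplicate, the blanket `-i eth0 -j DROP` that shadows every later rule for that interface (including the RELATED,ESTABLISHED rule) while the chain policy is already DROP, and the ACCEPT rules keyed on a source or destination address alone with no conntrack state match. The listing embedded below is copied from the question; the function name `audit_rules` and the finding labels are my own. It only reads text and never modifies the firewall.

```shell
#!/bin/sh
# Added example: offline audit of an iptables-save listing. Reads rules on
# stdin and prints one finding per line. It never calls iptables itself.

# Constructed input: the INPUT/OUTPUT listing copied from the question.
RULES='-P INPUT DROP
-A INPUT -s 104.140.53.106/32 -i eth0 -j ACCEPT
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -d 104.140.53.106/32 -o eth0 -j ACCEPT
-A OUTPUT -d 10.10.10.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j DROP'

# audit_rules: iptables-save lines on stdin -> findings on stdout.
audit_rules() {
    awk '
    /^-P / { policy[$2] = $3; next }
    /^-A / {
        chain = $2; rule = $0; num = ++count[chain]
        # Interface the rule is bound to ("" means it matches every interface).
        iface = ""
        for (i = 3; i < NF; i++) { if ($i == "-i" || $i == "-o") iface = $(i + 1) }

        # 1. Exact repeat of an earlier rule in the same chain.
        if (rule in seen) {
            printf "DUPLICATE  %s rule %d repeats rule %d: %s\n",
                chain, num, seen[rule], rule
        } else {
            seen[rule] = num
        }

        # 2. An earlier blanket DROP on this interface already ate the packet,
        #    so this rule can never match traffic from that interface.
        if ((chain in block) && (iface == "" || iface == blockif[chain])) {
            printf "SHADOWED   %s rule %d never sees %s traffic, rule %d drops it first: %s\n",
                chain, num, blockif[chain], block[chain], rule
        }

        # 3. Blanket per-interface DROP: remember it, and flag it when the
        #    chain policy is DROP anyway (it then only hides the rules below it).
        if (NF == 6 && ($3 == "-i" || $3 == "-o") && $5 == "-j" && $6 == "DROP") {
            block[chain] = num; blockif[chain] = $4
            if (policy[chain] == "DROP") {
                printf "REDUNDANT  %s rule %d drops all %s traffic although the chain policy is already DROP: %s\n",
                    chain, num, $4, rule
            }
        }

        # 4. ACCEPT keyed on -s/-d alone with no --ctstate: admits brand-new
        #    connections from/to that address, not just replies to our own.
        if ($NF == "ACCEPT" && rule ~ /(^| )-[sd] / && rule !~ /--ctstate/) {
            printf "STATELESS  %s rule %d accepts by address alone, no conntrack state match: %s\n",
                chain, num, rule
        }
    }'
}

printf '%s\n' "$RULES" | audit_rules
```

On a live machine the same function can be fed the real tables with `sudo iptables-save | audit_rules`; because the NordVPN rules are inserted at the top, the SHADOWED findings show which of your own rules stopped mattering the moment the app connected.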