Hi. After a very hard search online I discovered how we can do an Internet Kill Switch for VPN. Please see this link, starting from my reply (comment 31) onward:
http://www.forums.fedoraforum.org/showthread.php?t=311476&page=3
As you can see, it is working 1000000%, but we have a couple of annoying points:
1) we have to enter 10 (or 11) commands every time we want to enable these Kill Switch rules
2) we need to reboot the PC to disable the Kill Switch rules, or else remove all these 10 (11) rules one by one.
3) these rules do not work on a user-created zone. If you try to create a zone and apply these rules to that zone, you will not be able to connect to the internet, whether you use this user-created zone or any of Firewalld's default zones like public. You will never be able to restore the ability to connect to the internet except by removing these rules from the user-created zone you added them to!! Why??!!!
So, we need to convert them to scripts. Unfortunately I'm not a programmer, and it is very difficult for me to learn this, because where I live there is no one who can teach me, and trying to learn programming by searching the internet is very difficult.
So, can anyone help us convert these rules to scripts?
We need to convert 4 groups of rules, as follows:
A) To build a Kill Switch which allows only outbound traffic through the VPN (maximum security: does not allow torrent):
A-1) To enable such a Kill Switch, the following rules are needed in a separate script:
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
A-2) To disable such a Kill Switch without rebooting the PC, we need the following rules in a separate script:
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
--------------------------------------
B) To build a Kill Switch which allows both inbound and outbound traffic through the VPN (allows torrent):
B-1) To enable such a Kill Switch, the following rules are needed in a separate script:
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 999 -j DROP
B-2) To disable such a Kill Switch without rebooting the PC, we need the following rules in a separate script:
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv6 filter INPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter INPUT 999 -j DROP
sudo firewall-cmd --direct --remove-rule ipv6 filter OUTPUT 0 -j DROP
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -j ACCEPT
sudo firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 999 -j DROP
--------------------------------
Anyone who can convert these 4 sets of rules into 4 corresponding scripts will be a great help to many Firewalld users, by making VPN usage with it reliable. A VPN without a Kill Switch is useless.
firewalld-users@lists.fedorahosted.org
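Added example (the page editor's, not the poster's or firewalld's code): the four command lists above folded into one POSIX shell script, so that "enable out" / "disable out" reproduce A-1 / A-2 and "enable inout" / "disable inout" reproduce B-1 / B-2, with the same priorities and the same 10 or 11 rules. It assumes, as the posted rules hard-code, that the VPN server is reached over UDP/443 and that the tunnel interface matches tun+; the VPN_PROTO, VPN_PORT and FIREWALL_CMD variables are additions for parameterization (FIREWALL_CMD=echo dry-runs the commands without touching the firewall).

```sh
#!/bin/sh
# vpn-killswitch.sh: one script for all four rule lists in the post.
#   enable  out    -> A-1 (egress through the tunnel only)
#   disable out    -> A-2
#   enable  inout  -> B-1 (also accept inbound on tun+, for torrents)
#   disable inout  -> B-2
#   status         -> print the direct rules currently loaded
# Added example by the page editor, not code from the post or from firewalld.
# Assumptions (not stated in the post): the VPN is reached over UDP/443 as the
# posted rules hard-code, the tunnel interface matches tun+, and FIREWALL_CMD
# may be pointed at "echo" to dry-run without touching the firewall.
set -u

: "${FIREWALL_CMD:=firewall-cmd}"
: "${VPN_PROTO:=udp}"   # protocol the VPN client uses to reach the server
: "${VPN_PORT:=443}"    # server port (also used by the post's inbound tun+ rule)

# Print the rule list for a mode (out|inout), one rule per line, in the form
#   <ipv> <table> <chain> <priority> <iptables args...>
# Ordering is by the priority column: 0 first, the 999 DROP rules last.
killswitch_rules() {
    mode=$1
    case "$mode" in out|inout) ;; *) echo "unknown mode: $mode" >&2; return 2 ;; esac
    # FORWARD: only traffic entering or leaving through the tunnel
    echo "ipv4 filter FORWARD 0 -o tun+ -j ACCEPT"
    echo "ipv4 filter FORWARD 0 -i tun+ -j ACCEPT"
    # INPUT: block all IPv6, allow loopback, optionally the tunnel, drop the rest
    echo "ipv6 filter INPUT 0 -j DROP"
    echo "ipv4 filter INPUT 0 -i lo -j ACCEPT"
    if [ "$mode" = inout ]; then
        echo "ipv4 filter INPUT 1 -i tun+ -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT"
    fi
    echo "ipv4 filter INPUT 999 -j DROP"
    # OUTPUT: block all IPv6, allow loopback, the tunnel and the VPN handshake
    # to the server; anything else (cleartext via the real NIC) is dropped
    echo "ipv6 filter OUTPUT 0 -j DROP"
    echo "ipv4 filter OUTPUT 0 -o lo -j ACCEPT"
    echo "ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT"
    echo "ipv4 filter OUTPUT 1 -p $VPN_PROTO -m $VPN_PROTO --dport $VPN_PORT -j ACCEPT"
    echo "ipv4 filter OUTPUT 999 -j DROP"
}

# Run "firewall-cmd --direct --<add|remove>-rule ..." for every rule of a mode.
# Keeps going after a failure so that a "remove" still cleans up as much as it
# can; returns 1 if any call failed, 2 on a bad action or mode.
killswitch_apply() {
    action=$1 mode=$2 rc=0
    case "$action" in add|remove) ;; *) echo "unknown action: $action" >&2; return 2 ;; esac
    rules=$(killswitch_rules "$mode") || return $?
    while read -r ipv table chain prio args; do
        # $args is intentionally unquoted: it is a list of iptables arguments
        $FIREWALL_CMD --direct "--${action}-rule" "$ipv" "$table" "$chain" "$prio" $args || rc=1
    done <<EOF
$rules
EOF
    return $rc
}

main() {
    case "${1:-}:${2:-}" in
        enable:out|enable:inout)   killswitch_apply add "$2" ;;
        disable:out|disable:inout) killswitch_apply remove "$2" ;;
        status:)                   $FIREWALL_CMD --direct --get-all-rules ;;
        *) echo "usage: $0 {enable|disable} {out|inout} | status" >&2; return 2 ;;
    esac
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root (or under sudo), e.g. `sudo sh vpn-killswitch.sh enable inout`, and check the result with `sudo sh vpn-killswitch.sh status`, which is just `firewall-cmd --direct --get-all-rules`. Two caveats the poster's observations point at: `--direct --add-rule` without `--permanent` is a runtime change, which is why a reboot (or `firewall-cmd --reload`) clears the rules; the "disable" path above is the explicit equivalent. And `ipv6 filter INPUT 0 -j DROP` has no interface match, so it also drops IPv6 loopback (::1) traffic, unlike the IPv4 chain which accepts `-i lo` first; programs that talk to themselves over ::1 will break while the switch is enabled.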