Ubuntu iptables Setup

vpn-killswitch-setup.sh

#!/usr/bin/env bash
set -euo pipefail

### CONFIG ###
PROTON_IF="tun0"
MULLVAD_IF="wg-mullvad"
WAN_IF="wlan0"
##############

echo "[*] Resetting iptables..."

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

echo "[*] Allow loopback..."
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "[*] Allow established/related..."
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

echo "[*] Allow VPN bootstrap (DNS + HTTPS)..."
iptables -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT

echo "[*] Allow VPN tunnel protocols..."
iptables -A OUTPUT -o "$WAN_IF" -p udp --dport 1194  -j ACCEPT
iptables -A OUTPUT -o "$WAN_IF" -p udp --dport 51820 -j ACCEPT

echo "[*] Allow traffic via VPN interfaces only..."
iptables -A OUTPUT -o "$PROTON_IF"  -j ACCEPT
iptables -A OUTPUT -o "$MULLVAD_IF" -j ACCEPT
iptables -A INPUT  -i "$PROTON_IF"  -j ACCEPT
iptables -A INPUT  -i "$MULLVAD_IF" -j ACCEPT

echo "[*] Firewall applied successfully."
iptables -L -v -n