Hardening my VPN Killswitch

I am currently creating a VPN Killswitch and so far it manages to keep traffic out; I just wanted to run it by others in order to catch something I missed. The killswitch uses source and destination ports, along with source and destination IPs, rather than the group IDs mentioned here, as I cannot get OpenVPN to run AFTER the script rather than before the script. I believe this has to do with OpenVPN assigning the GID after it establishes the connection.

My main questions, along with any other error or vulnerability one may find, are these:

  1. Upon execution of the script, it outputs the error: iptables: Too many links. I am assuming that has to do with the lines regarding NAT.
  2. I am also curious whether there is a better way to implement the DNS lines at the bottom, as I recall DNS uses TCP when the queries are too large for UDP packets. I am just wondering if there is a safe way of doing that rather than allowing all traffic over port 53, unless that isn't as bad an idea as I am thinking it is.

CODE:

#!/bin/bash
declare LAN_IP_WITH_CIDR
declare VPN_IP_ADDRESS
declare VPN_PORT
declare VPN_PROTOCOL
declare VIRTUAL_INTERFACE
declare LOOPBACK_INTERFACE
declare INTERFACE
declare -a DNS_IP_ADDRESS   # indexed array: DNS_IP_ADDRESS[0] is used in the DNS rules below

# Set the variables above before running. An unset variable would turn
# "-i $INTERFACE" into "-i" with no argument and the rule would not load,
# so abort early instead of loading a partial ruleset.
: "${LAN_IP_WITH_CIDR:?}" "${VPN_IP_ADDRESS:?}" "${VPN_PORT:?}" "${VPN_PROTOCOL:?}" \
  "${VIRTUAL_INTERFACE:?}" "${LOOPBACK_INTERFACE:?}" "${INTERFACE:?}" "${DNS_IP_ADDRESS[0]:?}"

# Flushes all previous policies
iptables -F
iptables --delete-chain

# Flushes all previous policies for NAT
# (the long option is --flush with two dashes; "-flush" is parsed as single-letter options and is rejected)
iptables -t nat --flush
iptables -t nat --delete-chain

# Sets default policy for incoming/outgoing data to drop
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Sets default IPv6 policy for incoming/outgoing data to drop
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

# Adds onto filter table: Input and Output through loopback is OK
iptables -A INPUT -j ACCEPT -i "${LOOPBACK_INTERFACE}"
iptables -A OUTPUT -j ACCEPT -o "${LOOPBACK_INTERFACE}"
ip6tables -A INPUT -j ACCEPT -i "${LOOPBACK_INTERFACE}"
ip6tables -A OUTPUT -j ACCEPT -o "${LOOPBACK_INTERFACE}"

# Adds onto filter table: Replies to already established connections/traffic we've already sent out is OK.
# The state name is ESTABLISHED (not ESTABLISH); RELATED additionally admits ICMP errors for our own connections.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# Adds onto filter tables: Input and Output to LAN is OK on Ethernet Interface
iptables -A INPUT --src "${LAN_IP_WITH_CIDR}" -j ACCEPT -i "${INTERFACE}"
iptables -A OUTPUT -d "${LAN_IP_WITH_CIDR}" -j ACCEPT -o "${INTERFACE}"

# Adds onto filter tables: Input and Output to VPN IP is OK on Ethernet Interface on VPN Port
iptables -A OUTPUT -j ACCEPT -d "${VPN_IP_ADDRESS}" -o "${INTERFACE}" -p "${VPN_PROTOCOL}" -m "${VPN_PROTOCOL}" --dport "${VPN_PORT}"
iptables -A INPUT -j ACCEPT -s "${VPN_IP_ADDRESS}" -i "${INTERFACE}" -p "${VPN_PROTOCOL}" -m "${VPN_PROTOCOL}" --sport "${VPN_PORT}"

# Adds onto filter tables: Input and Output to TUN/TAP devices are OK.
# OpenVPN creates the virtual interface after connecting via the above policies
iptables -A INPUT -j ACCEPT -i "${VIRTUAL_INTERFACE}"
iptables -A OUTPUT -j ACCEPT -o "${VIRTUAL_INTERFACE}"

# Adds onto filter tables: Input and Output queries to DNS on port 53 to specified DNS servers are OK.
iptables -A OUTPUT -j ACCEPT -d "${DNS_IP_ADDRESS[0]}" -p udp --dport 53
iptables -A INPUT -j ACCEPT -s "${DNS_IP_ADDRESS[0]}" -p udp --sport 53
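The same killswitch expressed as iptables-restore input, as an added example that is not the original poster's script. It targets the two points the post raises: the ruleset is loaded atomically per table, so there is no separate flush/delete-chain step and no moment in which the old ACCEPT policy is in force with no rules; and DNS is allowed on both udp/53 and tcp/53 (TCP is what a resolver falls back to when an answer is truncated), but only to the configured resolvers and only through the tunnel, with any other port-53 traffic rejected before the LAN and tunnel accepts. Every interface name and address (eth0, tun0, 192.168.1.0/24, 203.0.113.10, 10.8.0.1) is a placeholder assumed for illustration, and the `count_rules` helper exists only to let the generated text be checked before it is loaded.

```shell
#!/bin/sh
# Added example (not the original poster's script): the killswitch as
# iptables-restore input. Rules are generated as text so they can be
# reviewed without root; "apply" pipes them into iptables-restore.
# Differences from the script in the question:
#   * iptables-restore replaces each listed table atomically (no window
#     between "flush" and "policy DROP" with the old ACCEPT policy active).
#   * DNS (udp/53 and tcp/53) only to the listed resolvers, only via the
#     tunnel; port 53 to anything else is rejected before the LAN and
#     tunnel accepts, so an application with a hard-coded resolver cannot
#     leak queries out of the physical interface or to the LAN router.
#   * INPUT on the tunnel is limited to replies (conntrack ESTABLISHED,
#     RELATED) instead of accepting everything from the VPN network.
# All addresses and interface names below are placeholders.
set -eu

LAN_IP_WITH_CIDR="${LAN_IP_WITH_CIDR:-192.168.1.0/24}"
VPN_IP_ADDRESS="${VPN_IP_ADDRESS:-203.0.113.10}"   # VPN server (TEST-NET-3 placeholder)
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTOCOL="${VPN_PROTOCOL:-udp}"
VIRTUAL_INTERFACE="${VIRTUAL_INTERFACE:-tun0}"
INTERFACE="${INTERFACE:-eth0}"
DNS_SERVERS="${DNS_SERVERS:-10.8.0.1}"             # resolvers inside the tunnel, space separated

# IPv4: nat table emptied, filter table default-deny with an explicit allowlist.
killswitch_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  # DNS: only the configured resolvers, only through the tunnel, both transports.
  for dns in $DNS_SERVERS; do
    printf '%s\n' "-A OUTPUT -o $VIRTUAL_INTERFACE -d $dns -p udp -m udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $VIRTUAL_INTERFACE -d $dns -p tcp -m tcp --dport 53 -j ACCEPT"
  done
  cat <<EOF
-A OUTPUT -p udp -m udp --dport 53 -j REJECT
-A OUTPUT -p tcp -m tcp --dport 53 -j REJECT
-A INPUT -i ${INTERFACE} -s ${LAN_IP_WITH_CIDR} -j ACCEPT
-A OUTPUT -o ${INTERFACE} -d ${LAN_IP_WITH_CIDR} -j ACCEPT
-A OUTPUT -o ${INTERFACE} -d ${VPN_IP_ADDRESS} -p ${VPN_PROTOCOL} -m ${VPN_PROTOCOL} --dport ${VPN_PORT} -j ACCEPT
-A OUTPUT -o ${VIRTUAL_INTERFACE} -j ACCEPT
COMMIT
EOF
}

# IPv6: loopback only, everything else dropped (no IPv6 is carried in the tunnel here).
killswitch_ruleset6() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Number of lines in a generated ruleset matching PATTERN; lets the text be
# sanity-checked before it is handed to iptables-restore.
count_rules() {  # usage: count_rules RULESET_TEXT PATTERN
  printf '%s\n' "$1" | grep -c -- "$2" || true
}

case "${1:-print}" in
  apply) killswitch_ruleset | iptables-restore; killswitch_ruleset6 | ip6tables-restore ;;
  print) killswitch_ruleset; killswitch_ruleset6 ;;
esac
```

Run it without arguments to review the generated tables; `sh killswitch.sh apply` (as root) loads them. Order matters inside OUTPUT: the per-resolver accepts sit above the two REJECTs, and both sit above the LAN and tunnel accepts, which is what stops a query to the LAN router or to a public resolver over the tunnel.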