yorgi
Very Senior Member
Not sure unless I try your setup. That script works for OpenVPN; I used it for the longest time until RMerlin incorporated it in the policy rules, then I took out the script.

Quote:
If I do an iptables -L -v command, I get the following output for the FORWARD chain:
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out   source    destination
65749 4079K TCPMSS  tcp  --  any   any   anywhere  anywhere     tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
  11M   14G ACCEPT  all  --  any   any   anywhere  anywhere     state RELATED,ESTABLISHED
    0     0 DROP    all  --  !br0  vlan2 anywhere  anywhere
    0     0 DROP    all  --  vlan2 any   anywhere  anywhere     state INVALID
    0     0 ACCEPT  all  --  br0   br0   anywhere  anywhere
    0     0 ACCEPT  all  --  any   any   anywhere  anywhere     ctstate DNAT
 107K 7988K ACCEPT  all  --  br0   any   anywhere  anywhere
    0     0 DROP    all  --  !br0  ppp5  anywhere  anywhere
I read this as "drop any inbound connection to vlan2 (WAN connection) or ppp5 (VPN) unless it comes from br0 (the bridge)". So does this mean that your original suggestion
Code:
#!/bin/sh
# Give the tunnel interface a moment to come up before touching the chains
sleep 4
# Allow LAN <-> VPN forwarding in both directions
iptables -I FORWARD -i br0 -o ppp5 -j ACCEPT
iptables -I FORWARD -i ppp5 -o br0 -j ACCEPT
# These hosts may only leave via ppp5; anything routed elsewhere (e.g. out vlan2 when the tunnel is down) is dropped
iptables -I FORWARD ! -o ppp5 -s 192.168.2.50 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.60 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.70 -j DROP
# Refuse connections to the router itself arriving over the tunnel
iptables -I INPUT -i ppp5 -j REJECT
# NAT LAN traffic behind the tunnel address
iptables -t nat -A POSTROUTING -o ppp5 -j MASQUERADE
should work even though br0 is showing a LAN IP instead of a WAN IP?
br0 is your WAN port. You have a VLAN2 in the equation. I am not sure.
You need to make some tests. It took me months to figure out Policy rules with scripts.
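To check the reading of the FORWARD chain without touching a router, here is an added example (not from the post, not part of the firmware or its policy-rule code): a small first-match simulator that loads the chain exactly as printed in the post, replays the `-I` lines of the posted script, and asks for a verdict on a few constructed packets. It reproduces only two things that matter for the question above: `-I` puts a rule at the top, so the last inserted line is evaluated first, and the first matching rule decides. The host addresses are the ones from the script; the packets, the 203.0.113.9 and 10.8.0.1 addresses, and the NEW/ESTABLISHED states are constructed for the test. The TCPMSS and DNAT rules from the printed chain are left out because they never decide a verdict for these packets.

```python
# Added example: first-match simulator for the FORWARD chain in the post.
# This is NOT iptables; it only models -I (prepend) vs -A (append) ordering
# and first-match evaluation so the posted script can be reasoned about offline.
from dataclasses import dataclass
from typing import Optional, FrozenSet


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    state: str = "NEW"   # NEW, ESTABLISHED, RELATED or INVALID (conntrack view)


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None      # None = any; a leading "!" negates
    out_if: Optional[str] = None
    src: Optional[str] = None        # exact host match is enough here
    states: Optional[FrozenSet[str]] = None

    @staticmethod
    def _if_match(want: Optional[str], have: str) -> bool:
        if want is None:
            return True
        if want.startswith("!"):
            return have != want[1:]
        return have == want

    def matches(self, p: Packet) -> bool:
        return (self._if_match(self.in_if, p.in_if)
                and self._if_match(self.out_if, p.out_if)
                and (self.src is None or self.src == p.src)
                and (self.states is None or p.state in self.states))


class Chain:
    def __init__(self, policy: str):
        self.policy = policy
        self.rules = []

    def insert(self, rule: Rule) -> None:   # iptables -I: becomes rule 1
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: goes last
        self.rules.append(rule)

    def verdict(self, p: Packet) -> str:    # first match wins, else policy
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


def base_forward_chain() -> Chain:
    """The FORWARD chain as printed in the post (TCPMSS and DNAT rules omitted)."""
    c = Chain("DROP")
    c.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    c.append(Rule("DROP", in_if="!br0", out_if="vlan2"))
    c.append(Rule("DROP", in_if="vlan2", states=frozenset({"INVALID"})))
    c.append(Rule("ACCEPT", in_if="br0", out_if="br0"))
    c.append(Rule("ACCEPT", in_if="br0"))
    c.append(Rule("DROP", in_if="!br0", out_if="ppp5"))
    return c


PINNED_HOSTS = ("192.168.2.50", "192.168.2.60", "192.168.2.70")  # from the script


def apply_script(c: Chain, vpn_if: str = "ppp5", hosts=PINNED_HOSTS) -> Chain:
    """Replay the -I FORWARD lines of the posted script, in the order written."""
    c.insert(Rule("ACCEPT", in_if="br0", out_if=vpn_if))
    c.insert(Rule("ACCEPT", in_if=vpn_if, out_if="br0"))
    for h in hosts:
        c.insert(Rule("DROP", out_if="!" + vpn_if, src=h))
    return c


def verdicts() -> dict:
    """Constructed packets; addresses other than the pinned hosts are made up."""
    c = apply_script(base_forward_chain())
    return {
        "pinned host out via VPN": c.verdict(Packet("br0", "ppp5", "192.168.2.50")),
        "pinned host out via WAN (tunnel down)": c.verdict(Packet("br0", "vlan2", "192.168.2.50")),
        "other LAN host out via WAN": c.verdict(Packet("br0", "vlan2", "192.168.2.10")),
        "unsolicited inbound from WAN": c.verdict(Packet("vlan2", "br0", "203.0.113.9")),
        "reply from VPN to LAN": c.verdict(Packet("ppp5", "br0", "10.8.0.1", "ESTABLISHED")),
    }


if __name__ == "__main__":
    for case, v in verdicts().items():
        print(f"{case:40s} -> {v}")
```

The point the output makes: because every line of the script uses `-I`, the three per-host DROP rules sit at the very top of the chain, ahead of both ACCEPT rules and ahead of the firmware's own `br0 -> any ACCEPT`, so a pinned host that gets routed out vlan2 is dropped before that general ACCEPT can see it, while the other LAN hosts still reach the WAN through it. Inbound packets from vlan2 that belong to no existing connection fall through every rule to the chain's DROP policy, which is the behaviour the quoted reading of the chain describes.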