distro specific fixes
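# netns.rules -- iptables-restore input for the transmission network namespace
# (load with `iptables-restore < netns.rules` inside the netns).
# The transmission specific part is the one extra port for transmission-remote.
#
# Format is that of iptables-save; the [0:0] packet-count/byte-count fields
# that iptables-save prints after each chain policy have been removed.
*filter
:INPUT DROP
# There are no FORWARD rules and nothing in this namespace is meant to route
# between its interfaces; the policy is left ACCEPT as before, but DROP would
# be the safer default if nothing turns out to depend on it.
:FORWARD ACCEPT
:OUTPUT DROP
# Design, from `ip route` inside the netns: traffic goes to the local
# 10.8.0.x tun0 and from there over the normal interface.  On the normal
# interface only a few things are allowed: DNS for root (used only to resolve
# the VPN server on the initial connection, if at all), the VPN itself, and
# transmission-remote.  Rules are written for both INPUT and OUTPUT for extra
# safety, although the OUTPUT side alone would do.
#
# Filtering could also be done from outside the NAT, on the host, e.g.
#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
#-A FORWARD -i brvpn -j REJECT
# but filtering from inside the namespace is simpler.

# Loopback never leaves the namespace; allow it so local IPC is not
# affected by the DROP policies.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Replies to flows this namespace opened.  The previous rules matched replies
# statelessly on --sport 53 / --sport 1196, which let any remote host reach
# any local port simply by sending from source port 53 or 1196 (those accepts
# ran before the INPUT DROP policy applied).  Connection tracking only admits
# packets that belong to a flow we initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# DNS, prevent leaks.  Everything is already allowed through tun0 below, so
# this rule only has an effect on the normal interface.  It is limited to root
# so that at most the VPN client can resolve names outside the tunnel
# (assumes openvpn runs as root and transmission does not -- confirm).  The VPN
# server is connected to by IP address, so the rule may not be needed at all;
# if so, delete it rather than widen it.
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT

# transmission-remote RPC (TCP 9091), reached over the normal interface.
# It is not meant to be reachable from the VPN side, so drop new connections
# to it from tun0 explicitly: the blanket "-i tun0 ACCEPT" further down would
# otherwise expose it to anything that can route to the tun0 address.
# Transmission's own rpc-bind-address / rpc-whitelist are not visible here;
# set them as well rather than relying on this file alone.
-A INPUT -i tun0 -p tcp -m tcp --dport 9091 -j DROP
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT

# VPN: udp/1196 is used by mullvad.  Only the outbound side needs a rule; the
# server's replies are admitted by the conntrack rule above.
-A OUTPUT -p udp -m udp --dport 1196 -j ACCEPT

# Everything inside the tunnel is allowed in both directions.
-A OUTPUT -o tun0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT

# ICMP from anywhere: makes debugging easier (ping, unreachables, PMTU).
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT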