1 # note, transmission specific thing here is to
2 # allow one extra port for transmission-remote
4 # format from iptables-save. [0:0] are comments of packet-count/byte-count
10 # from ip route, we can deduce that traffic goes to the
11 # local 10.8.0.x tun0, then to the normal interface.
12 # For the normal interface, we allow only some ports:
13 # dns for root user, vpn, and transmission-remote.
14 # dns is only used to resolve the vpn server ip on initial
16 # rules are mirror on input and output, just for extra safety,
17 # although just having output should do fine.
19 # We could also firewall from outside the nat, for example like this,
20 #-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
21 #-A FORWARD -i brvpn -j REJECT
22 # but I'm thinking firewall from inside is simpler.
24 # prevent dns leaks, openvpn runs as root, allow root to
25 # make non-vpn dns calls, but not transmission which does not run as root.
26 # openvpn needs this in order to lookup the ip of the vpn server
27 # before it's connected to it. We could hardcode the vpn ips in the
28 # config, but our vpn service provider gave us dns, so the ip might change.
29 -A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
30 -A INPUT -p udp -m udp --sport 53 -j ACCEPT
32 -A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
33 -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
36 -A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
37 -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
39 # 1195 is used for the secondary vpn server
40 # 1198 is another vpn port, simpler syntax just to use range
41 -A OUTPUT -p udp -m udp --dport 1194:1198 -j ACCEPT
42 -A INPUT -p udp -m udp --sport 1194:1198 -j ACCEPT
44 -A OUTPUT -o tun0 -j ACCEPT
45 -A INPUT -i tun0 -j ACCEPT
47 # makes debugging things easier
48 -A INPUT -p icmp -j ACCEPT
49 -A OUTPUT -p icmp -j ACCEPT