iankelling.org / git / distro-setup / blobdiff
bug fix for pushing btrfs
[distro-setup] / transmission-firewall / netns.rules
diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules
index f1b6bdd4bc0b76f776e9e9135baeade8aec8e69b..96b404f9251425a6fe69d08f7bc1891342937541 100644
--- a/transmission-firewall/netns.rules
+++ b/transmission-firewall/netns.rules
@@ -1,3 +1,7 @@
+# note, transmission specific thing here is to
+# allow one extra port for transmission-remote, but thats no big deal,
+# might as well use this in general for openvpn-nn
+
# format from iptables-save. [0:0] are comments of packet-count/byte-count
# which I removed
*filter
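Review bot: the new header comment leaves "openvpn-nn" undefined, so a reader cannot tell which openvpn instance or network namespace this ruleset is meant to be reused for; name it, and change "thats" to "that's". Since the same comment says the only transmission-specific piece is the one extra port for transmission-remote, stating that port here (9091, per the rules further down in this file) would make it obvious which two rules to drop when the file is reused for a generic openvpn namespace.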
@@ -7,7 +11,7 @@
# from ip route, we can deduce that traffic goes to the
# local 10.8.0.x tun0, then to the normal interface.
# For the normal interface, we allow only some ports:
-# dns, vpn, transmission-remote.
+# dns for root user, vpn, and transmission-remote.
# dns is only used to resolve the vpn server ip on initial
# connection.
# rules are mirror on input and output, just for extra safety,
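Review bot: the rewritten summary line says DNS is allowed "for root user", but the sentence kept two lines below, "rules are mirror on input and output", no longer holds for that rule: an owner match only applies to locally generated (OUTPUT) packets, and the INPUT side in the last hunk accepts any TCP traffic from source port 53 regardless of user. Either drop the mirror claim for DNS or say plainly that the inbound side is not restricted by user. Putting the port numbers next to the names here (53, 1194-1198, 9091) would also let a reader check this comment against the rule list below it.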
@@ -29,12 +33,14 @@
-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+# transmission-remote
-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
# 1195 is used for the secondary vpn server
--A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
--A INPUT -p udp -m udp --sport 1194:1195 -j ACCEPT
+# 1198 is another vpn port, simpler syntax just to use range
+-A OUTPUT -p udp -m udp --dport 1194:1198 -j ACCEPT
+-A INPUT -p udp -m udp --sport 1194:1198 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
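Review bot: widening the VPN range from 1194:1195 to 1194:1198 also admits UDP ports 1196 and 1197, which neither the old comment nor the new one ("1198 is another vpn port") says are used; `-m multiport --dports 1194,1195,1198` on the OUTPUT rule and `--sports 1194,1195,1198` on the INPUT rule keeps the syntax short without opening the two unused ports. The INPUT mirrors retained and added in this hunk are stateless: `-A INPUT -p udp -m udp --sport 1194:1198 -j ACCEPT` accepts any inbound UDP whose source port falls in that range, not only replies to the OUTPUT rule above it, and the same holds for `--sport 53`; matching replies with `-m conntrack --ctstate ESTABLISHED,RELATED` instead would tie the inbound side to connections that root (for DNS) or openvpn actually opened. The new `# transmission-remote` label is helpful; it is worth adding that the 9091 rules it labels carry no `-m owner` restriction, unlike the DNS rule, since the comment header in the first hunk presents this as the one transmission-specific allowance.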