various minor fixes
[distro-setup] / transmission-firewall / netns.rules
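# format from iptables-save. [0:0] are comments of packet-count/byte-count
# which I removed (iptables-restore only reads them when run with --counters).
#
# NOTE: this is an IPv4 (iptables) ruleset only. It does not touch ip6tables
# in this netns, so either load an equivalent ip6tables ruleset (at minimum
# :INPUT DROP / :OUTPUT DROP) or disable IPv6 inside the netns, otherwise
# IPv6 traffic bypasses everything below.
*filter
:INPUT DROP
# This namespace only hosts openvpn + transmission and routes for nothing,
# so nothing should ever be forwarded; DROP instead of ACCEPT for defence
# in depth. If the netns is ever used as a router, add explicit FORWARD rules.
:FORWARD DROP
:OUTPUT DROP
# from ip route, we can deduce that traffic goes to the
# local 10.8.0.x tun0, then to the normal interface.
# For the normal interface, we allow only some ports:
# dns, vpn, transmission-remote.
# dns is only used to resolve the vpn server ip on initial
# connection.
#
# Return traffic is handled by conntrack (ESTABLISHED,RELATED) instead of
# mirrored --sport rules. A --sport match is stateless: anyone who sets
# their source port to 53 or 1194-1198 would have been let straight through
# the INPUT DROP policy to any listener in the namespace, and any local
# process could have sent outbound traffic from source port 9091.

# Loopback never leaves the namespace; allow it so local IPC is not
# caught by the DROP policies.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Replies to connections that were allowed by one of the rules below.
# A conntrack entry only exists once an initial packet has been accepted,
# so this does not widen what a non-root process can initiate.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# We could also firewall from outside the nat, for example like this,
# but I'm thinking this is simpler.
#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
#-A FORWARD -i brvpn -j REJECT

# prevent dns leaks, openvpn runs as root, allow root to
# make non-vpn dns calls, but not transmission which does not run as root.
# openvpn needs this in order to lookup the ip of the vpn server
# before it's connected to it. We could hardcode the vpn ips in the
# config, but our vpn service provider gave us dns, so the ip might change.
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT

# transmission-remote rpc.
# Not from tun0: the blanket "-i tun0 -j ACCEPT" below would otherwise make
# the rpc port reachable from the vpn network (if transmission binds it on
# all interfaces). Remove the DROP if you deliberately administer
# transmission over the vpn.
-A INPUT -i tun0 -p tcp -m tcp --dport 9091 -j DROP
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT

# 1195 is used for the secondary vpn server
# 1198 is another vpn port, simpler syntax just to use range
# Restricted to root like dns: openvpn runs as root, and without the owner
# match any process (transmission included) could send udp to these ports
# over the normal interface, bypassing the vpn.
-A OUTPUT -p udp -m udp --dport 1194:1198 -m owner --uid-owner root -j ACCEPT

# everything is allowed through the vpn tunnel itself
-A OUTPUT -o tun0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT

# makes debugging things easier. Note this accepts inbound icmp from any
# interface, not just tun0; the RELATED rule above already covers icmp
# errors for allowed flows if you want to drop this later.
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT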