# note, transmission specific thing here is to
# allow one extra port for transmission-remote

# format from iptables-save. [0:0] are comments of packet-count/byte-count
# which I removed

*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT DROP

# from ip route, we can deduce that traffic goes to the
# local 10.8.0.x tun0, then to the normal interface.
# For the normal interface, we allow only some ports:
# dns for root user, vpn, and transmission-remote.
# dns is only used to resolve the vpn server ip on initial
# connection.

# rules are mirrored on input and output, just for extra safety,
# although just having output should do fine.

# We could also firewall from outside the nat, for example like this,
#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
#-A FORWARD -i brvpn -j REJECT
# but I'm thinking firewall from inside is simpler.

# prevent dns leaks: openvpn runs as root, so allow root to
# make non-vpn dns calls, but not transmission, which does not run as root.
# openvpn needs this in order to look up the ip of the vpn server
# before it's connected to it. We could hardcode the vpn ips in the
# config, but our vpn service provider gave us dns, so the ip might change.
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT

# transmission-remote
-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT

# 1302 is used by mullvad
-A OUTPUT -p udp -m udp --dport 1302 -j ACCEPT
-A INPUT -p udp -m udp --sport 1302 -j ACCEPT

# everything else goes through the tunnel
-A OUTPUT -o tun0 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT

# makes debugging things easier
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
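An added check, not part of the original ruleset: a small Python linter that parses iptables-save text and flags the two regressions this config guards against, an OUTPUT policy other than DROP (the tunnel would fail open) and a port-53 ACCEPT that lacks the root owner match (non-root processes such as transmission could leak DNS). The sample dumps are constructed from the OUTPUT rules above; the function names and the leaky variant are mine.

```python
# Added example, not part of the original config: lint an iptables-save dump
# for the kill-switch invariants the ruleset above depends on.
import shlex

def parse_dump(dump):
    policies, rules = {}, []  # {chain: policy}, [rule dicts]
    for line in dump.splitlines():
        if line.startswith(":"):  # ':OUTPUT DROP [0:0]'; counters are optional
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule, i = {"chain": toks[1], "modules": [], "raw": line}, 2
            while i < len(toks):  # pair each flag with its value, if it has one
                val = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else None
                if toks[i] == "-m":
                    rule["modules"].append(val)  # -m repeats (udp, owner, ...)
                else:
                    rule[toks[i]] = val
                i += 1 if val is None else 2
            rules.append(rule)
    return policies, rules

def audit(dump, vpn_iface="tun0", vpn_port="1302", admin_port="9091"):
    """Return findings (empty list means OK) about egress outside the tunnel."""
    policies, rules = parse_dump(dump)
    findings = []
    if policies.get("OUTPUT") != "DROP":
        findings.append("OUTPUT policy is not DROP: a dead tunnel would fail open")
    for r in rules:
        if r["chain"] != "OUTPUT" or r.get("-j") != "ACCEPT" or r.get("-o") == vpn_iface:
            continue  # only ACCEPTs that can reach the plain interface matter
        if r.get("--dport") == "53":  # off-tunnel DNS is for OpenVPN (root) only
            if "owner" not in r["modules"] or r.get("--uid-owner") != "root":
                findings.append("DNS egress not limited to root: " + r["raw"])
        elif not (r.get("-p") == "icmp" or r.get("--dport") == vpn_port
                  or r.get("--sport") == admin_port):
            findings.append("unexpected egress outside %s: %s" % (vpn_iface, r["raw"]))
    return findings

# Constructed sample: the page's OUTPUT-side rules as iptables-save prints them
GOOD = """:OUTPUT DROP [0:0]
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1302 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
"""
# Constructed leaky variant: owner match removed and the default policy relaxed
LEAKY = GOOD.replace(" -m owner --uid-owner root", "").replace(":OUTPUT DROP", ":OUTPUT ACCEPT")
```

Run it against `iptables-save` output after editing the rules; an empty result means the owner-restricted DNS exception and the DROP default are still in place.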